Cyber Attacks
kpmg.ca/insuranceconference2017
What Directors and C-Suite professionals need to know
© 2017 KPMG LLP, a Canadian limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. The KPMG name and logo are registered trademarks or trademarks of KPMG International.
Breaches are at an all-time high, and criminals more than ever are targeting personal and health data:
− for direct sale
− for extortion
− for health insurance fraud
− to bypass financial fraud detection systems
The threat landscape – data breaches
Top data breaches, December 2013 – 2016
Reported data breaches of recognized companies involving at least 1M records, by size and type (chart; timeline labels 2014, 2015, 2016; entries recovered from the chart labels, size in records):
− eBay 145M
− Michaels 3M
− Home Depot 109M
− Trip Advisor 1.4M
− CarPhone Warehouse 2.4M
− Excellus 10M
− Ashley Madison 32M
− AOL 20M
− SnapChat 4.6M
− Yahoo (x2) 1.5B
− Adult Friend Finder 400M
− MySpace 360M
− LinkedIn 167M
− Tumblr 65M
− Dropbox 68.6M
− LastFM 43M
− Mexican Voter Database 93.4M
− Minecraft 7M
− Mossack Fonseca 11M
− Premera 11M
− Alibaba 20M
− Philippines Election 55M
− Target 110M
− Anthem 78.8M
− CareFirst 2.4M
− Adult Friend Finder 4M
− JP Morgan Chase 83M
− Yahoo 22M
− OPM 25M
What risks do Directors and C-Suite face?
Risk to the ongoing operation
− Continuity
− Day to day
− Loss of revenues
Risk to reputation
− Possibly most difficult to repair
− Likely to impact BOTH organization AND individual
Risk of costly litigation
− Organizational
− Director
− In some cases C-Suite, if alleged careless
Fighting Cyber
Be vigilant with internal threats
− Investigations
− Forensic D&A
− Whistleblowing programs/outsourcing
Know your business partners & third parties
− 3rd Party Risk Management
− Corporate intelligence/Astrus
Perform risk assessments
− Fraud Risk Management
− Regulatory positioning services
Fight back with technology
− Forensic technology
− Cyber security
− D&A
Top industry threats – Reactive extortion-driven attacks
Source: http://sensorstechforum.com/remove-jigsaw-ransomware-and-restore-fun-kkk-btc-encrypted-files/
Source: http://www.zdnet.com/article/the-cost-of-ransomware-attacks-1-billion-this-year/
− Run like a vendor
− Help line
− Most often provide the key; bad for business otherwise
− Once hit, likely to reoccur
− War story!!!
Top industry threats – Social engineering fraud
Source: https://www.fbi.gov/news/stories/business-e-mail-compromise/@@images/image
War story!!!
− Financial institution in UK
− 13 emailed requests
− Requests looked legit
− Inside job
− Law firm and professional service example
How do Directors/C-Suite protect their organization and themselves?
Board
− Training
− Board Director with Cyber Risk expertise – the SEC “highly recommends” this!
− Understanding your organization’s Cyber stance
− STAY UPDATED! This should be a standing agenda item
C-Suite
− Training
− Ensure CIO/CTO positions or equivalent
− Have a plan!!!! AND regularly review/update it
Both Board and C-Suite need to be part of any Cyber Communication Plan!
Rise of “cyber fatigue”
There is a rising chorus of “cyber fatigue” permeating boardrooms, as cyber security is becoming understandably tiresome. As IT professionals concede that a breach is no longer a matter of “if” but “when,” it’s a given that some decision makers are exhausted as they revisit the same decision every year, every quarter, and every month.
It’s real, and here is what people are saying:
“What’s the use?! Still got hacked.” – Despite asserting compliance, companies often discover procedural lapses months later.
“We’ve got to do more. We’ve got to spend more to do more.” – Continual admission that the status quo has become insufficient against evolving hacking tactics.
“Is there any end in sight?” – Security failures or media saturation of high-profile cases; an onslaught of corporate introspection and second-guessing; reactionary enhancements to existing compliance standards; a seemingly endless appeal for resources.
How do we communicate with the board?
− What are the new cyber security threats and risks, and how do they affect our organization?
− Is our organization’s cyber security program ready to meet the challenges of today’s (and tomorrow’s) cyber threat landscape?
− What key risk indicators should I be reviewing at the executive management and board levels to perform effective risk management in this area?
KPMG’s global cyber maturity framework domains: Board engagement & oversight
Symptoms of cyber fatigue
− Double-digit compound annual growth rate (CAGR) in cyber budgets over the last five years
− Ever-increasing depth and breadth of executive and board briefings on cyber issues
− Continual net addition of cyber-related technologies, with few, if any, being retired
Five ways to combat cyber fatigue
Our approach is industry-agnostic and incorporates a systematic, risk-based process. Such an emphasis steers attention away from the never-ending appeal for resources and redirects it to an objective assessment that reflects a company’s business strategies and innovation, risk tolerance, and unique cyber security costs.
1. Make measured investments in cyber based on risk – optimization without sacrificing security
2. Regularly measure the effectiveness of your security investments
3. Develop/align the right cyber risk management model
4. Continually update your model to reflect emerging threats
5. Build/promote a risk-aligned security organization
Cyber Emergency….
Assistance with
− Containing an incident
− Investigating an incident / breach
− Improving cyber resiliency after a breach
− Obtaining independent advice
Thank you
Contact us
Joseph Coltson
Partner, National Lead
Forensic Technology Clients & Markets
T: 416-777-8786
E: [email protected]
John Heaton
Partner
Risk Consulting – Cyber Security
T: 416-476-2758
E: [email protected]
kpmg.ca
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.