Cyber Security - Things you need to know


Information Protection & Business Resilience

Nathan Desfontaines

September 2015

Cyber Security – Things you need to know

AGENDA

Recognising the need for better cyber-security in the insurance sector, the National Association of Insurance Commissioners (NAIC) recently published “Principles for Effective Cybersecurity: Insurance Regulators Guidance.” The NAIC document provides best practices for insurance regulators and companies, focusing on the protection of the sector’s infrastructure and data from cyber-attacks.

1. An increase in cybersecurity regulations;

2. A focus on consumer privacy;

3. An increase in cybersecurity spending;

4. The growing importance of cybersecurity information-sharing and analysis groups;

5. The Board’s and management’s involvement in cybersecurity;

6. The increased need to manage third-party risks;

7. The link between cybersecurity and risk management.

IT DOESN’T MATTER WHO DID IT

• In the event of a cyber-attack, your first response might be to hunt down the perpetrator.

• While this might provide closure, pinning down the source of the breach will do little to protect the business from future hacks.

• Further, the process of finding the responsible party will cost a lot of time and effort that could be better spent on boosting security.

• Instead of wasting resources on searching for the cyber-criminal, focus on identifying the vulnerability that led to the attack and exactly which information was affected.

• Learning from past mistakes is an essential step towards creating a more comprehensive security strategy.

BELIEVE IN BIG DATA

• The process of analysing cyber-attacks will evolve to take on more of a big data approach.

• The quality and speed of cyber-threat analysis will increase, and cost will decrease, as the use of real-time analytics spreads across structured and unstructured data sources.

• Having the right capabilities at your disposal to quickly quantify and analyse log data will be crucial in effecting a timeous response to a cyber-attack.

THE COST OF BREACHES

• Research published by NetDiligence indicates that hackers and malware were responsible for about 97% of lost records in 2014 - and caused a lot of pricey damage.

• The median cost of incidents caused by hackers was $242,762 (R3,115,397), with the most expensive one totalling $11.75 million (R150.78 million).

• The study also shows that the sources and costs of data breaches vary widely according to industry.

• Healthcare, which filed 23% of claims, topped them all. Financial services accounted for 22% of all claims filed and were also hardest hit by third-party breaches.

• Financial institutions comprised 32% of all third-party incidents. Each cost about $288,000 (R3,695,783) on average.

BEWARE OF THIRD PARTIES

• Businesses are becoming increasingly aware of the risks inherent in working with third parties.

• Now, they are under fire to address and manage this risk.

• In the future, we'll see more insurers actively monitoring third parties instead of relying on less reliable self-certification.

• Instead of being pushed to the side, security will become a priority as protective measures are built into third-party products and services.

• Upgrades and testing procedures will also be enforced.

CYBER-ATTACKS ARE A TOP CONCERN

• A report published by the Depository Trust & Clearing Corporation (DTCC) in late 2014 revealed that 84% of financial firms placed cyber risk among their top five concerns - up from 59% in the first quarter of the same year.

• Almost 40% of financial institutions claim the likelihood of a high-impact breach on the global financial system escalated throughout 2014.

• More than three quarters claim to have added resources intended to mitigate risk.

• No doubt last year's J.P. Morgan breach had an impact on their response.

COMMUNICATE WITH CUSTOMERS

• As demonstrated by Anthem's response to its own cyber-attack, it's essential to communicate with customers before, during, and after a data breach.

• By publicly announcing the attack and providing the information it could, Anthem demonstrated transparency and built a level of trust with its customers.

• In the aftermath of a data breach, executives may be tempted to withhold information until they believe they have all the answers they need.

• The problem is, customers don't expect you to have all the answers right away - and those answers might take a long time to find.

• So long as your company shares information as it receives it, and is openly working with authorities to investigate the breach, customers will be more accepting.

SHARE SECURITY STRATEGIES

• The sophistication of today's hackers is escalating quickly because they work together to share tactics. Insurers, which primarily operate on their own when it comes to security, are moving comparatively slowly in developing protective strategies.

• While insurers have traditionally kept to themselves, it may be time to consider more open communication with other financial institutions facing the same risks.

Data breaches are now common events that affect an organisation in many ways besides attorney fees, lost business, reputational damage, and system remediation costs. Back in 1970, in a now classic book, Dr. Elisabeth Kübler-Ross wrote “On Death and Dying”, which identified five stages of grieving and emotions that terminally ill patients experience. It is my contention that organisations have to deal with similar data breach grief.

• Denial. The organisation’s initial reaction helps soften the realisation that technology, people or business processes have broken down and customer data has been exposed, leaked, or compromised. This stage may last for a few hours, days, or months depending on when the organisation confirmed the breach.

• Anger. All organisations have irate doubters who refuse to acknowledge that a data breach was caused by a software programming error or a lost laptop with unencrypted data, or that the compromised system did not follow established security hardening procedures.

• Bargaining. There are always people in an organisation who will insist that they just need another chance and that a breach will not happen again. This is despite the fact that customer data is already in the “Internet wild.” Promising to do better in the future is neither timely nor practical.

• Depression. All organisations wish they had handled things differently. There will be individuals who are unable to concentrate and who second-guess their plan of action to contain the breach.

• Acceptance. It is typically very difficult to recognise when the critical fifth and final stage is reached after a confirmed data breach. However, it is at this point that management understands that security needs to be an ongoing process in order to protect the confidentiality, availability, and integrity of customer data.

Nathan Desfontaines
Information Security Manager
• 082 719 2426
• [email protected]

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

© 2015 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. NDPPS 133584

HELPING CLIENTS SPREAD THEIR WINGS