Executive summary: insights into cybersecurity and risk

As cyber threats have become more pervasive, persistent and sophisticated, information security has become a business imperative for all industries. Unlike companies in other sectors, however, insurers must gain a deeper understanding of cyber threats as they develop cyber liability policies. These products are evolving to cover not just technology companies, but all organizations that collect, store and process data from their customers.

When it comes to information security, insurers must stay ahead of ever-shifting cyber threats by maintaining the triad of confidentiality, integrity and availability of systems and data. No one escapes cyber risk: every company is vulnerable to cyber threats. In the global cyber insurance market of the future, risk management of a data breach must be built into policy at the board level, not left as a concern of the IT department alone. This will give the reinsurance industry and capital markets confidence, and confirm to regulators and rating agencies that enterprise risk management (ERM) has been built into cyber liability coverage.

Businesses must take a proactive approach to cybersecurity rather than waiting for a breach to occur and then acting on it.
Key actions for insurers to take

To achieve cybersecurity, insurers must:
• Develop and implement a long-term, enterprise-wide security program that addresses processes, controls, organization and governance, as well as reporting, metrics, privacy and data protection
• Invest in cybersecurity and do a better job of articulating and demonstrating the value proposition
• Establish a framework of continuous improvement in analytics and reporting, people, processes and technology
• Design and execute solutions to measure, monitor and report on the effectiveness of security programs
• Refine strategies based on changing threats, risks and business imperatives

To mitigate cyber risks, insurers must:
• Integrate cyber risks into a broader enterprise risk management approach, including risk modeling and transfer
• Gain specific understanding of risks related to data breaches, supply chains, emerging digital technologies and rapid-growth markets
• Track and monitor cyber liability regulation and rating issues and developments
• Accept that all insured infrastructure is a target, with the highest-value assets the most frequent targets
• Remain alert to changing trends and emerging threats within the market and ensure that policy terms and conditions do not increase exposure
• Embrace a cyber risk center of excellence approach that extends across customer, risk-centric and financial activities
Achieving cybersecurity

Emerging cyber threats

Financial institutions have developed applications for mobile payment and other transactions. While these applications represent innovation, the core systems behind them were never designed to support mobile banking. Consequently, digital exchanges over the mobile transaction network are at a higher risk of compromise and/or manipulation by attackers with increasingly sophisticated tools and skills. Moreover, outsourcing the infrastructure and storage that support these applications puts organizations further at risk, because each cloud service provider has its own security mechanisms, outside the institution's direct control.

Other challenges (and reasons for concern) for insurers:
• There is a large gap between the nature of new threats and the capabilities available to detect attacks, monitor (and stop) unauthorized exfiltration and secure information.
• Few insurers have direct insight into the cyber liabilities surrounding intangible digital assets.
• Many do not have the tools to provide the real-time awareness necessary to calculate risks to insured digital assets stored by cloud service providers or on enterprise networks.
• There is increased awareness that companies should be accountable for private records and for the security of data collected from their customers.
• Insurers should expect that insured infrastructure will be compromised at some point. The more important and valuable the data assets are (IP, customer and supplier base, etc.), the more likely a compromise will occur.

As exposure has evolved, so have policies. Since exposure exists for any organization that handles private information, insurance companies have been tasked with creating a new type of policy. The rapid adoption of mobile and digital devices in emerging markets is fostering new product development, along with new security and privacy measures.

Research shows:
• Nearly 95% of all enterprise networks have been compromised by external attackers.
• Only 3% of organizations felt safe against insider threats.
• Hundreds of millions of consumers have had their identity information compromised.
• The financial and reputational losses to businesses and shareholders stretch into the tens of billions of dollars annually.
Pillars of information security

The security model rests on three pillars:
• Confidentiality: prevents the disclosure of information to unauthorized individuals or systems.
• Integrity: maintains the accuracy and consistency of systems and data over the entire lifecycle. This is the most critical pillar, but a gaping hole today.
• Availability: makes sure that computing systems, security controls and communication channels are functioning correctly.
Data integrity

What it is:
Data integrity is the ability to independently prove what happened in a digital infrastructure, determine the impact of a security incident and apportion the liability for a data breach. This proof is currently hard to obtain from internal systems, and it becomes increasingly complicated with organizational reliance on outsourced cloud infrastructure and "trusted" administrators. New methods are needed to definitively identify the cause of a compromise, the assets affected, when the compromise occurred and whether insured assets were exposed outside the organization.

Why it matters:
• It is a prerequisite for ensuring confidentiality.
• Without it, encryption is worse than useless, bringing a false sense of security that can lead to a breach: an encrypted record that has been replaced or tampered with will still decrypt and be accepted as genuine.
• It brings auditability and transparency of evidence to governance frameworks (for both public and private sectors).

Data integrity enables an independent audit of digital assets prior to a data breach and clearer visibility into impacts when breaches occur.
Getting to data integrity: keyless signature infrastructure

Most breaches today go unnoticed until long after they occur and the damage has been done. Active integrity involves continuous verification of the integrity of data in storage using keyless signatures. A disruptive new technology standard, keyless signature infrastructure (KSI) can address some cyber liability issues by enabling mutual auditability of information systems and adding clearer visibility into the cause of a breach incident. Further, KSI mitigates the risk of breach escalation in real time and produces evidence that can be relied on in subrogation and other legal claims.

How KSI works:
• A keyless signature is built from cryptographic hashes of the data, aggregated into a hash tree whose root value is published for a fixed time period; verifying a record later requires only the record, its hash path and the published value.
• Unlike digital certificates, keyless signatures never expire.
• People are not required in the signing process.
• Use of keyless signatures strengthens legal non-repudiation for data at rest.
• There are no signing keys to be compromised or revoked; trust rests instead on the integrity of the published hash values, which must be kept where an intruder cannot rewrite them.
• During a breach, active integrity can be provided with cyber alarms and correlated with other network events by auditors, network operations centers and security operations centers, delivering real-time, continuous monitoring and verification of data signed with keyless signatures.

Keyless signatures change the security paradigm by ensuring visibility into the cause of breaches.

A "managed security service" resulting from the implementation of KSI marks a new era for insurers.
[Figure: electronic data + keyless signature = signed electronic data. Each record of the syslog extract below is signed by a keyless signature.]

#   Timestamp            Facility  Severity  Host      Message
10  2009-01-21 16:39:02  10        6         suporte6  pam_unix(cron:session): session closed for user root
11  2009-01-21 17:09:03  10        6         suporte6  pam_unix(cron:session): session opened for user root by (uid=0)
12  2009-01-21 17:09:15  9         6         suporte6  (root) CMD ([-x /usr/lib/php5/maxlifetime ] [-d /var/lib/php5 ] find /var/lib/php5/ -type…
13  2009-01-21 17:09:17  10        6         suporte6  pam_unix(cron:session): session closed for user root
14  2009-01-21 17:12:03  10        5         suporte6  mauricio: TTY=pts/1 ; PWD=/etc/rsyslog.d ; USER=root ; COMMAND=/usr/bin/killall kmysqladmin
15  2009-01-21 17:17:02  10        6         suporte6  pam_unix(cron:session): session opened for user root by (uid=0)
16  2009-01-21 17:17:03  9         6         suporte6  (root) CMD (cd / && run-parts --report /etc/cron.hourly)
17  2009-01-21 17:17:03  10        6         suporte6  pam_unix(cron:session): session closed for user root
18  2009-01-21 17:39:01  10        6         suporte6  pam_unix(cron:session): session opened for user root by (uid=0)
19  2009-01-21 17:39:01  9         6         suporte6  (root) CMD ([-x /usr/lib/php5/maxlifetime ] [-d /var/lib/php5 ] find /var/lib/php5/ -type…
20  2009-01-21 18:09:01  9         6         suporte6  (root) CMD ([-x /usr/lib/php5/maxlifetime ] [-d /var/lib/php5 ] find /var/lib/php5/ -type…
21  2009-01-21 18:09:01  10        6         suporte6  pam_unix(cron:session): session closed for user root
22  2009-01-21 18:09:01  10        5         suporte6  mauricio: TTY=pts/1 ; PWD=/etc/rsyslog.d ; USER=root ; COMMAND=/usr/bin/killall kmysqladmin
23  2009-01-21 18:17:01  10        6         suporte6  pam_unix(cron:session): session opened for user root by (uid=0)
24  2009-01-21 18:17:01  9         6         suporte6  (root) CMD (cd / && run-parts --report /etc/cron.hourly)
25  2009-01-21 18:17:01  10        6         suporte6  pam_unix(cron:session): session closed for user root
26  2009-01-21 18:39:01  10        6         suporte6  pam_unix(cron:session): session opened for user root by (uid=0)
27  2009-01-21 18:39:01  9         6         suporte6  (root) CMD ([-x /usr/lib/php5/maxlifetime ] [-d /var/lib/php5 ] find /var/lib/php5/ -type…

(Syslog facility 9 is cron and 10 is authpriv; severity 5 is notice and 6 is informational. The figure shows each timestamp twice; the duplicate column is dropped here.)
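As an added illustration (not EY's code and not any KSI vendor's implementation), the following Python models the mechanism described under "How KSI works" in miniature, over records modelled on the figure above: each record is hashed, the hashes are aggregated into a hash tree, and only the root is "published" as the trust anchor. Every record then carries a short proof (its sibling-hash path to the root) that anyone can check with no signing key, which is the continuous-verification step the text describes. The record texts, the in-memory Publication object and all function names are assumptions for this example; a production KSI publishes the root in an externally verifiable hash calendar rather than in a Python object, and that published value is what the whole scheme's trust rests on.

```python
"""Hash-tree (keyless) integrity proofs over syslog records.

Added example: not EY's code and not any KSI vendor's implementation. It shows
the idea behind keyless signatures: records are hashed into a Merkle tree, only
the root is published, and each record's proof is its sibling-hash path.
Verifying needs the record, its proof and the published root, nothing secret.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample, modelled on the signed-log figure (host and messages as shown there).
SAMPLE_RECORDS = [
    "2009-01-21 17:09:03 suporte6 pam_unix(cron:session): session opened for user root by (uid=0)",
    "2009-01-21 17:09:15 suporte6 (root) CMD (find /var/lib/php5/ -type f ...)",
    "2009-01-21 17:09:17 suporte6 pam_unix(cron:session): session closed for user root",
    "2009-01-21 17:12:03 suporte6 mauricio: TTY=pts/1 ; PWD=/etc/rsyslog.d ; USER=root ; COMMAND=/usr/bin/killall kmysqladmin",
    "2009-01-21 17:17:02 suporte6 pam_unix(cron:session): session opened for user root by (uid=0)",
    "2009-01-21 17:17:03 suporte6 (root) CMD (cd / && run-parts --report /etc/cron.hourly)",
    "2009-01-21 17:17:03 suporte6 pam_unix(cron:session): session closed for user root",
]

Proof = List[Tuple[str, bytes]]  # (side the sibling sits on, sibling hash), leaf to root


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(record: str) -> bytes:
    # Domain separation: a leaf hash can never be passed off as an interior node.
    return _h(b"\x00" + record.encode("utf-8"))


def node_hash(left: bytes, right: bytes) -> bytes:
    return _h(b"\x01" + left + right)


def build_tree(records: List[str]) -> List[List[bytes]]:
    """Tree bottom-up: levels[0] are the leaves, levels[-1] is [root].
    An unpaired node at the end of a level is carried up unchanged."""
    level = [leaf_hash(r) for r in records]
    levels = [level]
    while len(level) > 1:
        nxt = [node_hash(level[i], level[i + 1]) if i + 1 < len(level) else level[i]
               for i in range(0, len(level), 2)]
        levels.append(nxt)
        level = nxt
    return levels


def inclusion_proof(levels: List[List[bytes]], index: int) -> Proof:
    """Sibling hashes needed to recompute the root from one leaf."""
    proof: Proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        if sibling < len(level):
            proof.append(("R" if sibling > index else "L", level[sibling]))
        index //= 2
    return proof


def verify(record: str, proof: Proof, root: bytes) -> bool:
    """Keyless check: walk the path back up and compare with the published root."""
    h = leaf_hash(record)
    for side, sibling in proof:
        h = node_hash(h, sibling) if side == "R" else node_hash(sibling, h)
    return h == root


@dataclass(frozen=True)
class Publication:
    """Stand-in (assumed for this example) for a KSI hash-calendar entry: the root
    for one aggregation period, kept where an intruder on the log host cannot rewrite it."""
    period: str
    root: bytes


def sign_batch(records: List[str], period: str) -> Tuple[Publication, List[Proof]]:
    levels = build_tree(records)
    proofs = [inclusion_proof(levels, i) for i in range(len(records))]
    return Publication(period, levels[-1][0]), proofs


def check_batch(records: List[str], proofs: List[Proof], pub: Publication) -> List[int]:
    """Continuous-verification step: indices of records whose proof no longer
    reaches the published root (edited, swapped or replaced records)."""
    return [i for i, (r, p) in enumerate(zip(records, proofs)) if not verify(r, p, pub.root)]


PUBLICATION, PROOFS = sign_batch(SAMPLE_RECORDS, "2009-01-21T17")


def tamper_demo() -> List[int]:
    """An administrator 'cleans' the sudo record after the fact; its proof
    stops matching the published root, so the edit is detected."""
    edited = list(SAMPLE_RECORDS)
    edited[3] = edited[3].replace("COMMAND=/usr/bin/killall kmysqladmin", "COMMAND=/bin/ls")
    return check_batch(edited, PROOFS, PUBLICATION)


if __name__ == "__main__":
    print("published root:", PUBLICATION.root.hex())
    print("clean batch, flagged indices:", check_batch(SAMPLE_RECORDS, PROOFS, PUBLICATION))
    print("after edit, flagged indices:", tamper_demo())
```

Two design points carry over to any real deployment: the leaf/node domain separation stops an attacker from presenting an interior hash as a "record", and the proofs are only as trustworthy as the publication they end in, which is why KSI anchors roots outside the systems being monitored.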
KSI in action

Estonia: home of the NATO Cooperative Cyber Defence Centre of Excellence

Estonia addressed the data integrity issue following the disabling cyber attacks of 2007. By integrating KSI into its networks, every component, configuration and digital asset can be tagged, tracked and located with real-time verification, no matter where that asset is transmitted or stored.

With real-time awareness for incident response, data loss prevention, investigation and network resilience, it is now possible to detect and react to any misconfiguration or network, component or application failure in the country. The country holds irrefutable, transparent evidence to independently verify and enable trust in transactions and interactions on its networks. No keys or encryption, just mathematical proof of everything that happened.
Big data security challenges

In the past, large financial risk models and risk-scenario simulations have taken days to run, slowing the delivery of urgently needed information to the C-suite. Running models in the cloud across multiple processors, where the modeling software can execute in parallel across multiple cores, means large models can now be run in a matter of minutes.

But once the model data enters the cloud, can it be trusted?

Machine-to-machine and autonomous sensor data managed by machines assumes that the security protocols and handling of machine-generated data are rock solid and invulnerable to compromise. That is a dangerous assumption.

Real-time, continuous integrity monitoring and tamper detection capabilities, like those enabled by KSI, are necessary to protect the big data repositories that make up the cloud. Further, KSI allows companies to manage big data through four dimensions:
• Velocity
• Variety
• Volume
• Veracity

KSI and emerging data integrity standards will change the perception that data in the cloud is less secure than in corporate data centers.
Innovation through analytics: the time is now

Insurance master databases are among the biggest sets of data in any sector and are growing exponentially, thanks to telematics, social media, unstructured email data and the like.

Big data will undoubtedly reshape the insurance industry. For years, the industry has had big data but did not know it or use it. The wake-up call is here, and it is time to re-evaluate and re-tool analytical capabilities:
• More predictive modeling
• Better forecasting through deeper statistical analysis across the enterprise
• Moving beyond a simple one-to-one relationship of server to data storage

Those are the capabilities innovation through analytics can enable, and how data can become a single, holistic global and enterprise resource.

Leading insurers are changing their vision to a "management-by-data-analytics" approach to customers, risk assessment and financial analysis.
Mitigating cyber risk

Cyber risk in the context of ERM

Insurers manage many risks aligned to their risk profiles and appetites. Visionaries and early adopters do so dynamically, using mathematics (stochastic or actuarial methods) and simulations of the future based on historical loss data, in order to correlate all the risks of the enterprise into one holistic view. Factors to consider include:

Cyber risk. Operational risk affects every organization and is often quantified as a percentage of gross written premiums. Cyber risks are no different from any other risk in terms of risk management and transfer.

Risk mitigation. Insurance and reinsurance are not alternatives to ERM. Risk transfer programs should be used to address structural residual risk, and risk management best practices can ease the process of finding the right cover at the right price, with reinsurance optimization. Such an approach must be applied to cyber risk.

Risk modeling. Dynamic risk modeling can enhance effective risk management best practices, modeling the likelihood of small claims from data breaches as well as the impact of long-tail or "black swan" events.

Early adopters are also experimenting with other risk transfer mechanisms, including cyber captives, special-purpose vehicles (SPVs) and sidecars. We are early in a long-term and necessary evolution, in which cyber risk can and must be managed within the broader context of ERM.

Cyber risk must not be viewed as separate from other types of risk.

Dynamic risk modeling tools are necessary to gain detailed visibility into value at risk.
Security issues affecting reinsurers

As the stability mechanism for solvency in the insurance industry and the link to the capital markets and pension funds, the reinsurance industry must also focus on cyber risks.

Emerging technology threat: the industry must model cyber risks in correlation with other risks, including in the solvency and risk-based capital arena, with long-tail exposure reduction.

An incentive to invest: it is difficult for governments to determine whether a cyber attack is an attack on a company or on a country. New mandatory data breach laws will force organizations to report data breaches within a specified period or face heavy fines (up to 10% of gross annual income). Ignorance that a data breach occurred is not an acceptable excuse.

Cyber catastrophe models and databases: nearly 60 insurers write some form of cyber insurance coverage outside of errors and omissions (E&O) insurance. The reinsurance industry needs to look at the effect of large aggregated cyber attacks that can affect the capital and stability of the risk industry.

Cyber attacks and data breaches are black-swan events, not unlike natural disasters, that will:
• Help create cyber excess-of-loss (XL) rates for reinsurance, moving away from quota share reinsurance
• Cause the cyber reinsurance industry to mature in the same way it did for natural catastrophe lines
• Include legal expenses, as these are particularly perilous to solvency and to the proper reserving of claims (the ability to pay) over a period

Reinsurers need to understand cyber risk independently of the insurer to create the right protection mechanisms, cyber models and rating bands.
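The "Risk modeling" paragraph in the ERM section and the excess-of-loss bullet above both describe, without showing, what a dynamic cyber loss model produces. The following Python is an added example, not EY's model and not any vendor's: a frequency/severity Monte Carlo in which breach events arrive at a Poisson rate, ordinary breaches are lognormal, and a small fraction of events are heavy-tailed "black swans". From the simulated annual losses it reports value at risk (VaR), tail VaR and the expected split between the insurer's retained layer and an excess-of-loss (XL) reinsurance layer. The event rate, severity parameters, attachment point, limit and function names are all assumptions chosen for illustration; the point to take from running it is how far the rare events push the tail measures away from the mean.

```python
"""Frequency/severity Monte Carlo for aggregate annual cyber loss.

Added example, not EY's model. Breach events per year are Poisson-distributed;
each event's loss is lognormal, and with a small probability an event is a
'black swan' drawn from a far heavier distribution. From the simulated annual
losses we read off value at risk (VaR), tail VaR and the split between the
insurer's retained layer and an excess-of-loss (XL) reinsurance layer.
Every parameter below is an assumption chosen for illustration.
"""
import math
import random
from statistics import mean
from typing import Dict, List, Tuple


def poisson(lam: float, rng: random.Random) -> int:
    """Knuth's multiplication method; fine for the small event rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def annual_loss(rng: random.Random,
                freq: float = 2.0,                                   # expected breach events per year (assumed)
                mu: float = math.log(250_000), sigma: float = 1.2,   # ordinary breach severity (assumed)
                swan_p: float = 0.02,                                # chance an event is a black swan (assumed)
                swan_mu: float = math.log(50_000_000), swan_sigma: float = 0.8) -> float:
    """Sum of per-event losses for one simulated year."""
    total = 0.0
    for _ in range(poisson(freq, rng)):
        if rng.random() < swan_p:
            total += rng.lognormvariate(swan_mu, swan_sigma)
        else:
            total += rng.lognormvariate(mu, sigma)
    return total


def simulate(years: int = 20_000, seed: int = 7) -> List[float]:
    """Sorted annual losses; the fixed seed makes the run reproducible."""
    rng = random.Random(seed)
    return sorted(annual_loss(rng) for _ in range(years))


def value_at_risk(sorted_losses: List[float], level: float) -> float:
    """Loss exceeded in only a (1 - level) share of simulated years."""
    idx = min(len(sorted_losses) - 1, int(level * len(sorted_losses)))
    return sorted_losses[idx]


def tail_var(sorted_losses: List[float], level: float) -> float:
    """Average loss over the worst (1 - level) share of years; never below VaR at the same level."""
    return mean(sorted_losses[int(level * len(sorted_losses)):])


def xl_split(losses: List[float], attachment: float, limit: float) -> Tuple[float, float]:
    """Expected retained and ceded loss under an XL treaty: the reinsurer pays the
    part of each year's loss above the attachment point, up to the limit."""
    ceded = [min(max(loss - attachment, 0.0), limit) for loss in losses]
    retained = [loss - c for loss, c in zip(losses, ceded)]
    return mean(retained), mean(ceded)


def summary(years: int = 20_000, seed: int = 7,
            attachment: float = 5_000_000, limit: float = 100_000_000) -> Dict[str, float]:
    losses = simulate(years, seed)
    retained, ceded = xl_split(losses, attachment, limit)
    return {
        "mean": mean(losses),
        "var_99": value_at_risk(losses, 0.99),
        "var_99_5": value_at_risk(losses, 0.995),
        "tvar_99_5": tail_var(losses, 0.995),
        "retained": retained,
        "ceded": ceded,
    }


if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name:>10}: {value:>16,.0f}")
```

The gap between the mean and the 99.5% tail VaR is what a quota-share arrangement cannot price sensibly and what an XL layer is designed to absorb; raising `swan_p` or `swan_sigma` shows how quickly the ceded expectation, and hence the XL rate, moves with assumptions about the tail.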
Supply chain risk

Recent natural catastrophe events have shown what can happen to the global supply chain in terms of disruption. A severe cyber attack would affect the global supply chain, especially around commercial and industrial internet usage.

The insurance industry knows that the outsourced service provider is the main cause of supply chain disruption, and that such disruption often coincides with weather events, bringing cyber and climate risks together in one event. When service providers outsource to each other, it should send a red alert to the industry.

Data integrity needs to be embedded in the enterprise, as well as with the IT vendors it outsources to and with those that these outsourcers in turn engage.

Technology, in conjunction with cyber attacks and service providers, makes up the majority of all supply chain disruptions.

Cyber liability regulation and rating

Rating agencies can have an economic effect on countries and corporations by making rating changes based on an event. The rating of insurers is also at risk if they do not provide mitigation advice to customers: they may struggle to get reinsurance capacity, expose themselves to more risk and lose access to "A"-rated capital. It is in everyone's interest in the regulatory and rating space to understand the standards and the value that they bring to the table.

Currently, rating agencies view cyber risk as a primary threat to solvency because of the significant, rapid and unexpected impact of an event and, in some cases, the limited ability to react to that event. For natural catastrophes, rating agencies look at the use of catastrophe event models that are created by third-party vendors and rely on vendor research and data accuracy.

However, in the case of cyber risk, the catastrophe is the data itself. That requires a broader rating approach, for example with a data-scoring rating mechanism added to overall ERM ratings.

The speed of regulatory change in data breach reporting will lead to increased cyber liability coverage and even mandatory insurance in some cases.
Best practices and the center of excellence

Cyber risk leaders in insurance will likely embrace a center of excellence across customer, risk-centric and financial activities, thereby linking security analytics and big data with fraud investigations. This will further the trend toward intelligence-driven security plans in order to protect digital information assets.

The Center of Excellence for Insurance Big Data Security, Technology Governance and Compliance can help you create a holistic, technology-enabled, business-driven strategy.

Customer (need: trust)
• Distribution channel cross-sell/up-sell
• Customer lead identification
• Marketing campaign analysis
• Segmentation
• Know your customer (KYC)
• Lifetime value
• Retention and lapse
• Fraud, SIU and forensics
• Subrogation/recovery

Risk centric (need: knowledge)
• Underwriting
• Product design and innovation
• Pricing and deductibles
• Reinsurance strategy
• Telematics M2M
• Catastrophe models
• Reserving and claims

Financial (need: transparency)
• Rating and regulation
• Asset liability matching
• Reinsurance optimization
• Portfolio and asset optimization
• Risk-based capital pricing
• Financial modelling
• Macroeconomics
• Embedded value
How EY assists with effective cyber risk management

EY's information security services help our clients to assess their security strategies, processes and infrastructure to manage risk and enable compliance with applicable laws and regulations. This includes testing for security exposures and business risks created by vulnerabilities or by inadequate systems, applications and network devices.

Leading practices should include:
• A pragmatic, risk-based information security strategy that integrates solutions to address business needs, compliance requirements and ERM objectives
• Listening to what is going on in the market, understanding security information trends and threats, and adjusting the risk assessment accordingly
• Continually reassessing new technologies and the threat landscape to confirm that focus is on the right priorities
• Executive and board support that leverages the expertise of partners and vendors and defines which security functions sit in-house rather than outsourced or in the cloud
• Assurance that information security is an integral part of the risk management function, not a stand-alone unit that fails to involve the business in the process