Protecting what matters most: Cyber resilience in the insurance industry PwC Insurance EyeOpener
Transcript
PwC Insurance EyeOpener, www.pwc.com/ca/insurance
Protecting what matters most: Cyber resilience in the insurance industry
January 13, 2015

Speakers (PwC)
• Salim Hasham, National Cyber Resilience Leader
• Sajith Nair, Financial Services Cyber Resilience Leader

Agenda
• What is cyber and why does it matter to us?
• PwC Global State of Information Security Survey 2015
• Becoming a cyber resilient organization

Our perspectives
• Developed based on our interactions with CISOs, CIOs, corporate suite leadership, and boards of directors.
• Shaped through knowledge and experience of developing strategies, implementing solutions, executing programs, and responding to security crises.
• Supported and enhanced by years of federal law enforcement, national intelligence and industry experience.
• Pragmatic insight and a balanced view of how to prioritize investments in the people, processes and technology solutions needed to address the cyber security challenge.

What is cyber security and why does it matter?

Your digital world just got bigger
The evolution:
• Technology-led innovation is transforming business models.
• Companies operate in a dynamic environment that is increasingly hyperconnected and interdependent.
Leading to:
• The benefits of the same technological advances are being exploited by an increasing number of global cyber adversaries.
• Adversaries are actively targeting critical assets throughout the ecosystem.
• Data is distributed and dispersed, increasing the potential for loss and exposure.

Why does cyber security matter for insurance companies?
Cyber security will enable you to safely realize the benefits of technological advances to increase:
• Innovation
• Collaboration
• Productivity
• Competitiveness
• Customer experience
71% of insurance CEOs see cyber insecurity as a threat to their business prospects.*
86% of insurance CEOs identified that technological advances will transform their business in the coming five years.*
*Source: 17th Annual PwC Global CEO Survey – Key findings in the Insurance industry

Insurance companies today face four main types of cyber adversaries
Adversary motives and tactics evolve as business strategies change and business activities are executed; ‘crown jewels’ must be identified and their protection prioritized, monitored and adjusted accordingly.

Nation state
• Motives: economic or political advantage
• Targets: trade secrets; M&A information; critical financial systems and information
• Impact: loss of competitive advantage; regulatory inquiry/penalty; disruption to critical infrastructure

Organized crime
• Motives: immediate financial gain; collecting information for future financial gains
• Targets: financial/payment systems; personally identifiable information; payment card information; protected health information
• Impact: regulatory inquiry/penalty; lawsuits; brand and reputation; loss of consumer confidence

Hacktivists
• Motives: influence political and/or social change; pressure businesses to change their practices
• Targets: corporate secrets; sensitive business information; critical financial systems
• Impact: disruption of business activities; brand and reputation; loss of consumer confidence

Insiders
• Motives: personal advantage, monetary gain; professional revenge; bribery or coercion
• Targets: sales, deals, market strategies; corporate secrets; business operations; personnel information; administrative credentials
• Impact: trade secret disclosure; operational disruption; brand and reputation; loss of consumer confidence

Cyber threats could significantly impact your investment portfolio
What’s most at risk? The assets pursued by nation states, organized crime, hacktivists and insiders include:
• Emerging technologies
• Industrial control systems (SCADA)
• Payment card and related information/financial markets
• Military technologies
• Healthcare, pharmaceuticals, and related technologies
• Health records and other personal data
• Advanced materials and manufacturing techniques
• Research and development and/or product design data
• Business deals information
• Information and communication technology and data
Input from Office of the National Counterintelligence Executive, Report to Congress on Foreign Economic Collection and Industrial Espionage, 2009-2011, October 2011.

A cyber breach has a long and unpredictable tail
• Recognize breach
• Determine extent of breach, number of records lost, type of information lost
• Review federal and state statutes and the actions necessary in breach response
• Notification, credit monitoring, credit restoration
• Potential regulatory fines and penalties incurred
• Vendor fines and penalties incurred
• Third party litigation and damages

Cyber security could have broad direct and indirect impact
Illustrative model*: PwC’s Hazard catalog, the seven categories of hazards that apply to any financial institution
• Financial: unfavorable audit findings; insider trading; unfavourable market conditions; new taxation; balance sheet infidelity; balance sheet write-offs
• Legal: lawsuits; new legislation; new treaty; sanctions; whistle blower; regulatory non-compliance
• Information and technology: disruptive change; technology incompatibility; intellectual property leakage; espionage; fraud; data breach
• Operations: supply discontinuity; infrastructure failure; supply chain issues; execution failures; supply fulfillment gaps/delays; low supplier quality
• Human capital: ineffective recruiting; inadequate capabilities; high turnover; training inadequacy; succession gaps; low employee confidence
• Reputation: brand degradation; loss of market position; low customer confidence; loss of partner relationships; unfavourable price elasticity; communication mismanagement
• Global: terrorism; war; natural disaster; pandemic; geopolitical instability; money laundering
Further hazards in the catalog: apps. and network vulnerability; physical security breach; performance gaps; poor market access; counterfeit; asset deflation; embezzlement; discrimination; kidnap and ransom.
The slide highlights the areas where cyber incidents are either the source, cause or a contributor of hazards for large global financial institutions.
*Abstract from PwC’s Risk & Resilience Framework and benchmarking studies in the financial services sector. The hazards were selected after analysis of industry incidents, incorporating industry standards and frameworks (e.g., Basel II, ISO 27000). The hazards presented here are a representative sample; PwC works with financial institutions to “customize” the catalog for them, so that management can see hazards across the organization.

PwC Global State of Information Security Survey 2015: Key Findings, Insurance Sector

Security incidents detected
The compound annual growth rate of detected security incidents has increased 66% year over year since 2009.
Detected incidents by year: 2009: 3.4; 2010: 9.4; 2011: 22.7; 2012: 24.9; 2013: 28.9; 2014: 42.8.
71% of incidents go undetected (Source: 2014 Trustwave Global Security Report, May 2014).

Security incidents detected (North America)
• 1/3 of North American insurers do not know how many incidents have occurred in the past 12 months.
• Half of the insurers in North America have detected up to 500 incidents.
• Number of incidents detected: zero or none 17%; 1 to 499 50%; 500 to 4,999 17%; 5,000 or more 5%.

Most common types of incidents detected
82% of Canadian insurance companies have been affected by one or a combination of the most common types of incidents:
• Data exploited
• IT system exploited
• Removable storage
• Mobile device
• Application exploited
• Network exploited
• Human exploited

How organizations were impacted by security incidents
• Personally identifiable information (PII)
• Network slowed/unavailable
• Customer records compromised
• Identity theft
Customer-related data has been impacted the most for Canadian insurers. Financial services institutions have been impacted the most in their network, followed by customer records.

Big data and analytics as a detection tool
• Currently in place (in-house): 0% / 27% / 36%
• Currently outsourced: 17% / 13% / 15%
• No plans to adopt: 50% / 18% / 19%
Each row shows the three figures as they appear on the slide; the slide flags this as an area where insurers are behind.

Losses from security incidents
88% of insurance companies do not know the losses incurred from incidents in 2014.

Top three most-cited external sources of incidents for insurers (2014)
• Hackers
• Information brokers
• Organized crime

Top three most-cited internal sources of incidents for insurers (2014)
• Current employees
• Former employees
• Current service providers/consultants/contractors

Greatest obstacles to improving overall strategic effectiveness of the security function
• Poorly integrated or overly complex information and IT systems (22%)
• Insufficient operating expenditures
• Insufficient capital expenditures
• Absence or shortage of in-house technical expertise
• Lack of an actionable vision or understanding of how future business needs impact information security
• Leadership: CIO or equivalent
• Leadership: CEO, President, Board, or equivalent
• Lack of an effective information security strategy
• Leadership: CISO, CSO, or equivalent

Security spending within the insurance industry
• On average, 3.5% of the IT budget at Canadian insurance companies is assigned to information security (other figures shown on the slide: 4.5% and 5%).
• 33% of Canadian insurers have information security budgets of up to 20M.
• 50% have a budget of less than 1M.

Business issues or factors that drive spending
Regulatory compliance is the key driver for security spending. That is not surprising in a highly regulated industry, but a security model centred on existing compliance standards may not adequately address today’s evolving security threats.
• Regulatory compliance: 19%
• Business continuity / disaster recovery: 15%
• Company reputation: 15%
• Internal policy compliance: 15%
• Economic conditions: 11%
• Change and business transformation: 9%

Collaboration amongst insurance companies
Only 17% of Canadian insurance companies collaborate with competitors (other figures shown on the slide: 55% and 42%).

Executive sponsorship is key
Percentage of insurance companies that have a senior executive (CEO, CFO, COO, CRO, etc.) who proactively and regularly communicates the importance of information security to the entire organization:
• U.S.: 70%
• Global: 56%
• Canada: 50%

Becoming a cyber resilient organization

Threat predictions for financial services: 2015-2016
• Emergence of cross-channel and blended attacks
• Data disruption attacks become data destruction attacks
• Service providers will become a key vulnerability
• Threats from insiders (malicious, coerced or bribed) will increase
• Mobile will become the main route for compromise
• A ‘Balkanized’ internet will complicate global business models
• Encryption will fail and undermine internet trust
• C-suite and high-risk employees will be targeted for direct access to sensitive data and operations
• Nation-state backed espionage will become mainstream

Evolving perspectives for financial institutions adapting to the new reality
Traditional information security perspective → today’s leading cyber security insight:
• Threat focus: primarily external → external and internal
• Protection strategy: one-size-fits-all approach → prioritize and protect your key assets based on threat modelling and intelligence
• Defense posture: protect the perimeter; respond if attacked → layered defense; contextual threat intelligence; real-time detection; rapidly respond when attacked
• Control model: primarily focused on prevention → predict, prevent, detect, respond, correct, and recover
• Threat intelligence and information sharing: keep to yourself → share internally (fraud, corporate security, operational risk) and externally (government, industry peers)
• Risk management approach: primarily focused on minimizing likelihood → accept that breaches will occur often; focus on minimizing business impact

Cyber security isn’t just about technology

Leading practices in financial services
PwC conducted a study of five global financial services organizations that are considered leaders in understanding and preparing for threats in cyber space. The following represents a consolidated view of key lessons learned.

Questions?

Thank you
Salim Hasham, National Cyber Resilience Leader, +1 (416) 365 8860, [email protected]
Sajith Nair, Financial Services Cyber Resilience Leader, +1 (416) 815 5185, [email protected]
Or visit www.pwc.com/ca/cyber-resilience

© 2015 PricewaterhouseCoopers LLP, an Ontario limited liability partnership. All rights reserved. PwC refers to the Canadian member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.