
Cyber insurance, security and data integrity - EY

Cyber insurance, security and data integrity
Part 1: Insights into cyber security and risk
2014

Contents: Executive summary; Pillars of information security; Introduction to emerging cyber threats; Data breach in cyber liability; Big data security challenges for insurers; A wake-up call to re-evaluate and retool analytics

Today, executives are acutely aware that their information is under constant attack as cyber threats become more pervasive, persistent and […]

This is the first in a two-part series on cybersecurity that focuses on both the data and risk aspects of this topic. It provides a broad view of why information security and cyber risk are so important for insurance companies and how they can protect their businesses from rapidly emerging […] this paper, we look at the security aspects of cyber liability insurance, key issues that insurers face and the underlying security model that organizations should follow.


Data integrity presents one of the biggest challenges for the industry and is a major focus of our discussion. Our soon-to-be-published second paper will explore the risk aspects of cyber liability insurance and look at how insurers and reinsurers are using mitigation in their risk […] are increasingly exposed to cyber thieves and are the victims of corporate espionage (also known as the Insider Threat) caused by both internal and external security breaches. Fraudsters can be extremely capable of exploiting enterprise weaknesses and corporate defenses to steal intellectual property (IP), compromise corporate strategy, target customers, and pilfer or manipulate confidential and regulated information. In the wake of numerous recent data breaches, much has been published on cyber liability insurance. Professional liability policies for companies providing computer hardware and software services have grown to include not just technology providers but all those collecting, storing and processing electronic data from their […]

Executive summary

Key contacts: Shaun Crawford, Global Insurance […] Piesse, International Insurance Society (IIS) Ambassador for Asia Pacific and Insurance Lead at Guardtime

Executives need to commit to improving information security if they are to achieve the intended benefits and demonstrate the value of their […]

Security breaches can be categorized by a triad of confidentiality, availability and integrity, as shown in Figure 1.

Confidentiality prevents the disclosure of information to unauthorized individuals or systems. Close to 95% of all enterprise networks have been compromised by external attackers. Researchers revealed that only 3% of organizations felt safe against insider threats. Hundreds of millions of consumers have had their identity information compromised. The financial and reputational losses to businesses and shareholders stretch into tens of billions of dollars annually.

Availability is making sure that computing systems, security controls and communication channels are functioning correctly. There are multiple security solutions on the market that address confidentiality and availability (denial of service). Large organizations have been amassing these solutions to address their operational risk.

Integrity is maintaining and ensuring the accuracy and consistency of systems and data over the entire life cycle, and it remains the most nebulous, yet critical, pillar of the data security triad.

Integrity is the gaping hole in security today. There is a media focus on confidentiality as it is easy to understand (a loss of customer information), but almost all losses of customer information have been caused by a breach in integrity (the introduction of malware compromising the integrity of the system used to secure the data). Integrity is a prerequisite for ensuring confidentiality. Without it, encryption is worse than useless, bringing a false sense of security that almost always leads to downfall. Integrity brings auditability and transparency of evidence to governance frameworks that allow the public and private sector to mutually audit each other's activities in accordance with an agreed-upon governance […]

Figure 1: Security triad (security model)
Confidentiality: Preventing the disclosure of information to unauthorized individuals or systems
Integrity: Maintaining and assuring the accuracy and consistency of systems and data
Availability: Making sure that the computing systems, the security controls, and the communication channels are functioning correctly

Pillars of information security

Cyber liability insurance has evolved to include everyone collecting, storing and processing electronic data from their […]

Financial institutions have developed innovative mobile applications that enable mobile payment transactions for their customers.

While these applications represent innovation, the institutions never planned on supporting mobile banking. Consequently, digital exchanges via the mobile transaction network are at a higher risk of compromise and/or manipulation by exploiters with increasingly sophisticated tools and skills. Moreover, infrastructure and storage outsourcing efforts supporting these applications put organizations further at risk as unregulated cloud service providers have highly differentiated security mechanisms that may not address threats to their customers.

Other challenges for insurers

There is a stunning gap between the nature of new threats and the capabilities available to detect attacks, monitor (and stop) unauthorized exfiltration, and secure information. Few insurers have direct insights into the cyber liabilities surrounding intangible digital assets.

Many do not have the tools to provide the direct real-time awareness necessary to calculate risks to insured digital assets stored by cloud service providers or enterprise networks. There is increased awareness that companies should be accountable for private records and the security of data collected from their customers. Insurers should make the fundamental assumption that any insured infrastructure will at some point be compromised, if not already. The more important and valuable the intangible (data) assets are (IP, customer and supplier base, etc.), the more likely a […]

[…] and security measures

As exposure has evolved, so have policies. Since exposure exists for any organization that handles private information, insurance companies were tasked with creating a new type of policy. Most current cyber liability policies (or security and privacy policies) cover personal records in any format, including paper records.

Other policies continue to emerge, such as contingent business interruption for cloud infrastructure that addresses more complex risks than data-breach-related exposure to data loss, theft or fraudulent disclosure. From our experience, EY is seeing new distribution channels taking hold in rapid-growth markets in response to the exponential increase of mobile and digital devices. This is fostering new product development, along with security and privacy measures that are needed to protect companies in their adoption of digital technologies. Entering new markets generally requires new processes, systems, languages and cultures. These come with varying degrees of security risk and threat […] new issue on the table is electronic data integrity: how to independently prove what happened in a digital infrastructure, determine the impact of a security incident and distribute the liability for a data breach.

This proof is hard to obtain when considering the internal information systems, and it becomes increasingly complicated with organizational reliance on outsourced cloud infrastructure and trusted administrators. New methods are needed to definitely identify the cause of compromise, the assets affected, when the compromise occurred, and if insured assets were exposed outside the […]

Introduction to emerging cyber threats

Businesses must take a proactive approach to tackling cybersecurity rather than waiting for a breach to occur and then acting on […]

Figure 2: Anatomy of a data breach

Data breach in cyber liability

In the real world, it would be considered reasonable and appropriate to require an independent audit of digital assets to be insured. In cyberspace, this is more challenging.

Insurers have to rely on the insured to tell the truth about what assets have been impacted by a breach. Integrity standards for data enable insurance companies to conduct an independent audit of what digital assets exist ([…], client data, IP) prior to a breach, thus preventing fraudulent claims.

Anatomy of a data breach

Data integrity standards can play a role in policy wording and risk assessments, as shown in the anatomy of a data breach (Figure 2). For stand-alone policies, these standards can be used as a warranty similar to a burglar alarm in a property policy. For cyber endorsements in original and other liability covers, such as errors and omissions (E&O), they could act as a simplified standard to insure small and medium enterprises (SMEs) for cyber liability when they cannot afford stand-alone cover. The extra cover, such as protecting digital assets against confidentiality and data integrity breaches, will allow carriers to increase their premiums because of a greater coverage and claims guarantee.

It will also make the products more attractive to risk […] people have digital fingerprints via their mobile devices that identify them uniquely, and social media websites have turned this into an advantage in the sales process. Applying a unique data security signature associated with that fingerprint is bolstered with the data integrity standard. Another important role for data integrity standards will be in the broker risk assessment process. Brokers can include these standards in their risk process to educate their customers and direct them to compliant carriers. One aspect of a data integrity standard is keyless signature infrastructure, known as KSI.

Figure 2 (anatomy of a data breach), stages along the time axis around the data breach incident:
Before breach: Reasonable and appropriate measures to manage future data breach incident
During breach: Alerting for rapid response and damage limitation
After breach (short term): Forensic analysis
After breach (long term): Subrogation mitigation and e-discovery

Keyless signature infrastructure

KSI is a disruptive new technology standard that can effectively address some of the issues insurers face in the rapidly emerging cyber liability domain.

