“Cyber Risk” – Implications for the insurance industry
PIAM General Insurance Knowledge Seminar “CyberRisk”
Aloft, Kuala Lumpur, 24 July 2019
Lee Han Ther MBA, CISA, CISM, CRISC, CISSP, PMP, DRCS, TTT
Director, Emerging Tech Risk and Cyber (ETRC)
Document Classification: KPMG Confidential
© 2018 KPMG Management & Risk Consulting Sdn. Bhd., a company incorporated under Malaysian Law and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
A True Story
1. Initial attack
• Ransomware on servers and virtual machines.
• Later identified only as a decoy.
2. Data leaked on Internet
Confidential M&A reports appearing on Pastebin. Notified via third party.
3. Internal security crisis
CFO raised high severity incident to CIO.
4. Lack of internal capabilities
• Internal team not prepared. Speaking to all technology vendors.
• Desperately requesting IR assistance.
5. On-site
Third party finally on site after 1 week.
6. Detection
Identified that the whole Active Directory had been compromised, via a “golden ticket attack”.
7. Containment
Endpoint detection and response tools deployed. Took time to complete.
8. Resolution & lessons learnt
• Finally resolved after 2 months.
• Very painful experience.
• Focus on ability to detect and respond.
Global Risk Landscape 2019
Source: “World Economic Forum (WEF) Global Risk Report 2019”
Cost of Data Breach
Source: “2018 Cost of Data Breach Study from the Ponemon Institute”
World’s Biggest Data Breaches
Cyber Risks
• Financial impact
• Legal impact
• Reputational impact
• Operational impact
• Health & safety
Personal Risk
When the worst happens
In The Headlines: South East Asia
Source: TheStar, 13 November 2018
Threat Actors
• Nation state
• Hacktivist
• Malicious insider / third party
• Cyber criminals
• Corporate espionage
Nation State
Cyber Criminals
Hacktivist
Cyber Risk Framework (WEF)
Source: “World Economic Forum (WEF) Advancing Cyber Resilience”
Security maturity journey (chart axis: Security capability)
• Denial: Cyber security isn’t an issue for us… It’s all hype anyway
• Worry: I am worried… but not sure what to do
• False confidence: I have robust policies/defences… And… a strong compliance function (Here?)
• Hard lessons: I don’t understand how we were breached… There is no absolute security, we need to manage risk (Here?)
• On the journey…
• A true leader: We need a more agile approach to match the threat. We can’t do this alone – we are part of the community (Or Here!)
Thank You
Han Ther, Lee
Director of ETRC, Emerging Tech Risk & Cyber
03 - 7721 7752