London Business Interruption Association
Technology: new risks and opportunities for the insurance industry
Kiran Nagaraj, Senior Manager, KPMG LLP
February 2014

Agenda
Introduction
The world we live in
Security & resilience
Insurance products on the rise
Types of impact
Maturity assessment
Tips and advice
Insurance industry perspective
The world we live in

"Now, we know hackers steal people's identities and infiltrate private emails. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy."
President Obama, State of the Union address, 12 Feb 2013

"There are only two types of companies: those that have been hacked and those that will be."
Robert Mueller, Head of the FBI, RSA Cyber Security Conference, 01 Mar 2012

27bn*
*http://www.bbc.co.uk/news/uk-politics-21414831
Hacking and cyber attacks are only part of the problem
Media hype tends to highlight certain types of events. But do you believe the media hype?

Top technology risks:
IT complexity and legacy
Lack of resilience
Major IT project failure
Cyber crime
Unauthorised system access
Ineffective or erroneous change
Fraud and data leakage
Ineffective governance and compliance
Third party management
Source: KPMG Technology Risk Radar. Go to kpmg.co.uk to download the Technology Risk Radar.
Lack of IT resilience is increasingly becoming a cause of business interruption
Some examples:
In August 2013, a major US market maker lost about 70% of its market value, potentially after incorrectly deploying code into its production environment.
In December 2013, a leading bank had a major IT outage. Some analysts estimate the costs could potentially add up to 1b.
Also in August 2013, there was a 3 hour trading halt at one of the largest US stock exchanges in the middle of the trading day, potentially due to a failed backup system.
Cyber security vs. resilience
Cyber security, also referred to as information security, focuses on protecting computers, networks, programs and data from unintended or unauthorised access, change or destruction.
Resilience is the ability of IT services to recover quickly and continue operating even when there has been an equipment failure, power outage or other disruption.
Cyber risk is an important consideration for achieving technology resilience, but not the only one!
Technology risk is business risk: specifically, the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise. (Source: ISACA, www.isaca.org)
Aim for security AND resilience!
Insurance products are on the rise
Recently, there have been reports that a large retailer could tap more than $100m in insurance to pay claims tied to the massive data breach that affected millions of customers last year.
A global insurer reported that sales of cyber insurance jumped 30% in 2013.
Organisations cannot anticipate or prepare for all technology risks.
Insurance can complement risk management measures.
Standalone products for cyber / technology risks are increasing.

Types of impact to consider
A mix of quantitative and qualitative measures is used. [Slide figure: types of impact; not recoverable from the text.]
Maturity assessment: what to look for?
The organisation is prepared for a risk event and is able to prevent or minimise the impact through successful disaster recovery and crisis management.

Leadership and governance:
Board demonstrating due diligence, ownership and a risk management framework
Roles and responsibilities for effective decision making
Integrated risk culture that empowers and ensures the right people, skills, culture and knowledge

Risk as part of business-as-usual within IT:
Comprehensive and proportionate processes and control measures implemented to address identified risks
Regulatory expectations and international certification standards

Risk analytics and reporting:
Comprehensive use of well defined metrics such as KRIs / KPIs, along with business-agreed thresholds
Risk analytic capabilities such as threat modelling and scenario analysis
Clearly articulated and documented approach to achieve comprehensive and effective risk management of information throughout the organisation and its delivery and supply partners
What should organisations do?

Security:
Prepare: understand vulnerabilities and improve preparedness against cyber attack.
Protect: design and implement cyber defence infrastructure. Implement the building blocks of intelligence; use threat intelligence as a springboard for delivering effective cyber security.
Incidents will happen! The question is not if, but when! Be ready to detect and respond to cyber attacks.
Transform: design and deliver a programme of change to improve cyber security capability.
Integrate: embed cyber security in the culture and decision making of client organisations.

Resilience:
Focus on broad operational goals and not just on IT components or infrastructure.
Develop strong testing and change management practices.
Drive continuous improvement from lessons learned.
Adopt strategic approaches and not just stopgap fixes.
Adopt predictive analytics and invest in monitoring and control.
Define metrics and success criteria formally across IT.
KPMG's top 10 tips for defending against cyber attack
Prepare for war
Prioritise
Brace for impact
Strategy
Learn from your mistakes and others'
Watch and learn
Don't go it alone
Caution
Plug the mobile leak
Accept the consequences
Insurance industry perspective

Factors limiting the demand for tech. / cyber risk insurance:
Cost: Gartner estimates cyber insurance premiums to be around $10,000 to $35,000 for $1 million in coverage
Economic conditions
Arrogance / ignorance

Factors limiting the supply of tech. / cyber risk insurance:
Actuarial data: absence of sufficient historical underwriting / claims data makes it hard to price
Limited ability to charge differential premiums
Limited ability to quantitatively assess technology risks
Ambiguity in risk and coverage: rapid change in the technological landscape; cyber risk insurance is still evolving as a product; coverage not fully understood by the technology community
Re-insurance: lack of historical actuarial data forces reinsurers to be equally hesitant

Demand appears to be growing.

Complementary services. KPMG can help!
Pre-sales and marketing driving customer growth
Pre-bind risk assessment for better underwriting
Insurance claim support with forensics and claims settlement
Remediation services in addition to insurance protection
Contact: Kiran Nagaraj, kiran.nagaraj@kpmg.co.uk, +44 (0) 20 7311-3069

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
2014 KPMG LLP, a UK limited liability partnership, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative. Printed in the United Kingdom. The KPMG name, logo and "cutting through complexity" are registered trademarks or trademarks of KPMG International Cooperative (KPMG International).