Global IT Compliance: Practical Use Cases
Stefan Ort, Munich Re
Agenda (25 May 2016)
- About Munich Re: Munich Re IT at a glance
- IT Compliance: 5 dimensions, basic principles
- Data Privacy
- Cyber Security: possible to insure?
- Sourcing: globally possible
- IT Trends & Innovation: Blockchain, Big Data / Analytics
- Munich Re Compliance Gate & IT Risk Management
Munich Re (Group): History of Munich Re
- 1880: Munich Re is founded on 19 April 1880 at the instigation of Carl von Thieme, Baron Theodor von Cramer-Klett and Wilhelm Finck.
- 1906: First major loss in the 20th century: the earthquake in San Francisco on 18 April 1906. Munich Re's liability: US$ 2.5m. Munich Re deals with all aspects of claims on the spot.
- 1997: The insurance groups VICTORIA/D.A.S. and Hamburg-Mannheimer/DKV announce that they will merge under the name of ERGO Versicherungsgruppe AG. ERGO, which belongs to Munich Re, is now represented in more than 30 countries.
- 2009: Munich Re pools its international health insurance and reinsurance expertise in a new business segment: Munich Health. With the introduction of the new brand, Munich Re redefines its position in the reinsurance markets.
- 2011: With overall losses amounting to some US$ 380bn, 2011 becomes the costliest natural catastrophe year to date. After the terrible earthquake in Japan on 11 March 2011, Munich Re invites internationally recognised experts to assess the event.
We support 18,800 users in 37 locations (Munich Re Reinsurance, Global IT Organization)
- Americas: 4 IT service centers, 15 locations, ~8,800 application users; focus: business transformation (PIRI). Locations on the map: Amelia, Atlanta, Chicago, Columbus, Hartford, Montreal, New York, Philadelphia, Princeton, San Francisco, Toronto, Vancouver, Bogotá, Buenos Aires, Caracas, Mexico, Santiago de Chile, São Paulo.
- EMEA: 1 IT service center, 11 locations, ~9,400 application users; focus: regional consolidation. Locations on the map: London, Madrid, Malta, Milan, Munich, Paris, Zurich, Accra, Cape Town, Johannesburg, Nairobi.
- APAC: 1 IT service center, 11 locations, ~600 application users; focus: business growth. Locations on the map: Auckland, Melbourne, Sydney, Beijing, Calcutta, Dubai, Hong Kong, Kuala Lumpur, Mumbai, Seoul, Shanghai, Singapore, Taipei, Tokyo.
IT Compliance is responsible for all external (regulatory or legal) and internal (policies, standards) requirements!
Sources of requirements shown across the regions on the map:
- Data Privacy Law
- Contract Law
- State Supervision of Credit Institutions
- MR Internal Risk Appetite
- Legislation
If you want to use personal data you must comply with the basic principles of the data protection law:
- Permissibility of the collection, processing and use of personal data: it is necessary to clarify whether the collection, processing or use of personal data in the IT-based business process is permitted.
- Necessity of the data processing, the principle of data minimization and of deleting unnecessary data: the processing of the data must also be necessary for achieving the processing purpose.
- Requirement for transparency: the "transparency precept" stipulates that all the parties affected be made aware that data relating to themselves are being collected.
Cyber Security Taxonomy: From Threats to an Insured Loss
Elements of the taxonomy: Threats, Actors, Vulnerabilities, Assets, Security Controls; a successful attack leads to an Impact, which is measured as Business Impact (costs):
- Impact on operations: system & data recovery, business interruption, crisis management
- Liability: notification, credit monitoring
- Legal implications: law suits, defense costs
- Miscellaneous: reputational damage, extortion
Sourcing: Data Privacy, Risk Management and the Outsourcing Initiative work closely together to ensure that legal requirements are observed!
Important topics for IT Compliance in case of sourcing:
- Cross-border data transfer
- Business continuity management
- Certifications
- Control environment
- Onsite audits
IT trends ranked by relevance for Munich Re / ERGO
Starting points for IT Compliance to support implementation of new IT trends:
- Access to the Munich Re network and data
- Development of pilots
A detailed compliance check starts when:
- Access to critical data is required
- The pilot is ready for production
IT Trend Radar 2016: IT trends ranked by relevance for Munich Re / ERGO
Rings of the radar, from outer to inner:
- Hold (Watch list)
- Assess (Evaluation needed)
- Trial (Initiatives in affected units)
- Adopt (Start initiatives in your unit!)
Trends on the radar (ring placement is not recoverable from the chart text; "new!" marks trends added in 2016): Quantum Computing (new!), Artificial General Intelligence (new!), Autonomous Vehicles, Advanced Smart Machines, Machine Learning, Smart Dust (new!), Information of Everything (new!), Blockchain Technology (new!), Haptic Technologies, Context-aware Computing, Robotics/Drones, Cloud/Client Architecture, Internet of Things, Web-Scale IT, Autonomous Agents, The Device Mesh, 3D Printing Materials, Algorithmic Business (new!), Location-based Services, Industrialization 4.0, Augmented and Virtual Worlds, Collaborative Consumption, Smart Home, Digital Health Services, Predictive Analytics, Ambient User Experience (new!), New Payment Models, Wearable Devices, Telematics, Digital Identity, Cybersecurity, Digitalization, Crowd Sourcing, User Centered Design, Open Data, Data-driven Decisions, Adaptive Security Architecture, Web 5.0
Blockchain: a completely new digital way of doing reinsurance business
New challenges for IT Compliance:
- Cross-border data transfer
- Internal control system
- Transparency
- Deleting unnecessary data
Blockchain + Programming language = Smart contracts
Pseudocode shown on the slide:
    { if HAS_EVENT_X_HAPPENED() is true: send(party_a, 1000); }
Contracts will be written as software in source code, digitally signed, and executed by the network using a cryptocurrency.
Programmability: the blockchain stores not only currency transactions but also software programs, so-called smart contracts, that control assets and money; they follow the encoded rules and enforce them, based on trusted data feeds and digital signatures.
"Crop insurance. One can easily make a financial derivatives contract (...) using a data feed of the weather (...). If a farmer in Iowa purchases a derivative that pays out inversely based on the precipitation in Iowa, then if there is a drought, the farmer will automatically receive money and if there is enough rain the farmer will be happy because their crops would do well. This can be expanded to natural disaster insurance generally."
Source: Ethereum Whitepaper: https://github.com/ethereum/wiki/wiki/white-paper
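The crop-insurance derivative above, modelled as an added example (not code from the slide, the Ethereum whitepaper or Munich Re): the contract only pays out when the weather reading comes from a feed it trusts, pays inversely to precipitation, and cannot be settled twice. The oracle key, region, period, threshold and payout figures are constructed, and an HMAC stands in for the oracle's digital signature because it is available in the standard library.

```python
import hmac
import hashlib
import json

# Constructed shared secret standing in for the oracle's signing key. The slide
# speaks of digital signatures; HMAC is an assumption made here only so the
# example runs without third-party libraries.
ORACLE_KEY = b"constructed-weather-oracle-key"


def sign_reading(reading: dict, key: bytes = ORACLE_KEY) -> dict:
    """Oracle side: attach an authenticator to a weather reading."""
    payload = json.dumps(reading, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"reading": reading, "sig": tag}


def feed_is_trusted(feed: dict, key: bytes = ORACLE_KEY) -> bool:
    """Contract side: accept the feed only if the authenticator verifies."""
    payload = json.dumps(feed["reading"], sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, feed.get("sig", ""))


class CropDerivative:
    """Pays party_a inversely to precipitation in one region for one period."""

    def __init__(self, party_a: str, region: str, period: str,
                 threshold_mm: int, max_payout: int):
        self.party_a, self.region, self.period = party_a, region, period
        self.threshold_mm, self.max_payout = threshold_mm, max_payout
        self.settled = False
        self.ledger = []  # (recipient, amount): transfers the network would execute

    def settle(self, feed: dict) -> int:
        """Enforce the encoded rule once, and only on a trusted data feed."""
        if self.settled:
            raise RuntimeError("contract already settled")  # no double payout
        if not feed_is_trusted(feed):
            raise ValueError("rejected: data feed not signed by the oracle")
        r = feed["reading"]
        if (r["region"], r["period"]) != (self.region, self.period):
            raise ValueError("rejected: feed is for another region or period")
        # Payout grows linearly with the rainfall shortfall below the threshold.
        shortfall = max(0, self.threshold_mm - r["precipitation_mm"])
        payout = min(self.max_payout,
                     self.max_payout * shortfall // self.threshold_mm)
        self.settled = True
        if payout:
            self.ledger.append((self.party_a, payout))  # send(party_a, payout)
        return payout
```

A tampered reading (value changed after signing) is rejected before any transfer is recorded, which is the property the slide's "trusted data feeds and digital signatures" refers to.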
Digitalization of Everything: Agile Business Innovation (Munich Re Cloud Strategy)
Important topics for IT Compliance in the cloud:
- Contracts, regulations
- Cross-border data transfer
- Internal control system
- Fall-back scenarios
Munich Re Hybrid Cloud Strategy (diagram; author: Martin Thormählen, version 1.1)
Workload categories placed between "New IT" and "Consolidate / Commodity", with "Efficiency and Savings" as the driver:
- Cloud born
- Packaged SW
- Modern apps
- Existing, burst
- Systems of record
- Obsolete SW
Technology enables! Big Data / Analytics: from first idea to strategic program
Important topics for IT Compliance in case of big data analyses:
- Processing purpose
- Cross-border data transfer
- Access/permissions
- Deleting unnecessary data
Technology enables! (I) The magic three: HANA / Hadoop / SAS (architecture diagram)
Each of the three platforms has its own user interface; diagram labels per platform:
- HANA: structured transactional business data; SAP Vora connects HANA to the Hadoop stack
- Hadoop stack: Data Lake (HDFS) holding long-term unstructured and structured data; SAS Data Loader; Embedded SAS
- SAS: ad hoc data for advanced analytics; Embedded SAS
Risk acceptance is a major and important topic when implementing or changing an IT architecture.
Risk Management Process, how to:
- Identify threats / risks
- Assess risks
- Mitigate risks
- If mitigation is not possible, too expensive or too complex: accept the risks and document the decision, or reject the initiative/project
Compliance Gate process, part 1: visualization of major elements
Triggers: data classification, development of a new app, app goes cloud, BITA project, purchase of a new app
Compliance Gate step 1 (Fact Sheet): fact gathering and compilation; mandatory execution and result assessment; might trigger step 2 (e.g. Data Class > C2)
Results of step 1 that act as risk indicators: critical data classification, maturity level mismatch, business protection requirements, ORAR* is indicated, financial sanctions
Compliance Gate step 2 (Maturity Level, execution of the risk assessment): execution of the IT Risk Management Process; identification of risk indicators; potential execution / result assessment
*Outsourcing Risk Assessment Report
Compliance Gate process, part 2: visualization of major elements
Execution of the IT Risk Management Process:
- Creation of risk assessment
- Assessment of detailed threats, vulnerabilities and risks
- Valuation of assessment results
- CoCo decision if the risk is high or very high; if the risk is at most medium, proceed directly
- Implementation
- Update of documents
- Monitoring
Owners and involved parties: Global IT Governance, Project / Initiative, IT/Group Compliance, Group Legal, IRM, ISO*, Local IT Management, Compliance Committee (CoCo)
*IT Security: Information Security Officer
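The risk management process and the two-step Compliance Gate described on the last three slides, encoded as an added example (not Munich Re's tooling): step 1 compiles the fact sheet into risk indicators, any indicator triggers step 2, and the worst assessed risk decides between direct implementation and a CoCo decision. The classification ranking, the 4x4 likelihood-by-impact scoring matrix and the sample risks are assumptions; the slides only state that a data class above C2 triggers step 2 and that high or very high risk goes to the CoCo.

```python
from dataclasses import dataclass

# Assumption: classes rank C1 < C2 < C3 < C4; the slide only mentions "Data Class > C2".
DATA_CLASS_RANK = {"C1": 1, "C2": 2, "C3": 3, "C4": 4}
RISK_LEVELS = ["low", "medium", "high", "very high"]


@dataclass
class FactSheet:
    """Step 1 input: facts gathered for a new app, a cloud move or a purchase."""
    data_class: str
    maturity_mismatch: bool = False
    business_protection_reqmts: bool = False
    orar_indicated: bool = False      # Outsourcing Risk Assessment Report needed
    financial_sanctions: bool = False


def step1_indicators(fs: FactSheet) -> list:
    """Mandatory fact compilation; every hit is a risk indicator for step 2."""
    checks = [
        ("critical data classification",
         DATA_CLASS_RANK[fs.data_class] > DATA_CLASS_RANK["C2"]),
        ("maturity level mismatch", fs.maturity_mismatch),
        ("business protection requirements", fs.business_protection_reqmts),
        ("ORAR is indicated", fs.orar_indicated),
        ("financial sanctions", fs.financial_sanctions),
    ]
    return [name for name, hit in checks if hit]


def risk_level(likelihood: int, impact: int) -> str:
    """Constructed scoring matrix (assumption): both inputs on a 1..4 scale."""
    score = likelihood * impact
    return ("low" if score <= 2 else "medium" if score <= 6
            else "high" if score <= 9 else "very high")


def compliance_gate(fs: FactSheet, risks: list) -> dict:
    """risks: [(description, likelihood, impact)] as they stand after mitigation."""
    indicators = step1_indicators(fs)
    if not indicators:
        return {"step": 1, "route": "implementation", "indicators": []}
    assessed = [(desc, risk_level(l, i)) for desc, l, i in risks]
    worst = max((RISK_LEVELS.index(lvl) for _, lvl in assessed), default=0)
    if worst >= RISK_LEVELS.index("high"):
        route = "CoCo decision"   # accept and document, or reject the initiative
        next_steps = ["accept risk and document decision", "reject initiative/project"]
    else:
        route = "implementation"  # risk at most medium: owners proceed directly
        next_steps = ["update of documents", "monitoring"]
    return {"step": 2, "route": route, "indicators": indicators,
            "risks": assessed, "next": next_steps}
```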
Thank you very much for your attention!