Patrick Kelliher FIA CERA Definition Recent loss events and other - - PowerPoint PPT Presentation



SLIDE 1

Patrick Kelliher FIA CERA

SLIDE 2

  • Definition
  • Recent loss events and other examples
  • Data protection legislation and GDPR
  • Mitigation
  • Modelling
  • Conclusion

SLIDE 3

Information Security Risk:

Risk to a firm from the theft, loss or inadvertent disclosure of customer and other stakeholder data; and from breach of data protection legislation

Cyber Crime Risk:

Risk to a firm from malicious cyber attacks, including theft of or damage to data; theft of own and/or client assets; interruption to operations; and reputation damage

SLIDE 4

Diagram: loss-event types grouped under the two risk categories, with Data Theft - Cyber sitting in the overlap between them (grouping follows slides 6 to 8)

Information Security Risk:
  • Technical Breach of Data Protection Legislation (no loss event)
  • Data Theft - Physical
  • Data Theft - Laptop
  • Loss of Data
  • 3rd party theft / loss / breach
  • Inadvertent Disclosure (website, mailing etc.)
  • Failure to properly delete / destroy data

Cyber Crime Risk:
  • Data Theft - Cyber
  • Ransomware
  • Impersonation
  • Interception of e-mail and redirection of payments
  • Cyber Theft of Assets, e.g. Bangladesh Central Bank
  • DDoS
  • Cyber Espionage
  • Cyber Vandalism
  • Viruses
  • Infrastructure Attack / Cyber Warfare

SLIDE 5

Target, US Retailer, Q4 2013

  • ca. 40m card details and 70m customer records stolen – had to pay banks to replace the cards
  • Cost US$291m, offset by a US$90m cyber insurance policy recovery

Anthem, US Health Insurer, February 2015

  • 78m records stolen, including ca. 40m legacy records
  • Sophisticated APT attack; cost to date US$260m

TalkTalk, UK Telecoms Provider, Q4 2015

  • 157k records stolen
  • ICO fine of £400k = 80% of the then maximum (£500k)
  • Remediation cost £42m, plus ca. £15m in indirect costs (higher churn, lower sales)

More recently: Yahoo!, Equifax etc.

SLIDE 6

Ransomware

  • WannaCry – highlighted the need to apply patches and the risks of unsupported software
  • NotPetya – cost both Maersk and Merck ≈ US$300m each

Cyber Theft of Assets

  • Bangladesh Central Bank: ≈ US$100m loss; "near miss" of a further US$850m
  • Interception of e-mail correspondence with clients, changing the bank account for payments
  • Impersonation

Cyber espionage / warfare

Distributed Denial of Service (DDoS)

Cyber vandalism and viruses

SLIDE 7

Non-cyber theft of data

  • Theft of physical data, e.g. paper records of patients
  • Theft of a laptop holding data (2007: Nationwide fined ≈ £1m)

Loss of data

  • HSBC firms fined £3.2m by the FSA in 2009 for losing pension scheme data in the post
  • 2010: FSA fined Zurich £2.275m for losing 46,000 customers' details in a transfer of data to a South African outsourcer

Failure to destroy data in a secure manner

Inadvertent disclosure

  • Customers able to see other customers' details on a website
  • Mailing sensitive details to the wrong address
SLIDE 8

3rd party theft or loss

  • 2014: 20m South Korean bank customers' details stolen by a contractor at a credit rating agency used by the banks

Breach of data protection legislation, including:

  • Not having a legal basis (e.g. consent) to hold data;
  • Not observing data subjects' rights (e.g. the right to access their data);
  • Failure to keep records up to date;
  • Failure to keep data safe, or to prevent loss of or damage to data (e.g. losing data due to inadequate business continuity plans); and
  • Retaining data longer than necessary.
  • Note: a breach / loss event is not needed – poor controls in themselves could give rise to a fine.

SLIDE 9

General Data Protection Regulation (GDPR):

  • New EU-wide data protection regulation which effectively replaces the EU Data Protection Directive (DPD) of 1995 and related national legislation such as the UK Data Protection Act (DPA) of 1998.
  • Seeks to update the DPD to reflect developments such as modern technology capabilities and cloud computing; and also aims for greater consistency in data protection regulation across the EU.
  • Applies in the UK from 25th May 2018, Brexit notwithstanding.
  • Post-Brexit, GDPR may still apply in some form, as UK regulations will need to offer similar protection if UK firms are to be allowed to process the data of EU citizens.
  • 99 Articles – but many of these concern how the regulation is administered and are not directly relevant to firms.

SLIDE 10

What's new?

  • Data protection by design and by default (Article 25) – data protection needs to be an integral part of the design and development of business processes for products and services.
  • Records of Processing Activities (mandatory documentation) (Article 30) adds new requirements for firms to document personal data processing, including identification of data flows, risk assessments, whether data is being transferred outside the EU, how long it should be retained, etc.
  • Notification: Article 33 requires that a breach of personal data is communicated to the regulator within 72 hours of the firm becoming aware of it (unless the breach is unlikely to result in a risk to individuals). Previously only telecoms and internet service providers had to report breaches. Article 34 requires the breach to be communicated "without undue delay" to the individuals affected if it poses a high risk to them.

SLIDE 11

What's new?

  • Data Protection Impact Assessments (DPIAs) (Article 35) – DPIAs are required where processing is likely to result in a high risk to the rights and freedoms of individuals. This would include processing that uses new technologies and/or involves sensitive data such as a person's health. A firm will need to assess the risk to individuals and set out the security measures that will be put in place to mitigate it.
  • Prior Consultation (Article 36) requires the firm, as data controller, to consult the regulator before processing if the DPIA highlights that the processing is likely to result in a high risk to data subjects which cannot be mitigated. The regulator has up to eight weeks (extendable by a further six) to give written advice and, once consulted, can invoke any of its investigative or corrective powers (see Article 58), including a ban on the processing.

SLIDE 12

What's new?

  • Data Protection Officer (DPO) (Articles 37-39) – this is a new role required for organisations which process personal data extensively. The DPO will be the first point of contact for regulators on data protection issues and should aim to ensure the firm complies with GDPR. While similar to a compliance officer, the DPO also needs expertise in IT and data protection to ensure data risks are properly managed across the organisation. The DPO is an important new role: they should have access to adequate resources; be able to act independently; and report directly to the Board.

SLIDE 13

What's new?

  • New individual rights, including:
  • Right to erasure, the "right to be forgotten" (Article 17) – gives the individual the right to request that all personal data relating to them be erased (subject to certain conditions, such as a legal need to retain the data).
  • Right to data portability (Article 20) – the individual has the right to receive some classes of their data in a structured, commonly used, machine-readable format that can then be transferred directly to another data controller or to the data subject.

SLIDE 14

Higher Fines:

  • Higher of 4% of global turnover or €20m for, inter alia, breach of the basic principles for processing (Articles 5-9) or of individuals' rights (Articles 12-22) – see Article 83(5);
  • Higher of 2% of global turnover or €10m for other breaches (Article 83(4)).
  • Fines could increase 50-fold or more, e.g. the TalkTalk fine based on 80% of a 4%-of-turnover maximum would be £58.8m vs the £0.4m actually levied.

Other sanctions:

  • Article 58(2) gives regulators a wide range of powers...
  • ...including (f) the right to impose a ban on processing, say if a DPIA indicated a high risk to individuals' data.
  • Possible Reverse Stress Testing scenario!
SLIDE 15

GDPR raises the bar in terms of compliance with existing data protection legislation:

  • GDPR requires a higher quality of consent.
  • Article 22 retains the existing right of individuals not to be subject to a decision based solely on automated processing if it has a significant effect on them, which could have a significant impact on those using data science to profile and underwrite individuals.
  • Accuracy of records – the cost of getting it wrong increases:
  • E.g. Prudential were fined £50,000 by the ICO in 2012 (10% of the then maximum) when, having inaccurately merged the records of two customers with the same name, they failed to correct this when the customers pointed it out.

SLIDE 16

GDPR is forcing firms to raise their game in terms of Information Security, but pressure is also coming from regulators: "Our work in the financial sector has shown us that firms continue to struggle to get the basics right...."

April 2017 speech by Nausicaa Delfas, Executive Director (now COO) at the FCA

SLIDE 17

Firms should at a minimum comply with basic standards such as the NCSC's 10 Steps to Cyber Security

  • Ensure software is up to date and patched
  • Create a "secure culture" within the firm
  • Contingency planning – how do we respond?
  • Penetration testing
  • Cyber insurance:
    • Unlikely to cover regulatory fines (?), while other items of loss (e.g. litigation) may not be covered
    • Coverage may be invalidated if the firm does not have basic controls in place

SLIDE 18

Data: many useful studies on cyber attacks. Ponemon in particular is a valuable source of reference, but has issues:

  • Only considers breaches with < 100,000 records
  • Need to separate out indirect losses such as lapses (covered under Insurance Risk) and lower sales (the value of which is not allowed for in Own Funds)

Likelihood:

  • A firm may experience frequent low-level attacks, which could be used in modelling incidence
  • The 7 steps of cyber attack/defence could serve as a basis for a Bayesian Network or other model for the likelihood of a major attack succeeding and leading to a large loss of data

SLIDE 19

Useful to consider the 7 steps of a cyber attack:

  • Reconnaissance – seeking to identify vulnerable targets
  • Scanning – probing to identify a weak point through which to gain access
  • Access and Escalation – once in, seek to gain wider access, particularly system administrator rights
  • Exfiltration of data – access and steal confidential data; encrypt it with ransomware or, worse, delete it
  • Sustainment – having gained access, hackers may seek to stay in place quietly, installing malware that allows them to return
  • Assault – hackers may seek to alter or disable hardware, e.g. the Stuxnet attack on Iran's nuclear programme
  • Obfuscation – while some hackers may wish to leave a "calling card", others may wish to cover their tracks, e.g. by clearing logs

SLIDE 20

Severity – bespoke assessment necessary

Exposure – need to consider:

  • # systems, including not just those holding customer data but also staff, pensioner and other systems
  • # records on each system, including legacy records
  • Whether multiple systems could be breached, e.g. if hackers obtained administrator rights to systems

Impacts – these might include:

  • Regulatory fines (post-GDPR)
  • Section 166 reports and other consultancy costs to identify control failings and the remediation required
  • Cost of overtime and external resource to fix systems and remediate deficiencies

SLIDE 21

Impacts – these might include:

  • Cost of overtime and temporary staff to re-key data and deal with backlogs (e.g. as a result of a DDoS)
  • Replacement costs for IT assets damaged or stolen
  • Notification costs
  • Compensation to those affected (though perhaps ex-gratia goodwill payments should not count?)
  • Credit monitoring of those affected to ensure they are not subject to fraud (and compensation if they are)
  • Cost of replacing bank cards where details are stolen
  • Litigation by those affected
  • Complaints and FOS costs
SLIDE 22

Non-capital impacts – exclude from modelling:

  • Reputation damage? – the impact will result in lost sales (see below) and higher lapses (covered under Insurance Risk)
  • Lost sales? – value generally excluded from Own Funds
  • Theft of strategy plans? – could result in lost sales if a competitor exploited these, but see above
  • Theft of IP? – typically valued in terms of the ability to write profitable new business, which is excluded from Own Funds
  • Relations with regulators? – difficult to assess
  • Management focus and effort? – again difficult to assess; possibly opportunities missed or impact on existing business if management focus on dealing with cyber attacks

...though still important to capture these!
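To make the modelling suggestion on slides 18 and 19 concrete, here is a toy frequency/severity model, added as a worked example and not part of the original presentation. It treats the first four attack steps as a serial chain (the simplest Bayesian-network shape: each stage depends only on the one before), thins the firm's observed rate of low-level attacks by the chain probability to get a major-breach rate, draws severity from the exposure and impact items on slides 20 to 22, and reads off the 1-in-200 annual loss. Every stage probability, record count, cost parameter and the fine cap is an assumed figure for illustration, and the function and variable names are mine.

```python
"""Toy frequency/severity model for a major data-loss event (added example).
All numbers are constructed assumptions, not figures from the presentation."""
import math
import random

# Stages an attack must get through before data is lost (slide order).
# Sustainment, assault and obfuscation happen after the loss and are omitted.
STAGES = ("reconnaissance", "scanning", "access_escalation", "exfiltration")

# Assumed probability an attack gets past the controls at each stage, given it
# reached that stage.  In practice these come from pen-test and incident data.
ASSUMED_PASS = {
    "reconnaissance": 0.90,     # public footprint is hard to hide
    "scanning": 0.50,           # patching / hardening closes many probes
    "access_escalation": 0.05,  # least privilege, MFA, admin-account controls
    "exfiltration": 0.10,       # egress monitoring / DLP
}

# Assumed exposure: records per system, including non-customer and legacy systems.
ASSUMED_SYSTEMS = {
    "policy_admin": 2_000_000,
    "legacy_archive": 800_000,
    "pensioner_payroll": 150_000,
    "staff_hr": 5_000,
}


def p_chain(pass_prob):
    """Serial-chain probability that one attack ends in a large loss of data:
    the product of the per-stage pass probabilities."""
    p = 1.0
    for stage in STAGES:
        p *= pass_prob[stage]
    return p


def breach_loss(records, fine, fixed_cost=5e6, per_record=15.0):
    """Direct loss for one breach: fixed remediation / s166 / consultancy cost,
    per-record notification, credit-monitoring and card-replacement cost, and
    the regulatory fine.  Lost sales and lapses are deliberately excluded, as
    they sit outside Own Funds or under Insurance Risk."""
    return fixed_cost + per_record * records + fine


def poisson(rng, lam):
    """Knuth's method; adequate for the small annual rates used here."""
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_losses(years, seed=1, attacks_per_year=100,
                           pass_prob=ASSUMED_PASS, systems=ASSUMED_SYSTEMS,
                           turnover_gbp=1.5e9, p_admin_compromise=0.3):
    """Monte Carlo of total loss per year.  Attacks arrive at the observed
    low-level rate; each becomes a major breach with probability p_chain."""
    rng = random.Random(seed)
    breach_rate = attacks_per_year * p_chain(pass_prob)
    # GDPR upper tier: higher of 4% of turnover or EUR 20m (treated as GBP here).
    max_fine = max(0.04 * turnover_gbp, 20e6)
    names = list(systems)
    annual = []
    for _ in range(years):
        total = 0.0
        for _ in range(poisson(rng, breach_rate)):
            if rng.random() < p_admin_compromise:   # admin rights: every system hit
                records = sum(systems.values())
            else:                                   # otherwise one system at random
                records = systems[rng.choice(names)]
            # Most fines fall well below the cap: triangular with mode at 20% of max.
            fine = rng.triangular(0.0, max_fine, 0.2 * max_fine)
            total += breach_loss(records, fine)
        annual.append(total)
    return annual


def var_99_5(losses):
    """1-in-200-year loss (the Solvency II calibration point)."""
    ordered = sorted(losses)
    return ordered[min(len(ordered) - 1, int(0.995 * len(ordered)))]


if __name__ == "__main__":
    losses = simulate_annual_losses(years=20_000)
    print(f"P(major breach | attack) = {p_chain(ASSUMED_PASS):.5f}")
    print(f"mean annual loss  = £{sum(losses) / len(losses):,.0f}")
    print(f"99.5% annual loss = £{var_99_5(losses):,.0f}")
```

The serial chain assumes the stage outcomes are independent; a fuller Bayesian Network would add shared causes (poor patching, for instance, raises both the scanning and the escalation pass rates) so that the tail is fatter than the product suggests. The admin-compromise branch is what drives the 99.5% figure, which is the point of slide 20's "multiple systems" question: the capital number is far more sensitive to that one probability than to the per-record cost.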

SLIDE 23

  • Information Security and Cyber Crime Risks give rise to many diverse sources of loss
  • The frequency and sophistication of cyber attacks is increasing
  • Regulators are raising the bar with GDPR etc.
  • The cost of breaches is increasing, both in terms of the impact of attacks or other incidents and the risk of regulatory fines
  • The economic capital requirements of these risks could be significant

SLIDE 24

For our Briefing Note on GDPR, as well as our Guide to Strategy and Risk in UK Life Insurance, visit: http://www.crystalriskconsulting.co.uk/