Insurance companies and their Cyber Insecurity

Posted on : 26-02-2016 | By : kerry.housley | In : Cyber Security, Finance


In October 2015 all UK insurers were asked to provide details of their cyber resilience to the Prudential Regulation Authority. The Bank of England has been concerned about UK financial institutions’ cyber resilience for some time now and has extended that concern to the insurance sector. The regulator is keen to understand the current policies and capabilities of the insurers and the steps they are taking to protect their information. Should they be found to have inadequate measures in place, strong action will be taken against them.

Information security is also a key focus for the FCA (Financial Conduct Authority). They are particularly worried about insurance companies due to the nature of their business, which involves large volumes of personal data. The biggest fines for data breaches so far imposed by the FCA have been on insurance businesses, highlighting the reason for the regulator’s intense concern.

Insurance information is particularly attractive to hackers because of the number of highly personal individual details they hold. The Anthem healthcare insurer was breached last year and it is reported to have lost the personal information records of 80 million customers and employers.

Health care breaches in particular are on the rise as there is a lucrative resale market for these types of records. While credit card details typically trade at $10, insurance data typically trades at $100. The US government is so concerned about US insurance companies’ lack of preparedness that the National Association of Insurance Commissioners has set up a Cyber Security Taskforce to tackle the issue.

European policymakers are yet to agree the final provisions of the new General Data Protection Regulation. However, the new Regulation means that data privacy issues should now be a key concern for all insurers and they should be prepared to review and amend their data protection programmes. In general, regulation is likely to become increasingly formalised and more rigorous in its application.

The rise of big data presents opportunities to offer more creative, competitive pricing and, importantly, to predict customers’ behaviour. This is great news for insurers but a concern for the Information Commissioner’s Office (ICO). The ICO monitors how firms respond to subject access requests and how they handle complaints, and firms will be invited to undergo an audit if the ICO has concerns. Compared with other EU Member States, such as France and Italy, the UK carries out relatively few audits.

However, this too is changing. The FCA has announced that it is conducting a market study into how insurance firms use big data. Big data raises the possibility that an individual’s circumstances may not be factored into an insurance risk assessment. As part of its market study, the FCA may examine whether such an approach is contrary to Principle 6 of its Principles for Businesses, which requires that firms treat their customers fairly. Depending on the outcome of the review, the FCA may introduce specific consumer protection measures for the use of big data in underwriting.

Compliance measures will need to be reviewed and a risk assessment undertaken in order to implement appropriate security measures. These measures need to be documented and made available to regulators on request.

An insurance professional was recently reported as saying that most companies in the global market are not compliant with international standards. Many firms have no incident response plans in place to let their customers know that a breach has occurred. They are simply ill prepared for a data breach incident that is inevitable. A survey by technology company Xchanging in November 2015 reported that only one third of insurers in the London market believed that they could withstand a major cyber attack. As in all areas of business, customers will be increasingly concerned about the cyber security of a company offering services. Failure to demonstrate good cyber security will mean failure to win new customers.

2016 looks like being the year in which the insurance industry will be forced to take cyber security more seriously and make it a top priority for the board.

NEW Broadgate Product Launch: “Assurity”

Posted on : 30-06-2015 | By : john.vincent | In : Cyber Security, Innovation


Since forming Broadgate in 2008 we’ve helped a number of our clients address the challenges posed by the increased internal and external security threat to their organisation and data. Our projects have included deployment of malware threat platforms, Data Loss Prevention implementations, Cyber Intelligence and Identity and Access Management solutions.

Our experience during this time was that there is a need for a more business-focused approach, so we developed our own assessment methodology, which we have now officially launched as a product called ASSURITY. The product addresses three key challenges facing us today:

1) Understanding your business critical assets

2) Calculating your risk exposure

3) Prioritising areas requiring focus and investment

The product is differentiated in the market through not only the comprehensive inputs and modelling, but also by providing quantitative analysis in the form of a Cyber Value at Risk.


ASSURITY is a three step process, as outlined below:

Assurity assessment methodology

Step 01

We profile the organisation from many different data points. This is a critical part of the process as it allows for a more meaningful assessment of the actual risk. C-level executives can use the product to inform their change programme and investment decisions. It is an iterative approach during which the relative weightings for each criterion are reviewed and discussed with the client to understand carefully the business risk appetite.

Step 02

The assessment is conducted by ingesting a number of different sources from documented artefacts, processes, data and technology into the Assurity product. From this we can assess the current maturity level, a quantified risk level, the potential impact to an organisation of a data breach or security event and also the likelihood of it occurring.

Step 03

The results of the assessment are presented in a form which clearly shows the focus areas for investment or change, and where the organisation is already protected at the appropriate level. We map the results to the GCHQ 10 Steps for security and translate them into language which allows C-level executives to make informed decisions.

What are the benefits of ASSURITY?

1) Information security assurance – Demonstrating to your clients, suppliers, regulators, shareholders and insurers

2) Optimising security budgets – Avoiding unnecessary investments typically results in a 30% reduction in redundant operational security expenditure, support and maintenance

3) Qualified cyber value at risk – Financial value of corporate assets at risk is defined for input into broader business risk modelling

4) Improved compliance – Security health check defines current information security level

In the ASSURITY report, we focus on four main areas:

Cyber At Risk Score

The Cyber At Risk Score takes a number of internal and external feeds to create a value from which organisations can have a more informed discussion regarding the likelihood of a security breach. We use this across the product to help quantify the impacts against the profile of the organisation.

Gap Analysis against Target Maturity

During the profiling stage we determine the appropriate maturity benchmark for the organisation. This can be based on the internal risk appetite, industry average or other determining factors, and is used to identify shortfalls and strengths and to focus attention and investment.

Maturity Assessment Heatmap

Here we plot the scores from 10 assessment areas against the likelihood and impact of an event. Importantly, we also assign a quantified value at risk which we have determined through the profiling exercise and the current maturity level. This allows C-level executives to target and prioritise the investment areas.

Strategic Roadmap

The output from the ASSURITY product also forms the basis for the required change programme. We split the initiatives into Quick Wins which have the most immediate impact or target the most vulnerable areas. We also provide the long term remediation plan and ongoing continuous improvement projects to meet the required target baseline.


The ASSURITY product differs from other methodologies by being the most complete and accurate assessment that organisations can undertake to really understand their security risk exposure.

If you would like to find out more about the product and to arrange a demo, please contact jo.rose@broadgateconsultants.com or call 0203 326 8000 to speak to one of our security consultants.


Cyber security: The threat from within

Posted on : 30-04-2015 | By : Jack.Rawden | In : Cyber Security


Cyber security, as ever, has been a widely discussed topic in Broadgate over the past few weeks. Numerous cyber-attacks have made the news, from the TV5Monde hack to the recent article in the Financial Times stating that cyber criminals are some of the fastest innovators currently in technology.

However, with the focus of attention being outside, the question is: is there an enemy within? Organisations have spent big money and devoted a lot of resource to protecting themselves against external threats, and have built strong defences with firewalls, anti-virus software, mail filters and numerous other filters used extensively to protect themselves. But have they left themselves vulnerable from the inside?

  • What if an employee’s password has been hacked and an intruder is stealing information?
  • What if an employee was accessing sensitive information that they shouldn’t?
  • Are you able to track malware that has already made it past the external defences?

Once a person is past the external defences, the level of access they might get and the potential for misuse is often worrying. Organisations can find it difficult to identify such inside threats, or by the time they have recognised them it may be too late and the leak has already happened. This is made ever more difficult to monitor by the increasing complexity of an organisation’s network. The amount of data stored and the number and type of devices connecting to it make it harder than ever to monitor usage.

Evidence of this can be found in the 2014 Information Security Breaches Survey conducted by PWC. Almost 60% of organisations have encountered staff-related security breaches, with 20% caused by deliberate misuse of computer systems.

  • 55% of large businesses were attacked by an unauthorised outsider in the last year
  • 73% of large organisations suffered from infection by viruses or malicious software in the past year
  • 58% of large organisations suffered staff-related security breaches
  • 31% of the worst security breaches in the year were caused by inadvertent human error
  • 20% of the worst security breaches were caused by deliberate misuse of computer systems

More significant, and what can’t be tracked, is the damage that may occur to an organisation if a leak does occur. Reputational damage for private organisations could be the most damaging, especially if the breach is widely publicised in the press. With this could come a monetary loss through loss of clients or potential fines from regulators: the Information Commissioner’s Office has the power to fine organisations up to £500,000 for the misuse of personal data on UK citizens.

With this threat looming over organisations, what can be done to protect themselves? Solutions present themselves as policy, procedure and innovative technologies that can monitor and identify such misuse. Here are a few pointers:

Effective IT usage policy – Simpler, shorter implementations

  • Establish a person responsible for security
  • Classify data into confidential, internal and public data
  • Limit and track access to important documents/files; this should be a deterrent to anyone trying to steal data from inside the network
  • Limit the use of external storage devices such as USB sticks and limit access to file sharing sites, including webmail
  • Identify the data “crown jewels”: the data that, if it were to leak, would cause the biggest financial/reputational damage. Ensure these types of files are encrypted, with limited access
  • Customised role-based training of staff

Monitoring – Medium/long term implementation

  • Use specialist security software to track files and malware entering/leaving the network. Tools such as FireEye or Darktrace can use advanced tracking functionality to spot unusual behaviour on a network. Tools like this have the ability to track unusual network behaviour as well as unusual user behaviour.
  • Consider tools such as Dtex deployed on an individual’s PC to monitor behaviour: capturing changes in user patterns (e.g. an employee getting ready to leave the organisation), high-risk patterns of behaviour, or finding what information was lost on a laptop left on a train.
  • Other monitoring solutions such as Digital Shadows track data that has left the internal boundary to calculate the amount of exposure you have outside the organisation, even tracking data on social media and the “dark web”.
  • Controlled environment: a four-eyes check of files leaving the network to ensure sensitive files are not being sent externally

These types of attack are difficult to stop completely as they revolve around the people using the systems.

However, with better controls and methods to identify unusual activity and misuse, the objective is that potential losses are captured and remediated as quickly as possible.

————————-

Sources

http://journalofaccountancy.com/issues/2014/sep/improve-data-security-201410183.html

Cyber Security in the Board Room

Posted on : 26-02-2015 | By : kerry.housley | In : Cyber Security


Most of us are familiar by now with the Sony Entertainment hack which happened at the end of last year and which had disastrous consequences for the film company. There have been many high profile breaches, but this is probably the most notorious hack to date.

The Sony cyber attack resulted in embarrassing emails and personal details of movie stars being published over the internet, contract and salary details being released, and the hackers managing to steal five entire movies! Whilst investigations were underway and the network was disabled, Sony employees were left with just pen and paper and a fax machine to carry out their daily business. It has been impossible for business to ignore such high profile attacks, which have helped to push cyber security onto most boardroom agendas.

The Thomson Reuters Corporate Governance Survey for 2014 reveals that, although cyber security is now on the board agenda, with 88% of boards including a Cyber Risk category in their Strategic Risk Register:

  • Only 29% viewed cyber threat as a “Top Risk”.
  • Two thirds (67%) of corporate boards are very concerned about cyber risk, but only 44% claimed they actually make decisions on the topic.

The question is whether the board sees cyber security as an integral part of its business risk strategy, or rather as a tick-box exercise that needs to be undertaken in order to satisfy compliance and regulatory departments. It still does not appear to be the case that company executives understand the paralysing nature of cyber crime and the ultimate effect it could have on their company’s profits and reputation.

An important part of any cyber defence approach is education, and this must start with senior management. The Thomson Reuters Board Governance Survey found that board members had a poor understanding of the importance of the intellectual property and company data that they regularly carried around with them in person and on personal mobile devices. A large volume of information was on paper, which was rarely officially destroyed after it was no longer required and was sometimes left on the train! All company employees need to be trained in cyber security, with the board being no exception.

  • The FTSE350 Cyber Governance Report found that 75% of board members had no cyber security training.

One way of improving this education is through the Chief Technology Officers and Chief Information Officers, as the main communicators between IT and the business. A key part of their role is to talk to the company leadership in a way which translates from the IT detail to a business level: less technological jargon and more about the people and the processes around which the IT framework sits.

The Government is keen to address this language issue and challenge the common perception that cyber security is an IT problem. In 2013 it launched its 10 Steps Guide to Cyber Security, which is a simple framework of 10 questions around information security presented in a more business-friendly format. A summary of this document, “10 Steps: A Board Level Responsibility”, has been published with board members in mind. The idea behind the 10 Steps is to encourage organisations to adopt a comprehensive risk management approach from the top.

The BIS 2014 Information Security Breaches Survey found that:

  • 81% of large organisations had suffered a breach, at an average cost of £600k – £1.5M
  • 60% of small businesses had suffered a breach, at an average cost of £65k – £115k

A cyber attack like the one experienced by Sony may sound like the stuff of Hollywood movies, but the threat is very real, and it is a threat that ultimately will affect the company’s profits. A threat to company profits is a threat that no board member can afford to ignore.

If you would like any more information on Information Security and ways in which Broadgate can help your organisation please contact:

Kerry Housley
+44(0)203 328 8006