“Cyber Risk” – Implications for the insurance industry
PIAM General Insurance Knowledge Seminar “CyberRisk”
Aloft, Kuala Lumpur
24 July 2019
Lee Han Ther MBA, CISA, CISM, CRISC, CISSP, PMP, DRCS, TTT
Director, Emerging Tech Risk and Cyber (ETRC)
Document Classification: KPMG Confidential
© 2018 KPMG Management & Risk Consulting Sdn. Bhd., a company incorporated under Malaysian Law and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
A True Story
Initial Attack
• Ransomware on servers and virtual machines.
• Later identified only as a decoy.
Internal security crisis
CFO raised high severity incident to CIO.
On-site
Third party finally onsite after 1 week.
Containment
End point detection and response tools deployed. Took time to complete.
Lack of internal capabilities
• Internal team not prepared. Speaking to all technology vendors.
• Desperately requesting IR assistance.
Detection
Identified that the whole Active Directory had been compromised via a “golden ticket attack”.
Resolution & Lesson learnt
• Finally resolved after 2 months.
• Very painful experience.
• Focus on ability to detect and respond.
Data leaked on Internet
Confidential M&A reports appearing on Pastebin. Notified via third party.
Global Risk Landscape 2019
Source: “World Economic Forum (WEF) Global Risk Report 2019”
Cost of Data Breach
Source: “2018 Cost of Data Breach Study from the Ponemon Institute”
World’s Biggest Data Breaches
Cyber Risk
Financial Impact
Legal Impact
Reputational Impact
Operational Impact
Health & Safety
Cyber Risks
Personal Risk
When the worst happens
In The Headlines South East Asia
Source: TheStar, 13 November 2018
Threat Actors
Nation state
Hacktivist
Malicious insider / third party
Cyber Criminals
Corporate espionage
Nation State
Cyber Criminals
Hacktivist
Cyber Risk Framework WEF
Source: “World Economic Forum (WEF) Advancing Cyber Resilience
Denial
Cyber security isn’t an issue for us… It’s all hype anyway
Worry
I am worried… but not sure what to do
False confidence
I have robust policies/defences…
And… a strong compliance function
Here?
Hard lessons
I don’t understand how we were breached…
There is no absolute security, we need to manage risk
Here?
On the journey…
Security capability
A true leader
We need a more agile approach to match the threat
We can’t do this alone – we are part of the community
Or Here!
Thank You
Han Ther, Lee
Director of ETRC, Emerging Tech Risk & Cyber
03 - 7721 7752