guardtime & cyber liability - marsh bkk 06.09.13

© 2011. Copyright GuardTime. All Rights Reserved. Data Authentication and Cyber Liability in a Networked World Chris Venvell, Business Development Director – Insurance, Guardtime

Upload: chris-venvell

Post on 24-Jan-2017


Page 1: Guardtime & Cyber Liability - Marsh BKK 06.09.13


© 2011. Copyright GuardTime. All Rights Reserved.

Data Authentication and Cyber Liability in a Networked World

Chris Venvell, Business Development Director – Insurance, Guardtime

Page 2: Guardtime & Cyber Liability - Marsh BKK 06.09.13


Enhanced Trust and Data Integrity For Insurance

Businesses Rely on Trustworthy Information

• Insurance industry data is arguably its greatest asset.
• Insurance data by nature can reside in multiple locations.
• How can insurance players know data is authentic and intact?
• Regulatory policy and industry standards dictate the process.
• Data can be called upon for evidence many years from now.
• Content received must have come from the entity that sent it.
• Data must withstand organizational and operational changes.

Insurance is a social business

• Insurance is the industry of risk
• It protects people and companies
• Data privacy, transparency and integrity are key
• Regulators are there to firstly protect the policyholder

Page 3: Guardtime & Cyber Liability - Marsh BKK 06.09.13


Protecting Your Intellectual Property

Your IP is your most important asset - once it's gone you can’t get it back

Companies are facing a constantly changing landscape (with regards to addressing cybersecurity issues), which includes: executive orders and legislation; evolving regulatory requirements; increases in penalties and fines; and, liability from class action lawsuits (USA but now globally)

In order to minimize risk, it’s important to keep abreast of changing requirements as they are being proposed so that you have the opportunity to affect the process

Companies are engaging internal IP lawyers, for example.

Page 4: Guardtime & Cyber Liability - Marsh BKK 06.09.13


Setting the Scene

Because cyber attacks resulting in data breaches are often targeted at high-profile companies and data networks, the need for cyber liability insurance protection, and for the subsequent warranties and prevention programs, increases. The effect on assets and the bottom line can be severe.

Page 5: Guardtime & Cyber Liability - Marsh BKK 06.09.13


Recent Surveys on Cyber Liability

• CEOs had Cyber Risk and E&O Risk at the top
• Brokers did not have cyber risk at the top
• 80% of those surveyed said they were not keeping pace
• 75% said legal compliance was driving adoption
• 69% were more concerned about reputational risk than financial risk
• 82% believe hackers are the primary cause, but 71% also believe human error is a major factor

Page 6: Guardtime & Cyber Liability - Marsh BKK 06.09.13


Lloyd’s of London – Cyber Liability

Lloyd’s of London, AIG and large brokers lead the drive for new insurance products in cyber for Europe and the USA, soon to spread to the rest of the world. To get insurance cover for data breaches, companies will have to prove that overall security and operational risk management have been improved.

Page 7: Guardtime & Cyber Liability - Marsh BKK 06.09.13


Problem: How to Validate Electronic Data?

Inside the organization: validation based on procedure and trusted insiders

• Most data needs to be taken at face value
• Phishing, malware, electronic fraud
• With the emergence of cloud computing, outsiders become insiders as the perimeter is gone, and as data leaves the perimeter the proof stays behind.

Outside the organization: minimal validation

• Explosion in cyber-espionage and enterprise data tampering
• Cyber attackers increasingly good at hiding their tracks
• Over 70% of fraud is conducted by insiders
• Management, regulators, auditors, courts have no transparency

Over USD 60 Billion in 2011 in cyber security equipment, software and services

Over USD 100 Billion in 2011 in shifting physical paper around the world

Page 8: Guardtime & Cyber Liability - Marsh BKK 06.09.13


Seismic Blue Shift in Risk

Risk management is about managing or minimizing the exposures to loss. Developing and incorporating policies and procedures is as important in the Cyber Liability arena as it is in the property and casualty arena!

“As operational and security risk change, a broader gap between the protection of risk and the reality of risk is being created.”

Page 9: Guardtime & Cyber Liability - Marsh BKK 06.09.13


Organised Hacking

• 100+ countries with dedicated cyber attack capabilities
• Main source of revenue for Eastern Bloc gangs
• Russian and Sicilian mafias actively recruiting “hacking” experts

Page 10: Guardtime & Cyber Liability - Marsh BKK 06.09.13


Catastrophe Data


The need for catastrophe modeling of risk is increasing due to rising catastrophes, climate changes and higher penetration of insured people in urban areas. As this data is used for solvency and pricing purposes it is essential to make sure this data is not tampered with or altered from the original sources of data.

Page 11: Guardtime & Cyber Liability - Marsh BKK 06.09.13


The Last Mile Problem In The Cloud

“Why should I trust you with my data?”

• Cyber criminals will erase their digital tracks
• Admins can cover up accidents and misbehavior
• Applications can be changed or compromised
• Data is inherently at risk as it is stored and shared

Page 12: Guardtime & Cyber Liability - Marsh BKK 06.09.13


Cyber Liability Risks

CYBER CRIME

Data Theft

Extortion

Network Damage

Electronic Theft

Denial of Service

Page 13: Guardtime & Cyber Liability - Marsh BKK 06.09.13


Impact of Cyber Risk

Operations

Litigation and Regulatory Exposures

Financial

Brand Equity

Assets

Your Company

• Reputational Risk
• Breaches by cloud providers
• Breaches in off site storage
• Aggregation of exposure of all cloud risks correlated together
• Breaches of an individual customer
• Cyber crime breaches of digital assets
• Business interruption and loss of revenue
• Supply chain and industrial clusters.

Page 14: Guardtime & Cyber Liability - Marsh BKK 06.09.13


Potential Cyber Crime Scenario

During his lunch break, an employee opens an “Important Security Update” supposedly from your IT department.

The email contains malicious code designed to discreetly take control of the employee’s desktop.

A remote attacker leverages the desktop to launch subsequent attacks on your backend network.

The attacker gains access to systems with increasing levels of security – eventually compromising a customer database.

Your CEO then receives an email containing the names, addresses and social security numbers of 5,000 of your customers.

The hacker will publish the email on an Internet bulletin board unless he is paid $250,000.

Page 15: Guardtime & Cyber Liability - Marsh BKK 06.09.13


Won’t My Insurance Cover That Cyber Liability?

The Short Answer is “NO”.

Property and Crime Policies generally:

• Respond only to loss of or damage to tangible property;
• Exclude indirect or consequential loss

Liability Insurance Policies generally:

• Respond only to loss from defined professional services or defined acts or offenses;
• Exclude loss from violations of privacy

Page 16: Guardtime & Cyber Liability - Marsh BKK 06.09.13


Cyber Insurance Policy Features

Covers liability for monetary damages sustained by a person arising from the actual or potential unauthorized access to that person’s personal information. Includes mental anguish & emotional distress.

• E-Business Income Loss
• Cyber Extortion Expense
• E-Vandalism Expense
• Violation of Privacy Notification Expense
• Covers unauthorized access by employees

Page 17: Guardtime & Cyber Liability - Marsh BKK 06.09.13


Security – Risk Management

• Identify information assets
• Conduct periodic risk assessments to identify the specific vulnerabilities your company faces
• Develop and implement a security program to manage and control the risks identified
• Monitor and test the program to ensure that it is effective
• Continually review and adjust the program in light of ongoing changes
• Oversee third party service provider arrangements
• Maintain training for all staff on Information Security

Page 18: Guardtime & Cyber Liability - Marsh BKK 06.09.13


Why Would a Customer Sue a Company?

An Error or Omission (London market slip or equivalent)

Intellectual Property (copyright/trademarks)

Breach of contract (for professional services i.e. website design)

Failure to render professional services (invasion of privacy, libel/slander)

Breach of security (hackers, virus)

Misrepresentation

Page 19: Guardtime & Cyber Liability - Marsh BKK 06.09.13


Adaption to Cyber Liability

Privacy Policy Breaches and Data Mismanagement

Establish a privacy policy, post it on the homepage of your website, and adhere to the promises your privacy statement makes through day-to-day compliance.

Page 20: Guardtime & Cyber Liability - Marsh BKK 06.09.13


Maintaining Customer Trust

More and more, companies customize products, services, and technology to address individual customers’ needs; so, they collect personal information

Privacy practices should include: assessments of current protection practices, analysis and incorporation of relevant privacy/security laws, employee training, and periodic monitoring

Page 21: Guardtime & Cyber Liability - Marsh BKK 06.09.13


Creation of Standards for Mitigation

There are no absolute industry standards for due care as relates to security right now

Page 22: Guardtime & Cyber Liability - Marsh BKK 06.09.13


Security Breach Incident Response

Insurance Broker Client service offering providing guidance in setting up a risk management plan and process to address data breaches, including:

• Process guidelines
• Content and scope of plan
• Workshops and meetings to assist client team
• Provide Competitive Edge
• Outside resources (legal, forensics, credit protection resources, etc.)

Technology must exist that informs management immediately of a breach; otherwise insurance cover may not be intact, and the long-term effect of tampering is serious in terms of recovery from attack. Also, notification is becoming law.

Page 23: Guardtime & Cyber Liability - Marsh BKK 06.09.13


CYBER LIABILITY INSURANCE CONTENT

Cyber Liability Coverages

World Wide Coverage

Cover: Privacy/Security Regulation. Aggregate sub-limits.
Benefits: Defense costs, civil fines and penalties, regulatory issues.

Cover: Notification/Crisis Management. Aggregate sub-limits.
Benefits: Mailing costs, credit issues, identity theft, computer forensics, outside PR and legal advice, professional call centre, credit card issues.

Cover: Civil Liability
Benefits: Defense costs, class actions and plaintiff issues.

Page 24: Guardtime & Cyber Liability - Marsh BKK 06.09.13


© Copyright Allianz SE, May 2010

FIRST PARTY DATA AND NETWORK RISKS

Cyber Liability Coverages

Monoline, Included or Additional Coverages

Cover: Reputational Harm from Data Breach

Cover: Electronic Information Assets Tampering
Benefits: Corruption, deletion, operational mistakes.

Cover: Direct Non Physical Damage to Network
Benefits: Viruses, terrorism, denial of service and operational mistakes including London Line Slip

Cover: Contingent Business Interruption
Benefits: Counterparty Risk and offshoring extra expense

Cover: Cyber Extortion

Page 25: Guardtime & Cyber Liability - Marsh BKK 06.09.13


Underwriting Process – Submission

• Customer contacts broker for cyber liability coverage.
• Supporting documents – broker sends risk assessment IT security questionnaire to customer. This includes warranty on data integrity.
• Broker passes specifications and coverage requests to panel of insurers.
• Underwriters (and perhaps their IT security consultant) request a security conference call with the IT security officer of the applicant to discuss controls in more detail prior to binding, and this may include a visit for more complex accounts to provide a more comprehensive overview of operations, controls, and coverage requirements.

Technology that provides a “lie detector” for data in the cloud will be the warranty and liability protection for the present and future.

Page 26: Guardtime & Cyber Liability - Marsh BKK 06.09.13


Trust via PKI (Public Key Infrastructure)

PKI has two primary applications:

• Encryption: privacy of information
• Proof: digital signatures, digital timestamps

As a mechanism for delivering proof it has been a complete failure:

• It is expensive, cumbersome, and does not scale
• Still requires trust (someone has to manage the keys)
• Not appropriate in the cloud: keys reside in memory

Key-based solutions are too intrusive for our enterprise clients.

Carlos Domingo, CEO, Telefonica R&D

Page 27: Guardtime & Cyber Liability - Marsh BKK 06.09.13


Converting Trust To Proof

GuardTime maintains a global infrastructure delivering Keyless Signatures which provide proof of time, origin and integrity for all the world’s electronic data, whether on disk, in transit or in the cloud.


By allowing an independent audit of data and activity in a cloud environment GuardTime’s technology will be a key element in accelerating enterprise adoption of cloud computing.

Yvon Le Renard, Head of Strategic Alliances, Alcatel Lucent

Page 28: Guardtime & Cyber Liability - Marsh BKK 06.09.13


Technology: The keyless signature KSI

HASH VALUE

TIME

ORIGIN

Proves:

• The time of signature
• The origin of the signing request
• Not a single bit has changed

Page 29: Guardtime & Cyber Liability - Marsh BKK 06.09.13


Validation relies only on mathematics

Features:

• Simple and lightweight
• Signature never expires
• Can be used repeatedly by multiple parties
• Relies only on mathematics
• No exposure to GuardTime or any third party

Page 30: Guardtime & Cyber Liability - Marsh BKK 06.09.13


Background | What it really means

trust in people vs. mathematical proof

Keyless signatures remove the need to rely on any human being for evaluating the authenticity of electronic documents and data.

Page 31: Guardtime & Cyber Liability - Marsh BKK 06.09.13


Keyless Signature Applications At Glance

1. Cloud Infrastructure
2. Documents & Archiving
3. Messaging & Mobile
4. Cyber Security

Keyless Signature

Page 32: Guardtime & Cyber Liability - Marsh BKK 06.09.13


Technology | Keyless Signature Infrastructure (KSI)

Features:

Core cluster distributed between Europe, North America and Asia

264 requests / second

Fixed core network load

No single point of failure

Ultra high availability (99.999%)

Stateless (nothing to hack)

Certified and EU-accredited service infrastructure

Page 33: Guardtime & Cyber Liability - Marsh BKK 06.09.13


Technology | KSI Partnerships

Guardtime partners operate a client facing part of the Keyless Signature Infrastructure (KSI) with potentially exclusive rights:

by geography

by vertical

by specific clients

China Telecom (China)

Hutchison Telecom (Hong Kong)

Bharti (India)

Trust Technologies (Philippines)

Page 34: Guardtime & Cyber Liability - Marsh BKK 06.09.13


Sample Case Studies

Page 35: Guardtime & Cyber Liability - Marsh BKK 06.09.13


Case Study: Maritime Industry Agency - Philippines

Problem: It is difficult to enable rapid and consistent verification of physical document authenticity in the field and restrain document fraud.

Solution: Guardtime’s QRSealer provides officials an easy, portable and consistent way to compare the physical document with a securely stored image of the same document to spot any tampering or fraud immediately.

IS IT REAL OR FAKE?

Page 36: Guardtime & Cyber Liability - Marsh BKK 06.09.13


How QRSealer Works


Issuing Physical Documents

• Create a digital image of the physical document: scan or select a digital file from the computer

• Upload the digital image of the document to the QRSealer service to secure it

• Print the received QR-code with a label printer and attach it to the physical document

Verifying Physical Documents

• Point the smartphone camera to the QR-code to view the secure digital image of the document

• Compare the secure digital image with the physical document

Secure Cloud Infrastructure


Page 37: Guardtime & Cyber Liability - Marsh BKK 06.09.13


Documents & Archiving | Philippines Land Title Registry

Client: Philippines State

23 million land title documents

18+ million digitized, ongoing…

Summary:

Land Title Registry needed to be able to prove that its digitized and archived electronic Land Title documents are authentic and have not been tampered with since their creation, and the evidence needed to be portable and transparent to all users.

Land Title Registry

Public Services

AsiaService Provider

Page 38: Guardtime & Cyber Liability - Marsh BKK 06.09.13


Documents & Archiving | ACORD Documents

Recipient drops a received document to a webpage to authenticate

Document Verification

Document Verification

ACORD signs documents with simple desktop application

Page 39: Guardtime & Cyber Liability - Marsh BKK 06.09.13


3. Messaging & Mobile | Certified Email

SMTP Verification

Forward received email to a Verification Agent to validate email integrity

AsiaService Provider

Validation report is automatically received by email along with a link to online copy of the certified Email

Page 40: Guardtime & Cyber Liability - Marsh BKK 06.09.13


Messaging & Mobile | Secure “Dropbox”

Page 41: Guardtime & Cyber Liability - Marsh BKK 06.09.13


3. Messaging & Mobile | Certified SMS

SMS GW Verification

Forward received SMS to a Verification Agent to validate SMS integrity

AsiaService Provider

Validation report is automatically received by SMS along with a link to online copy of the certified SMS

Huge Benefits for Microinsurance

Page 42: Guardtime & Cyber Liability - Marsh BKK 06.09.13


Cybersecurity | Event Level Data Integrity

Each record is signed by keyless signature
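The claims on the slides above ("each record is signed", "validation relies only on mathematics") can be illustrated with a simplified hash-tree signing round. This Python sketch is an added example, not Guardtime's code or signature format: the function names, the constructed sample log lines, and the way the round time is hashed into the published value are assumptions, and origin binding is left out.

```python
"""Simplified hash-tree signing round (illustration only, not the KSI format)."""
import hashlib
import hmac


def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def leaf(record: bytes) -> bytes:
    # Distinct prefixes keep a leaf from being confused with an interior node.
    return h(b"\x00", record)


def node(left: bytes, right: bytes) -> bytes:
    return h(b"\x01", left, right)


def published_value(root: bytes, round_time: int) -> bytes:
    # Assumption: the round time is bound to the root by hashing them together.
    return h(b"\x02", round_time.to_bytes(8, "big"), root)


def sign_round(records, round_time):
    """Aggregate one round of records.

    Returns (published, chains); chains[i] is the proof for records[i]:
    a list of (sibling_hash, sibling_is_left) steps from leaf to root.
    """
    if not records:
        raise ValueError("a round needs at least one record")
    level = [leaf(r) for r in records]
    pos = list(range(len(records)))      # index of each record's ancestor
    chains = [[] for _ in records]
    while len(level) > 1:
        for i, p in enumerate(pos):
            sib = p ^ 1
            if sib < len(level):         # an unpaired last node has no sibling
                chains[i].append((level[sib], sib < p))
            pos[i] = p // 2
        nxt = [node(level[j], level[j + 1]) for j in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])        # promote the unpaired node unchanged
        level = nxt
    return published_value(level[0], round_time), chains


def verify(record, chain, round_time, published):
    """Recompute the path from the record; needs only the hash function."""
    cur = leaf(record)
    for sibling, sibling_is_left in chain:
        cur = node(sibling, cur) if sibling_is_left else node(cur, sibling)
    return hmac.compare_digest(published_value(cur, round_time), published)


# Constructed sample records (not from the original slides).
SAMPLE_LOG = [
    b"2013-09-06T10:00:01Z atm=0042 txn=1001 withdraw 200.00",
    b"2013-09-06T10:00:02Z web user=alice txn=1002 transfer 75.50",
    b"2013-09-06T10:00:03Z mobile user=bob txn=1003 payment 12.00",
    b"2013-09-06T10:00:04Z atm=0017 txn=1004 withdraw 60.00",
    b"2013-09-06T10:00:05Z web user=carol txn=1005 transfer 900.00",
]
ROUND_TIME = 1378461605  # constructed round time (epoch seconds)

if __name__ == "__main__":
    published, chains = sign_round(SAMPLE_LOG, ROUND_TIME)
    print("original record verifies:",
          verify(SAMPLE_LOG[2], chains[2], ROUND_TIME, published))
    altered = SAMPLE_LOG[2].replace(b"12.00", b"1200.00")
    print("altered record verifies: ",
          verify(altered, chains[2], ROUND_TIME, published))
```

The verifier needs only the record, its chain, and the published value; no key is involved, so the integrity of the check rests on where the published value is obtained from.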

Page 43: Guardtime & Cyber Liability - Marsh BKK 06.09.13


Cybersecurity | Financial Services Transaction Logs

Summary:

Every ATM transaction, every internet banking transaction, every single mobile payment comes with a keyless signature preventing insider fraud and increasing transparency.

In 2011 SWIFT selected Guardtime as the world’s most innovative startup in banking and finance based on our insider fraud solution.

With Guardtime UBS rogue trader Kweku Adoboli could not have committed his fraud.

Log Archive

Central Log Server

POTENTIAL CHANGES TO POLICY WORDING

Page 44: Guardtime & Cyber Liability - Marsh BKK 06.09.13


Cybersecurity | Connected Car

authorities

Telematics Server

AsiaService Provider

Summary:

Live in production for Tokyo emergency services and under development in China with China Telecom.

Page 45: Guardtime & Cyber Liability - Marsh BKK 06.09.13


X-Ray Outsourcing and Telemedicine

Outsourcing Market

Medical Insurance Fraud

KSI Stamping of X-Ray

Page 46: Guardtime & Cyber Liability - Marsh BKK 06.09.13


About GuardTime

Page 47: Guardtime & Cyber Liability - Marsh BKK 06.09.13


GuardTime: Born in Estonia/Partner in Philippines

• Most wired country on Earth with 98% of transactions conducted online
• Home of Skype and NATO Cybersecurity HQ

Page 48: Guardtime & Cyber Liability - Marsh BKK 06.09.13


Summary Points

Identifying, preventing, mitigating and transferring privacy/security is a major priority, particularly in high compliance industries (such as utilities, finance etc.), any company that accepts a debit or credit card as a form of payment, and publicly traded companies.

Outsourcing and offshoring is a fact of life, but definitely increases data protection risks. A vendor management process is needed which includes due diligence, contract protections, and vendor insurance requirements.

This is a risk of survivability, not invincibility. Develop a team and plan for a data breach incident response, just like your contingency plans for other threats.

Client should consider insurance protection, either in combination with professional liability coverage or as stand-alone coverage. Insurance is not a substitute for best security practices, but deals with the potential severity risk you cannot prevent.

Quality of coverage and management of claims are very important, as well as experience of the underwriter; be a thoughtful buyer.

Page 49: Guardtime & Cyber Liability - Marsh BKK 06.09.13


Data Authentication and Cyber Liability in a Networked World

THANK YOU