What Directors and C-Suite professionals need to know kpmg.ca/insuranceconference2017

Transcription

1 Cyber Attacks What Directors and C-Suite professionals need to know kpmg.ca/insuranceconference2017

2 The threat landscape data breaches CarPhone Warehouse2.4M Michaels 3M Trip Advisor S 1.4M Excellus 10M Adult Friend Finder 400M My Space 360M CareFirst 2.4M Adult Friend Home Depot 109M Target 110M Premera 11M OPM 25M Finder 4M JP Morgan Chase Dropbox 68.6 M Yahoo x2 1.5 B Tumblr 65 M Mexican Voter Database 93.4M 83M Yahoo 22M Anthem 78.8M Alibaba 20M Mossack Fonseca 11M Minecraft 7M Ashley Madison 32M Ebay 145M LinkedIn 167M LastFM 43M Phillipines Election 55M SnapChat4.6M AOL 20M Top data breaches December Reported data breaches of recognized companies involving at least 1M records by size and type Breaches are at an all time high and criminals more than every are targeting personal and health data: for direct sale for extortion for health insurance fraud to bypass financial fraud detection systems 2

3 What risks do Directors and C-Suite face? Risk to the ongoing operation Continuity Day to day Loss of revenues Risk to reputation Possibly most difficult to repair Likely to impact BOTH organization AND individual Risk of Costly Litigation Organizational Director In some cases C-Suite if alleged careless 3

4 Fighting Cyber Perform risk assessments Fraud Risk Management Regulatory positioning services Fight back with technology Forensic technology Cyber security D&A Know your business partners & third parties 3 rd Party Risk Management Corporate intelligence/astrus Be vigilant with internal threats Investigations Forensic D&A Whistleblowing programs/outsourcing 4

5 Top industry threats Reactive extortion-driven attacks Source: Source: Source: 5

6 WAR STORY!!! Run like a vendor Help line Most often provide the key, bad for business otherwise Once hit, likely to reoccur 6

7 Top industry threats Social engineering fraud 7

8 WAR STORY!!! Financial institution in UK 13 ed requests Requests looked legit Inside job Law firm and professional service example 8

9 How do Director s/c-suite protect their organization and themselves? Board Training Board Director with Cyber Risk expertise The SEC Highly Recommends this! Understanding your organizations Cyber stance STAY UPDATED! This should be a standing agenda item C-Suite Training Ensure CIO/CTO positions or equivalent Have a plan!!!! AND regularly review/update it Both Board and C-Suite needs to be part of any Cyber Communication Plan! 9

10 Rise of cyber fatigue It s real and here is what people are saying There is a rising chorus of cyber fatigue permeating boardrooms, as cyber security is becoming understandably tiresome. As IT professionals concede that a breach is no longer a matter if but when, it s a given that some decisions makers are exhausted as they revisit the same decision every year, every quarter, and every month. What s the use?! Still got hacked. Security failures or media saturation of highprofile cases Onslaught of corporate introspection and second-guessing Despite asserting compliance, companies often discover procedural lapses months later. Is there any end in sight? We ve got to do more. We ve got to spend more to do more. Seemingly endless appeal for resources Reactionary enhancements to existing compliance standards Continual admission that the status quo has become insufficient to evolving hacking tactics. 10

11 How do we communicate with the board? KPMG s global cyber maturity framework domains What are the new cyber security threats and risks and how do they affect our organization? Board engagement & oversight Is our organization s cyber security program ready to meet the challenges of today s (and tomorrow s) cyber threat landscape? What key risk indicators should I be reviewing at the executive management and board levels to perform effective risk management in this area? 11

12 Symptoms of cyber fatigue Double-digit, compound annual growth rate (CAGR) in cyber budgets over the last five years Ever-increasing depth and breadth of executive and board briefings on cyber issues Continual net addition of cyber-related technologies with few, if any, being retired 12

13 Five ways to combat cyber fatigue Our approach is industry-agnostic and incorporates a systematic risk based process. Such an emphasis steers attention from the never-ending appeal for resources and redirects it to an objective assessment that reflects a company s business strategies and innovation, risk tolerance, and unique cyber security costs. 1 Make measured investments in cyber based on risk optimization without sacrificing security 2 Regularly measure the effectiveness of your security investments 3 Develop/align the right cyber risk management model 4 Continually update your model to reflect emerging threats 5 Build/promote risk aligned security organization 13

14 Cyber Emergency. Assistance with Containing an incident Investigating an incident / breach Improving cyber resiliency after a breach Obtaining independent advice 14

15 Thank you

16 Contact us Joseph Coltson Partner, National Lead Forensic Technology Clients & Markets T: E: John Heaton Partner Risk Consulting Cyber Security T: E: 16

17 kpmg.ca 2017 KPMG LLP, a Canadian limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ( KPMG International ), a Swiss entity. All rights reserved. The KPMG name and logo are registered trademarks or trademarks of KPMG International. The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.