Cyber Attacks kpmg.ca/insuranceconference2017 What Directors and C-Suite professionals need to know


Page 1

Cyber Attacks

kpmg.ca/insuranceconference2017

What Directors and C-Suite professionals need to know

Page 2

© 2017 KPMG LLP, a Canadian limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. The KPMG name and logo are registered trademarks or trademarks of KPMG International.

The threat landscape – data breaches

Breaches are at an all-time high, and criminals more than ever are targeting personal and health data:

− for direct sale
− for extortion
− for health insurance fraud
− to bypass financial fraud detection systems

Top data breaches December 2013 – 2016 (chart): reported data breaches of recognized companies involving at least 1M records, by size and type, plotted across 2014, 2015 and 2016. Breaches labelled in the chart:

− eBay: 145M
− Michaels: 3M
− Home Depot: 109M
− TripAdvisor: 1.4M
− Carphone Warehouse: 2.4M
− Excellus: 10M
− Ashley Madison: 32M
− AOL: 20M
− Snapchat: 4.6M
− Yahoo (x2): 1.5B
− Adult Friend Finder: 400M
− MySpace: 360M
− LinkedIn: 167M
− Tumblr: 65M
− Dropbox: 68.6M
− Last.fm: 43M
− Mexican Voter Database: 93.4M
− Minecraft: 7M
− Mossack Fonseca: 11M
− Premera: 11M
− Alibaba: 20M
− Philippines Election: 55M
− Target: 110M
− Anthem: 78.8M
− CareFirst: 2.4M
− Adult Friend Finder: 4M
− JP Morgan Chase: 83M
− Yahoo: 22M
− OPM: 25M

Page 3


What risks do Directors and C-Suite face?

Risk to the ongoing operation
− Continuity
− Day to day
− Loss of revenues

Risk to reputation
− Possibly most difficult to repair
− Likely to impact BOTH organization AND individual

Risk of costly litigation
− Organizational
− Director
− In some cases C-Suite, if carelessness is alleged

Page 4


Fighting Cyber

Be vigilant with internal threats
− Investigations
− Forensic D&A
− Whistleblowing programs/outsourcing

Know your business partners & third parties
− 3rd Party Risk Management
− Corporate intelligence/Astrus

Perform risk assessments
− Fraud Risk Management
− Regulatory positioning services

Fight back with technology
− Forensic technology
− Cyber security
− D&A

Page 5


Top industry threats – Reactive extortion-driven attacks

Source: http://sensorstechforum.com/remove-jigsaw-ransomware-and-restore-fun-kkk-btc-encrypted-files/

Source: http://www.zdnet.com/article/the-cost-of-ransomware-attacks-1-billion-this-year/

Page 6


Run like a vendor

Help line

Most often provide the key, bad for business otherwise

Once hit, likely to reoccur

War story!!!

Page 7


Top industry threats – Social engineering fraud

Source: https://www.fbi.gov/news/stories/business-e-mail-compromise/@@images/image

Page 8


War story!!!

Financial institution in UK

13 emailed requests

Requests looked legit

Inside job

Law firm and professional service example

Page 9


How do Directors/C-Suite protect their organization and themselves?

Board
− Training
− Board Director with Cyber Risk expertise − The SEC “Highly Recommends” this!
− Understanding your organization’s Cyber stance
− STAY UPDATED! This should be a standing agenda item

C-Suite
− Training
− Ensure CIO/CTO positions or equivalent
− Have a plan!!!! AND regularly review/update it

Both Board and C-Suite need to be part of any Cyber Communication Plan!

Page 10


Rise of “cyber fatigue”

It’s real and here is what people are saying

There is a rising chorus of “cyber fatigue” permeating boardrooms, as cyber security is becoming understandably tiresome. As IT professionals concede that a breach is no longer a matter of “if” but “when,” it’s a given that some decision makers are exhausted as they revisit the same decision every year, every quarter, and every month.

“What’s the use?! Still got hacked.”
Despite asserting compliance, companies often discover procedural lapses months later.

“We’ve got to do more. We’ve got to spend more to do more.”
Continual admission that the status quo has become insufficient against evolving hacking tactics.

“Is there any end in sight?”
− Onslaught of corporate introspection and second-guessing
− Reactionary enhancements to existing compliance standards
− Seemingly endless appeal for resources
− Security failures or media saturation of high-profile cases

Page 11


How do we communicate with the board?

What are the new cyber security threats and risks, and how do they affect our organization?

Is our organization’s cyber security program ready to meet the challenges of today’s (and tomorrow’s) cyber threat landscape?

What key risk indicators should I be reviewing at the executive management and board levels to perform effective risk management in this area?

KPMG’s global cyber maturity framework domains: Board engagement & oversight

Page 12


Symptoms of cyber fatigue

− Double-digit, compound annual growth rate (CAGR) in cyber budgets over the last five years
− Ever-increasing depth and breadth of executive and board briefings on cyber issues
− Continual net addition of cyber-related technologies – with few, if any, being retired

Page 13


Five ways to combat cyber fatigue

Our approach is industry-agnostic and incorporates a systematic, risk-based process. Such an emphasis steers attention away from the never-ending appeal for resources and redirects it to an objective assessment that reflects a company’s business strategies and innovation, risk tolerance, and unique cyber security costs.

1. Make measured investments in cyber based on risk – optimization without sacrificing security
2. Regularly measure the effectiveness of your security investments
3. Develop/align the right cyber risk management model
4. Continually update your model to reflect emerging threats
5. Build/promote a risk-aligned security organization

Page 14


Cyber Emergency….

Assistance with
− Containing an incident
− Investigating an incident / breach
− Improving cyber resiliency after a breach
− Obtaining independent advice

Page 15

Thank you

Page 16


Contact us

Joseph Coltson
Partner, National Lead, Forensic Technology Clients & Markets
T: 416-777-8786
E: [email protected]

John Heaton
Partner, Risk Consulting – Cyber Security
T: 416-476-2758
E: [email protected]

Page 17

kpmg.ca


The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.