
“Cyber Risk” – Implications for the insurance industry

PIAM General Insurance Knowledge Seminar “CyberRisk”

Aloft, Kuala Lumpur, 24 July 2019

Lee Han Ther MBA, CISA, CISM, CRISC, CISSP, PMP, DRCS, TTT

Director, Emerging Tech Risk and Cyber (ETRC)


Document Classification: KPMG Confidential

© 2018 KPMG Management & Risk Consulting Sdn. Bhd., a company incorporated under Malaysian Law and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

A True Story

1. Initial attack

• Ransomware on servers and virtual machines.

• Later identified only as a decoy.

2. Data leaked on Internet

• Confidential M&A reports appearing on Pastebin. Notified via third party.

3. Internal security crisis

• CFO raised high-severity incident to CIO.

4. Lack of internal capabilities

• Internal team not prepared. Speaking to all technology vendors.

• Desperately requesting IR assistance.

5. On-site

• Third party finally on-site after 1 week.

6. Detection

• Identified that the whole Active Directory had been compromised, via a “golden ticket” attack (a Kerberos TGT forged with the krbtgt account’s key, so it is accepted by every domain controller without ever being issued by one).

7. Containment

• Endpoint detection and response tools deployed. Took time to complete.

8. Resolution & lesson learnt

• Finally resolved after 2 months.

• Very painful experience.

• Focus on ability to detect and respond.
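The lesson of the story above is the ability to detect. The following is an added example, not part of the original deck and not KPMG code, of the kind of detection logic a SOC can run over the Kerberos audit events that every domain controller already produces: a golden ticket is never issued by the KDC, so the account shows service-ticket requests (event 4769) with no TGT request (4768) or renewal (4770) beforehand; as a second signal, tickets still using RC4 in a domain whose accounts use AES are suspicious. The sample events, the 10-hour TGT lifetime and the AES/RC4 encryption-type codes are assumptions made for the example (the lifetime is the Windows default policy; the codes are the standard Kerberos values).

```python
"""Golden-ticket heuristic over Windows Kerberos audit events 4768/4769/4770.

Added example; not the deck's or KPMG's code. A forged TGT never passes
through the KDC's AS exchange, so the forged account requests service
tickets (4769) without a matching TGT issued (4768) or renewed (4770).
"""
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Keys mirror the Windows security
# log fields EventID, TimeCreated, TargetUserName, IpAddress, TicketEncryptionType.
SAMPLE_EVENTS = [
    {"id": 4768, "time": "2019-06-01T08:00:00", "user": "alice", "ip": "10.0.0.5", "etype": 0x12},
    {"id": 4769, "time": "2019-06-01T08:00:05", "user": "alice", "ip": "10.0.0.5", "etype": 0x12},
    {"id": 4769, "time": "2019-06-01T08:03:00", "user": "alice", "ip": "10.0.0.5", "etype": 0x12},
    # svc_backup asks for service tickets, but no DC ever issued it a TGT,
    # and the ticket uses RC4 although the domain accounts use AES.
    {"id": 4769, "time": "2019-06-01T09:10:00", "user": "svc_backup", "ip": "10.0.0.99", "etype": 0x17},
    {"id": 4769, "time": "2019-06-01T09:10:30", "user": "svc_backup", "ip": "10.0.0.99", "etype": 0x17},
    # bob's only TGT is 25 hours old and was never renewed (no 4770): a
    # legitimate TGT would have expired under a 10-hour lifetime policy.
    {"id": 4768, "time": "2019-05-31T09:00:00", "user": "bob", "ip": "10.0.0.7", "etype": 0x12},
    {"id": 4769, "time": "2019-06-01T10:00:00", "user": "bob", "ip": "10.0.0.7", "etype": 0x12},
]

TGT_MAX_LIFETIME = timedelta(hours=10)  # assumed domain policy (Windows default)
AES256 = 0x12   # Kerberos etype aes256-cts-hmac-sha1-96
RC4_HMAC = 0x17  # Kerberos etype rc4-hmac


def _parse(ev):
    return {**ev, "time": datetime.fromisoformat(ev["time"])}


def detect_golden_ticket(events, window=TGT_MAX_LIFETIME, domain_etype=AES256):
    """Return de-duplicated (user, ip, reason) findings, oldest first."""
    findings, seen = [], set()
    last_tgt = {}  # (user, ip) -> time the KDC last issued or renewed a TGT

    def add(user, ip, reason):
        if (user, ip, reason) not in seen:
            seen.add((user, ip, reason))
            findings.append((user, ip, reason))

    for ev in sorted(map(_parse, events), key=lambda e: e["time"]):
        key = (ev["user"], ev["ip"])
        if ev["id"] in (4768, 4770):   # AS-REQ granted, or TGT renewed
            last_tgt[key] = ev["time"]
            continue
        if ev["id"] != 4769:           # only TGS requests are scored
            continue
        issued = last_tgt.get(key)
        if issued is None or ev["time"] - issued > window:
            add(*key, "TGS request without a KDC-issued TGT in the lifetime window")
        if ev["etype"] == RC4_HMAC and domain_etype != RC4_HMAC:
            add(*key, "RC4 service ticket in a domain that uses AES")
    return findings


def suspicious_users(events):
    """Accounts with at least one finding, sorted for stable reporting."""
    return sorted({user for user, _, _ in detect_golden_ticket(events)})


if __name__ == "__main__":
    for user, ip, reason in detect_golden_ticket(SAMPLE_EVENTS):
        print(f"{user:<12} {ip:<12} {reason}")
```

Two caveats for running this on real data: the 4768 and 4769 events for one logon can land on different domain controllers, so the events must be aggregated from every DC before correlation, and an account whose TGT is legitimately renewed will show a 4770 that the code treats as a fresh issue. Detection alone does not end the incident: because the forged tickets are signed with the krbtgt key, remediation requires resetting the krbtgt password twice (the second reset invalidates tickets signed with the previous key that the KDC still honours), which is one reason the story above took months rather than days to resolve.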


Global Risk Landscape 2019

Source: “World Economic Forum (WEF) Global Risk Report 2019”


Cost of Data Breach

Source: “2018 Cost of Data Breach Study from the Ponemon Institute”


World’s Biggest Data Breaches


Cyber Risks

• Financial impact

• Legal impact

• Reputational impact

• Operational impact

• Health & safety


Personal Risk


When the worst happens


In the Headlines: South East Asia

Source: The Star, 13 November 2018


Threat Actors

• Nation state

• Hacktivist

• Malicious insider / third party

• Cyber criminals

• Corporate espionage


Nation State


Cyber Criminals


Hacktivist


Cyber Risk Framework (WEF)

Source: “World Economic Forum (WEF) Advancing Cyber Resilience”


On the journey… (stages ordered by increasing security capability)

Denial

“Cyber security isn’t an issue for us… It’s all hype anyway.”

Worry

“I am worried… but not sure what to do.”

False confidence

“I have robust policies/defences… and… a strong compliance function.”

Here?

Hard lessons

“I don’t understand how we were breached…”

“There is no absolute security, we need to manage risk.”

Here?

A true leader

“We need a more agile approach to match the threat.”

“We can’t do this alone – we are part of the community.”

Or here!


Thank You

Lee Han Ther

Director of ETRC, Emerging Tech Risk & Cyber

[email protected]

03 - 7721 7752