Although Sony seemed to dominate the cyber-security headlines of 2014, it was just one of many corporations infiltrated by an increasingly sophisticated and driven pool of hackers. J.P. Morgan Chase, Home Depot, and Target also top the list of businesses struggling with data breaches. The most recent major cyberattack against Anthem Healthcare shook the insurance industry. In a rare show of honesty, the insurer began alerting customers and the media to the potential of a data break just eight days after it first noted suspicious activity on Jan. 27, 2015.  Immediately upon discovering it had been attacked, Anthem jumped to address the security vulnerability, contacted the FBI, and hired leading cyber-security firm Mandiant to evaluate its systems, said president and CEO Joseph Swedish in a statement. Noting the importance of protecting financial institutions, New York's Department of Financial Services responded to the Anthem breach by announcing its intent to integrate regular assessments of cyber-security preparedness at insurance companies as part of its examination process. It will also enforce "enhanced regulations" on insurers based in New York. "Recent cyber security breaches should serve as a stern wake up call for insurers and other financial institutions to strengthen their cyber defenses," said Benjamin M. Lawsky, New York State's superintendent of financial services, in a statement. He continued, "Regulators and private sector companies must both redouble their efforts and move aggressively to help safeguard this consumer data.“ Most people might expect that larger insurers, given the sensitive customer information they handle, would boast robust cyber-security programs. This is not necessarily true. As part of its investigation, the Department found that 95% of insurers already think they have sufficient staff for information security, and just 14% of CEOs receive monthly briefings on data security. Anthem, the nation's second-largest health insurer, had not even encrypted its database containing nonmedical data. It claims that the HIPAA did not require it to do so. While experts believe that Anthem was exclusively targeted in its attack, there is no doubt that all financial institutions are at risk. Here are eight things to know as the industry enters a year of increasingly heightened cyber-vulnerability.

1. 1
Information Protection &
Business Resilience
Nathan Desfontaines
September 2015
Cyber Security –
Things you need to know

2. Recognising the need for better cyber-security in the insurance sector, the National Association of Insurance Commissioners (NAIC) recently
published “ Principles for Effective Cybersecurity: Insurance Regulators Guidance.” The NAIC document provides best practices for insurance
regulators and companies, focusing on the protection of the sector’s infrastructure and data from cyber-attacks.
1. An increase in cybersecurity regulations;
2. A focus on consumer privacy;
3. An increase in cybersecurity spending;
4. The growing importance of cybersecurity information - sharing and analysis groups;
5. The Board’s and management’s involvement in cybersecurity;
6. The increased need to manage third - party risks;
7. The link between cybersecurity and risk management.
AGENDA

3. IT DOESN’T
MATTER WHO
DID IT

4. It doesn’t matter who did it
• In the event of a cyber-attack, your first response might be to
hunt down the perpetrator.
• While this might provide closure, pinning down the source of
the breach will do little to protect the business from future
hacks.
• Further, the process of finding the responsible party will cost
a lot of time and effort that could be better spent on boosting
security.
• Instead of wasting resources on searching for the cyber-
criminal, focus on identifying the vulnerability that led to the
attack and exactly which information was affected.
• Learning from past mistakes is an essential step towards
creating a more comprehensive security strategy.

5. BELIEVE IN BIG
DATA

6. Believe in big data
• The process of analysing cyber-attacks will evolve to take on
more of a big data approach.
• The quality and speed of cyber-threat analysis will increase,
and cost will decrease, as the use of real-time analytics
spreads across structured and unstructured data sources.
• Having the right capabilities at your disposal to quickly
quantify and analyse log data will be crucial in effecting a
timeous response to a cyber-attack.

7. THE COST OF
BREACHES
7

8. The cost of breaches
• Research published by NetDiligence indicates that hackers
and malware were responsible for about 97% of lost records
in 2014 - and caused a lot of pricey damage.
• The median cost of incidents caused by hackers was
$242,762 (R3,115,397), with the most expensive one totaling
$11.75 million (R150.78 million).
• The study also shows that the sources and costs of data
breaches vary widely according to industry.
• Healthcare, which filed 23% of claims, topped them all.
Financial services accounted for 22% of all claims filed and
were also hardest hit by third-party breaches.
• Financial institutions comprised 32% of all third-party
incidents. Each cost about $288,000 (R3,695,783) on average.

9. BEWARE OF
THIRD PARTIES
9

10. • Businesses are becoming increasingly more aware of the
risks inherent to working with third parties.
• Now, they are under fire to address and manage this risk.
• In the future, we'll see more insurers actively monitoring third
parties instead of undergoing less reliable self-certification.
• Instead of being pushed to the side, security will become
priority as protective measures are built into third-party
products and services.
• Upgrades and testing procedures will also be enforced.
Beware of third parties

11. CYBER-
ATTACKS ARE A
TOP CONCERN
11

12. • A report published by the Depository Trust & Clearing
Corporation (DTCC) in late 2014 revealed that 84% of financial
firms placed cyber risk among their top five concerns - up
from 59% in the first quarter of the same year.
• Almost 40% of financial institutions claim the likelihood of a
high-impact breach on the global financial system escalated
throughout 2014.
• More than three quarters claim to have added resources
intended to mitigate risk.
• No doubt last year's J.P. Morgan breach had an impact on
their response.
Cyber-Attacks are a top concern

13. COMMUNICATE
WITH
CUSTOMERS
13

14. Communicate with customers
• As demonstrated by Anthem's response to its own cyber-
attack, it's essential to communicate with customers before,
during, and after a data breach.
• By publicly announcing the attack and providing the
information it could, Anthem demonstrated transparency and
built a level of trust with its customers.
• In the aftermath of a data breach, executives may be tempted
to withhold information until they believe they have all the
answers they need.
• The problem is, customers don't expect you to have all the
answers right away - and those answers might take a long
time to find.
• So long as your company shares information as it receives it,
and is openly working with authorities to investigate the
breach, customers will be more accepting.

15. SHARE
SECURITY
STRATEGIES

16. • The sophistication of today's hackers is escalating quickly
because they work together to share tactics. Insurers, which
primarily operate on their own when it comes to security, are
moving comparatively slowly in developing protective
strategies.
• While insurers have traditionally kept to themselves, it may
be time to consider more open communication with other
financial institutions facing the same risks.
Share security strategies

17. “
17
Data breaches are now common events that affect an organisation in
many ways besides attorney fees, lost business, reputational damage,
and system remediation costs. Back in 1970, in a now classic book,
Dr. Elisabeth Kübler-Ross wrote “On Death and Dying”, which
identified five stages of grieving and emotions that terminally ill
patients experience. It is my contention that organisation’s have to deal
with similar data breach grief.
• Denial. The organisation’s initial reaction helps soften the
realization that technology, people or business processes have
broken down and customer data has been exposed, leaked, or
compromised. This stage may last for a few hours, days, or months
depending on when the organisation confirmed the breach.
• Anger. All organisation’s have irate doubters who refuse to
acknowledge a data breach was caused by a software
programming error or a lost laptop with unencrypted data, or that
the compromised system did not follow established security
hardening procedures.
• Bargaining. There are always people in an organisation who will
insist that they just need another chance and they insist that a
breach will not happen again. This is despite the fact that customer
data is already in the “Internet wild.” Promising to do better in the
future is neither timely nor practical.
• Depression. All organisation’s wish they had handled things
differently. There will be individuals who will be unable to
concentrate and second-guess their plan of action to contain the
breach.
• Acceptance. It is typically very difficult to recognize when the
critical fifth and final stage is reached after a confirmed data breach.
However, it is at this point that management understands that
security needs to be an ongoing process in order to protect the
confidentiality, availability, and integrity of the customer data.

18. Nathan Desfontaines
Information Security Manager
• 082 719 2426
• nathan.desfontaines@kpmg.co.za
The information contained herein is of a general nature and is not
intended to address the circumstances of any particular individual or
entity. Although we endeavour to provide accurate and timely
information, there can be no guarantee that such information is
accurate as of the date it is received or that it will continue to be
accurate in the future. No one should act on such information
without appropriate professional advice after a thorough
examination of the particular situation.
© 2015 KPMG International Cooperative (“KPMG International”), a
Swiss entity. Member firms of the KPMG network of independent
firms are affiliated with KPMG International. KPMG International
provides no client services. No member firm has any authority to
obligate or bind KPMG International or any other member firm vis-à-
vis third parties, nor does KPMG International have any such
authority to obligate or bind any member firm. All rights reserved.
NDPPS 133584
HELPING CLIENTS
SPREAD THEIR
WINGS