With the amount of personal and sensitive customer information needed to accurately insure a client, it's no wonder the insurance industry is a target for data security threats.
While all businesses across every industry are at risk, there are a few things that make the insurance industry particularly attractive – and susceptible – to data breaches and cyber-attacks:
- The sheer volume of information available
- The highly sensitive nature of the information
- Large amounts of unstructured data
In this webinar, our speakers illustrated the state of the art, including the technical and legal framework, for protecting your most relevant information from cyberattacks. You will learn:
- How to define a roadmap that optimizes the impact of cyber security expenditure
- How to adopt a general risk management approach to identify cyber security risks
- Which technologies available today are the most relevant for protecting your data
3. Speakers
• Francois Collienne, Business Development Manager @ Xenit
• Tim Wouters, Chief Risk Officer @ ERGO Insurance
• Vincent Naessens, Associate Professor at the Department of Computer Science @ KU Leuven
• Siebe de Roovere, Principal Cybersecurity Consultant and BU Director @ Toreon
4. What you need to know about data protection and cybersecurity: Agenda
• KU Leuven | Unlocking the potential of digital data
• Toreon | Security for Insurance, related archives & content
• Ergo | Cyber security for insurance companies: risks and regulatory expectations
• Xenit | How to archive, preserve, retrieve your information
• Q&A
• Wrap up and conclusions
7. Digital Data is the new gold
› Digitization (first wave)
  − Personnel management
  − Customer data
  − Maintaining inventories
› Advanced decision making (second wave)
  − Recommendations
  − Predictions
  − Strategic decisions
8. Improving business intelligence
› Increasing data collection
  − Fine-grained data collection
  − Integrating multiple data sources
› Increasing processing power
  − Machine learning and AI technology
  − Optimization algorithms
9. Integrating external data sources
› Crime control
  − Goal: optimal allocation of police forces
  − Combining governmental and financial data
  − Personal + company data
› Health, activity and lifestyle
  − Goal: improving lifestyle
  − Health, food and activity tracking
  − Sensitive personal data
10. Controlled release of sensitive data
› Why controlled release?
  − Compliance with privacy regulation
  − Economic loss
  − Reputation damage
› How controlled release?
13. Techniques for controlled release
› User control
  − Data minimization
  − Local differential privacy
› Controlled query handling (pull)
  − Query perturbation
  − Restricted query handling
  − Differential privacy → privacy budget
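The three "pull" techniques on this slide fit together in one query interface, and the following added example (written for this page, not code from the webinar or from KU Leuven) shows how: restricted query handling refuses any filter on a direct identifier, query perturbation adds Laplace noise calibrated to the query's sensitivity, and a privacy budget charges every answer its epsilon until the analyst is cut off. The 30 policyholder records and the attribute allow-list are constructed for the demonstration.

```python
import math
import random

# Constructed sample data (not from the webinar): 30 policyholder records.
# Odd ids live in postcode "1000", even ids in "2000"; every third id has an open claim.
RECORDS = [
    {"policyholder_id": i, "postcode": "1000" if i % 2 else "2000", "has_open_claim": i % 3 == 0}
    for i in range(1, 31)
]

# Restricted query handling: analysts may filter only on these attributes,
# never on a direct identifier such as policyholder_id.
ALLOWED_FILTERS = {"postcode", "has_open_claim"}


class BudgetExhausted(Exception):
    """Raised when a query would exceed the privacy budget for this dataset."""


class PrivacyBudget:
    """Tracks the total epsilon an analyst may spend (basic sequential composition)."""

    def __init__(self, total_epsilon):
        self.total = total_epsilon
        self.spent = 0.0

    @property
    def remaining(self):
        return self.total - self.spent

    def spend(self, epsilon):
        if epsilon <= 0:
            raise ValueError("epsilon must be positive")
        if epsilon > self.remaining + 1e-12:
            raise BudgetExhausted(f"need {epsilon}, only {self.remaining:.3f} left")
        self.spent += epsilon


def make_rng(seed=None):
    """Source of randomness; seeded only to make the demonstration reproducible."""
    return random.Random(seed)


def laplace_noise(scale, rng):
    """Sample Laplace(0, scale) by inverting its CDF."""
    u = rng.random() - 0.5                      # u in [-0.5, 0.5)
    q = max(1.0 - 2.0 * abs(u), 1e-300)         # guard against log(0) at the boundary
    return -scale * math.copysign(1.0, u) * math.log(q)


def exact_count(filters):
    """The true answer; it is never returned to the analyst directly."""
    return sum(1 for r in RECORDS if all(r[k] == v for k, v in filters.items()))


def dp_count(filters, epsilon, budget, rng):
    """Answer a counting query with epsilon-DP Laplace perturbation, charging the budget."""
    disallowed = set(filters) - ALLOWED_FILTERS
    if disallowed:
        raise ValueError(f"filter on non-queryable attribute(s): {sorted(disallowed)}")
    budget.spend(epsilon)                       # every answer costs budget, even repeated ones
    # Adding or removing one record changes a count by at most 1 (sensitivity 1),
    # so Laplace noise with scale 1/epsilon makes the answer epsilon-differentially private.
    return exact_count(filters) + laplace_noise(1.0 / epsilon, rng)


if __name__ == "__main__":
    rng = make_rng(42)
    budget = PrivacyBudget(total_epsilon=1.0)
    print("open claims (eps=0.5):", round(dp_count({"has_open_claim": True}, 0.5, budget, rng), 1))
    print("postcode 1000 (eps=0.5):", round(dp_count({"postcode": "1000"}, 0.5, budget, rng), 1))
    print("budget left:", budget.remaining)
    try:
        dp_count({"postcode": "2000"}, 0.1, budget, rng)
    except BudgetExhausted as e:
        print("refused:", e)
```

The budget is charged before the noisy answer is computed, so an analyst cannot average many repeats of the same query to wash out the noise; once the total epsilon is spent, the interface stops answering rather than degrading to exact counts.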
14. Controlled dataset transfer
› Controlled release of datasets (push)
15. Controlled dataset transfer
› Pseudonymization
  − Replacing fields with pseudonyms
  − Reversible
› Anonymization
  − Stripping elements
  − Generalization, swapping, noise, …
  − Irreversible
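The reversible/irreversible distinction on this slide is easiest to see side by side. The added example below (written for this page, not code from the webinar) pseudonymizes the direct identifiers of two constructed policyholder records with a keyed HMAC and a lookup vault that only the key holder keeps, then anonymizes the same records by stripping identifiers and generalizing age and postcode. Field names, the placeholder national ids and the reference date are assumptions.

```python
import hashlib
import hmac
import secrets
from datetime import date

# Constructed sample records (not from the webinar); "national_id" values are placeholders.
RECORDS = [
    {"name": "Anna Peeters", "national_id": "ID-0001", "birth_date": date(1985, 4, 12),
     "postcode": "3000", "claim_amount": 1275.0},
    {"name": "Bram Janssens", "national_id": "ID-0002", "birth_date": date(1971, 11, 3),
     "postcode": "3001", "claim_amount": 480.0},
]
DIRECT_IDENTIFIERS = ("name", "national_id")
REFERENCE_DATE = date(2024, 1, 1)          # constructed "today" for age computation


class Pseudonymizer:
    """Reversible: keyed, deterministic pseudonyms plus a vault held only by the data controller."""

    def __init__(self, key):
        self._key = key
        self._vault = {}                  # pseudonym -> original, stored apart from the dataset

    def pseudonymize(self, value):
        # HMAC rather than a bare hash: without the key nobody can recompute or guess a pseudonym
        pseudonym = hmac.new(self._key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]
        self._vault[pseudonym] = value
        return pseudonym

    def reidentify(self, pseudonym):
        return self._vault[pseudonym]


def pseudonymize_records(records, pz):
    """Replace direct identifiers with pseudonyms; every other field stays intact for processing."""
    return [{k: (pz.pseudonymize(v) if k in DIRECT_IDENTIFIERS else v) for k, v in r.items()}
            for r in records]


def age_band(birth_date, today):
    age = today.year - birth_date.year - ((today.month, today.day) < (birth_date.month, birth_date.day))
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def anonymize_records(records, today):
    """Irreversible: direct identifiers are dropped, quasi-identifiers are generalized."""
    return [{
        "age_band": age_band(r["birth_date"], today),    # generalization
        "postcode_prefix": r["postcode"][:2] + "**",       # generalization
        "claim_amount": round(r["claim_amount"], -2),      # coarsening to the nearest 100
    } for r in records]


if __name__ == "__main__":
    pz = Pseudonymizer(secrets.token_bytes(32))
    pseudo = pseudonymize_records(RECORDS, pz)
    print("pseudonymized:", pseudo[0])
    print("reversed by the key holder:", pz.reidentify(pseudo[0]["name"]))
    print("anonymized:", anonymize_records(RECORDS, REFERENCE_DATE))
```

The pseudonymized set still carries birth date and full postcode, so it remains personal data under GDPR and the vault and key need the same protection as the originals; the anonymized set has nothing left to reverse, which is exactly why it is also less useful for per-customer processing.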
24. Outsourcing :: Software Development
› Synthetic (~fake) data
  − Testing of software/scripts without privacy risks
  − With similar statistical properties
› Format-preserving encryption
  − Avoiding identifying data in test environments
  − Preserving structure/format of the original data
26. Outsourcing :: Processing
› Trusted Execution Environments (TEE)
  − TEE isolates data and code from the OS
  − Trust required in the TEE vendor
› Encrypted processing
  − Fully homomorphic encryption
  − Static set-up / simple operations
27.
› The privacy ⇔ utility balance
› Outsourcing
› Evolving attack(er)s
› Ever-increasing complexity
28. Evolving Attacks
› Attack vectors
  − Data in transit → secure communication channels
  − Data at rest
  − Data during computation
› Attacks on publicly available datasets
  − The Prosecutor → targeting a specific individual in the dataset
  − The Journalist → targeting any individual
  − The Marketeer → re-identifying a large number of IDs
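The three attacker models on this slide correspond to three re-identification risk measures that a data owner can compute on a generalized release before publishing it. The added example below (written for this page, not code from the webinar) evaluates them on a constructed 10-record release and shows one remedy, suppressing records in equivalence classes smaller than k. The in-sample simplification, treating the release itself as the population the attacker matches against, and the quasi-identifier names are assumptions.

```python
from collections import Counter

# Quasi-identifiers: attributes an attacker can plausibly look up about a person.
QUASI_IDENTIFIERS = ("age_band", "postcode_prefix", "gender")


def record(age_band, postcode_prefix, gender, claim_amount):
    return {"age_band": age_band, "postcode_prefix": postcode_prefix,
            "gender": gender, "claim_amount": claim_amount}


# Constructed release (not from the webinar): 10 generalized claim records.
RELEASE = [
    record("30-39", "30**", "F", 1200.0),
    record("30-39", "30**", "F", 900.0),
    record("30-39", "30**", "F", 300.0),
    record("30-39", "30**", "M", 4100.0),
    record("30-39", "30**", "M", 750.0),
    record("40-49", "20**", "F", 2200.0),
    record("40-49", "20**", "F", 1800.0),
    record("40-49", "20**", "F", 600.0),
    record("40-49", "20**", "F", 5000.0),
    record("60-69", "10**", "M", 9800.0),   # unique combination: directly re-identifiable
]


def key(rec):
    return tuple(rec[q] for q in QUASI_IDENTIFIERS)


def equivalence_classes(records):
    """How many records share each quasi-identifier combination."""
    return Counter(key(r) for r in records)


def prosecutor_risk(records, target):
    """Attacker knows a specific person is in the release and knows their quasi-identifiers."""
    size = equivalence_classes(records).get(key(target), 0)
    return 1.0 / size if size else 0.0


def journalist_risk(records):
    """Attacker wants to re-identify anyone at all: the most exposed record sets the risk."""
    classes = equivalence_classes(records)
    return 1.0 / min(classes.values()) if classes else 0.0


def marketer_risk(records):
    """Attacker links every record and tolerates errors: expected fraction re-identified.
    With the release taken as the population (assumption), each class yields one correct
    match on average, so the expected fraction is classes / records."""
    classes = equivalence_classes(records)
    return len(classes) / len(records) if records else 0.0


def is_k_anonymous(records, k):
    classes = equivalence_classes(records)
    return bool(classes) and min(classes.values()) >= k


def suppress_small_classes(records, k):
    """One remedy: drop records whose equivalence class has fewer than k members."""
    classes = equivalence_classes(records)
    return [r for r in records if classes[key(r)] >= k]


if __name__ == "__main__":
    for name, data in (("raw release", RELEASE), ("k=2 suppressed", suppress_small_classes(RELEASE, 2))):
        print(f"{name}: journalist={journalist_risk(data):.2f} marketer={marketer_risk(data):.2f} "
              f"k2={is_k_anonymous(data, 2)}")
```

The single 60-69 / 10** / M record makes the journalist risk 1.0 for the whole release even though nine of ten records sit in classes of size 2 or more; suppression (or further generalization of that record's age band) is what brings the worst case down, and the marketer figure shows how much linkage remains even after the fix.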
33. YOUR COACH IN DIGITAL SECURITY
Security for Insurance, related archives and content.
34. About Me & Toreon
• Principal GRC consultant @ Toreon
• Business Unit Director @ Toreon
• Studied (Applied) Economics
• 8+ years of security experience
• Certified ISO27001 LA
• Certified DPO
• Lecturer @ Data Protection Institute, NCOI, Kluwer
35. The Bad News
Cyber Threats
Massive data losses, theft of intellectual property, credit card breaches, identity theft, threats to our privacy, denial of service, ... This has become a way of life for all of us in cyberspace.
Trust & Compliance
Ever-growing landscape of cybersecurity/privacy laws, regulations & standards: ISO27k, NIST, CIS, GDPR, NIS, FDA rulings, ...
36. The Bad News (continued)
Negative: more threats, organized threats.
Positive: hackers have a business mindset > we know how to compete in business!
37. Sector Specific: Top Risks for Insurance Companies
Source: https://www.eiopa.europa.eu/document-library/report/cyber-risk-insurers-challenges-and-opportunities_en
38. Ransomware in Belgium - Painful Facts
• 30% still have not been able to recover all their data a year later
• 10% actually get all their data back after paying.
• 60% are attacked again within the year.
• Sector attacks are becoming the standard!
40. The Good News
Cyber Defense
• We have access to an extraordinary array of security tools and technology, standards, training and classes, certifications, vulnerability databases, guidance, best practices, catalogs of security controls, and countless checklists, benchmarks, and recommendations.
• We have threat information feeds, reports, tools, alert services, standards, and threat sharing frameworks.
• We are surrounded by security requirements, risk management frameworks, compliance regimes, regulatory mandates, and so forth.
There is no shortage of information available to security practitioners on what they should do to secure their infrastructure.
41. The Ugly Challenge: the "Fog of More"
• Which risks should be addressed?
• How to prioritise security spending?
• Which actions have the greatest value?
57. Cyber security risks can be identified via a general risk management approach
Identify → Measure → Control → Monitor → Report (a continuous cycle)
58. Risk Identification
Data at hand
• Company specific information
• Policyholder basic information
  − name, address, …
• Risk insured:
  − house, family
  − medical profile
  − salary information
• Claim information
Risk sources
• Mainly operational risks
  − Failed processes / human errors
  − Restrictions from GDPR
  − Cyber events
  With a lot of possible impact on reputation. Specific attention for cloud.
• Strategic risks from legacy systems
• Sustainability related risks
60. Measuring the risks via likelihood and impact
Potential impact
• Loss of data
• Financial loss
• Business continuity, or worse
• Loss of reputation
Likelihood
• Depends on set-up
  − Type of data
  − Exposure to internet
  − Cloud
  − Automation of processes
  − Legacy systems
  − Teleworking
• Can be measured with tools, audits, …
61. From Black Swans to Gray Rhinos
• Black Swan: hardly any risk
• Gray Rhinos: mitigated in processes / pricing
63. Controlling the risks (controlling the risk exposure)
• Bring down undesired levels, e.g. patching, hardening
• Define a risk appetite: board level expression; what can (not) be tolerated?
• Drill down to specific KPIs, e.g. number of cyber attacks, reputational events
• Put governance in place: incident process with clear responsibilities; SIRT, ISO, …
• If needed, apply risk transfer or acceptance: cyber insurance; deliberately accept the risk
• Ensure measuring can be executed: can require tools (SIEM, pentesting); put processes in place
65. Regularly monitoring the exposure based on defined KPIs
• Recurrent execution of the KPIs (e.g. number of cyber attacks, required patches, access management, reputational risk, …)
• Of the own company and of third parties.
• Where needed, taking actions to bring them in line with the risk appetite, via additional measures or by ensuring that predefined processes are being carried out.
• Includes creating cyber risk awareness.
67. Reporting to create top management awareness
• Involving top management in the risk management strategy as end responsible.
• Regularly reporting monitoring results to top management.
• Allowing for steering and support.
• Creating awareness.
Can also involve situation exercises.
68. Legislation
69. Financial sector is heavily regulated
• Governance requirements: NBB circular on governance NBB_2016_31; NBB circular on information security NBB_2021_15
• Outsourcing requirements: strong requirements regarding outsourcing (to ensure to stay in control)
• Cloud computing: specific NBB circular regarding cloud computing requirements
• GDPR: privacy requirements impacting data set-up and treatment
• Anti Money Laundering and Financial Sanctions: heavy data requirements to ensure compliance with laws
• Business Continuity Requirements: ensuring to stay up and running through crises
72. About Xenit
Back in 2008… what were the issues in the Insurance Industry?
• Merger and Acquisition
• Centralization of Digital Archives
• Modernization – Cost control
Those issues were not cybersecurity related
• Not the main driver
• ISO 27001 Certifications
• OWASP Top 10
• Security by design -> Object storage
73. Where do we stand today?
• 5 customers in Insurance
• 300+ M documents
• 1/3 of revenues come from the Insurance Industry
• Long lasting relationships
• 50% more documents stored in the archives in 5 years
74. Our recipe to secure Insurance related archives: 1. Zero Trust
• Internal breaches (80%) versus external (20%)
• Password protections
• VLAN separations
• Security logs / access logs
75. Our recipe to secure Insurance related archives: 2. Zero Risk does not exist
• We are always (at least) one step behind a hacker
• Ex. SLR Amazon S3: 99,9999999999 durability
• To achieve close to zero risk, you need at least 2 different technologies (3-2-1 rule)
76. Our recipe to secure Insurance related archives: 3. Security by design
• On premise Object Storage pioneer in 2007
• High level of protection at rest
• High availability with replicas / erasure coding
• Lifecycle management
• Encryption
77. Object Storage for data protection
Safeguard data from attacks, failures, and mistakes:
• Ransomware protection
• Continuous self-healing
• Secure access
• Disaster recovery
• High availability
• Alternative to tape & cloud
78. The present and the future
What does the future look like for archives?
• Acceleration of digital business -> more documents created -> more documents to archive
• General purpose ECM systems are not scalable enough to become a digital archive
• Archives are an interesting target for hackers (they contain a footprint of the whole organization's activity)
What are the cyber risks associated with a future archive?
• Sensitive information leakage
• Personal information leakage
Which are the main threats for insurance companies?
• Business continuity
• Reputational
• Legal
82. OWASP* Top 10 security threats
More and more APIs in cloud architectures = widening access.
But! Broken Access Control has moved to the top place!
(*) OWASP = The Open Web Application Security Project
83. The limits of access control
• Poorly agile
• Static
• Does not scale
"Companies that haven't solved for access control are not only putting themselves at risk -- they are also suboptimizing every dollar of their cybersecurity spend" - Richard Bird
Risk:
• Access control is the barrier against internal exposure
• Bad practice to use a general user (portal user)
• Admin account for troubleshooting should not have access to all content (least privilege)
84. Next generation access control
ABAC (Attribute based access control) leading to PBAC (Policy based access control)
85. Next generation access control
Benefits:
• Fine grained protection: ex. meta-data versus content
• Context aware dynamic access rules
• Better traceability
• Is testable
Example: dynamic rules
• Allow all access from the Benelux (IP geofencing) between 7 and 21 H, for all documents having classification "external" and a non-null customer name
• Report any access user Jean had on documents containing user Pierre, either in the content or in the meta-data of the document
88. Metadata based archives
1. Metadata will be crucial
• Because finding back information relies on it
• Because Access Control needs it
• Because new business initiatives will rely on it
2. Metadata completeness and correctness is the key
3. Governance
91. API Architecture & Security
Organizations with high traffic sites offering a wide range of services often feature a large number of third-party integrations. These integrations rely on APIs to collect data from third parties and serve it up to the user in a seamless fashion.
APIs tend to be compromised in ways similar to breaches of other web applications, but because they are both increasingly important and hidden from view, they arguably represent a bigger risk to the business than other assets.
92. API Architecture & Security
✓ Use secure tokens
✓ Rotate keys
✓ Use an up-to-date signing algorithm
✓ Make sure to fail safe / fail secure
✓ Use a centralized Open Policy Agent
✓ Avoid caches (or refresh frequently)
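Four of the checklist items (secure tokens, key rotation, a single up-to-date signing algorithm, fail secure) show up together in how an API verifies a bearer token. The added example below (written for this page, not Xenit's code) issues and verifies a compact HMAC-signed token: keys are addressed by a key id so rotation simply retires the old id, only one algorithm is ever accepted, the signature is compared in constant time, and every failure path, including a parse error, returns a denial rather than a grant. The token layout is a simplified JWT-like format constructed for the example, and key ids, claims and timestamps are assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class KeyRing:
    """Signing keys addressed by key id (kid); rotating retires a kid so its tokens stop verifying."""

    def __init__(self):
        self._active = {}

    def add(self, kid, key=None):
        self._active[kid] = key if key is not None else secrets.token_bytes(32)
        return kid

    def retire(self, kid):
        self._active.pop(kid, None)

    def get(self, kid):
        return self._active.get(kid) if isinstance(kid, str) else None


ALLOWED_ALG = "HS256"        # exactly one current algorithm; anything else is rejected


def issue(claims, ring, kid, ttl_seconds=300, now=None):
    """Sign claims with the key identified by kid; tokens are short-lived by default."""
    now = time.time() if now is None else now
    key = ring.get(kid)
    if key is None:
        raise KeyError(f"no active key {kid!r}")
    header = {"alg": ALLOWED_ALG, "kid": kid}
    payload = dict(claims, iat=int(now), exp=int(now) + ttl_seconds)
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify(token, ring, now=None):
    """Fail secure: malformed, unknown-key, wrong-algorithm, forged or expired tokens all yield None."""
    try:
        now = time.time() if now is None else now
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        if header.get("alg") != ALLOWED_ALG:
            return None                               # no "none", no algorithm downgrade
        key = ring.get(header.get("kid"))
        if key is None:
            return None                               # unknown or rotated-out key
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None                               # constant-time comparison
        payload = json.loads(b64url_decode(payload_b64))
        exp = payload.get("exp")
        if not isinstance(exp, int) or exp <= now:
            return None                               # expired or missing expiry
        return payload
    except Exception:
        return None                                   # any surprise during parsing is a denial


if __name__ == "__main__":
    ring = KeyRing()
    ring.add("2024-q1")
    token = issue({"sub": "archive-api"}, ring, "2024-q1")
    print("fresh token verifies:", verify(token, ring) is not None)
    ring.add("2024-q2")
    ring.retire("2024-q1")                           # rotation: old tokens are now rejected
    print("after rotation:", verify(token, ring))
```

Rotation works because the key id travels in the token header and the verifier only trusts ids still present in the ring; a cache of verification results (the last checklist item) would undo this, which is why the example verifies every call and keeps the lifetime short instead.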
93. Layered Security
• Content in motion
• Content service at the API end point
• Securing authentication
• Protecting authorisation
• Content at rest