Blockchain Truth Digital Identity in the Insurance Industry Transformation
The Actuarial Society of Hong Kong
David Piesse, Guardtime
16 May 2017
ASHK Evening Talk

Agenda
Opening Remarks and Definitions
Latest Cyber Trends and Accumulation Risk
Digital Identity and Data Ownership
Data Integrity and Fraud Reduction
New Products - Business Interruption Insurance
Exponential Technologies AI + Blockchain Dovetail Operational Efficiency Result
Regulatory Issues
Case Studies Marine, Motor, Life, Health
Conclusions

Good Questions
How do you transform an industry that was founded in 1688 and turn it into a 21st Century industry leader?
In the process of doing this, will exponential technology eventually make insurance as we know it today obsolete?
How do we replace dwindling traditional premium with new revenue?

Exponential Technology
This will drastically affect insurance industry as cost of computing power drops
Exponential means doubling in speed or halving in cost every year
Likely the law of large numbers or risk pools will become an individual risk pool
Insurance will be completely embedded in the smart devices and ecosystems.
Wake up call for the industry not to just play balance sheet game but get to customer

2009 DIGITAL CURRENCY
2015 SMART CONTRACTS
2008 SECURITY ASSURANCE
Intended Blockchain Use Cases
Taking a technology designed for Cryptocurrency and applying it to Smart Cities can never work.
Estonia's KSI Blockchain is an optimized protocol for massive scale data management and cybersecurity.

The practical consequence is for the first time, a way for one Internet user to transfer a unique piece of digital property to another Internet user, such that the transfer is guaranteed to be safe and secure, everyone knows that the transfer has taken place, and nobody can challenge the legitimacy of the transfer. The consequences of this breakthrough are hard to overstate.
Marc Andreessen, Inventor of the internet browser

Blockchain Opportunity
“Blockchain Consensus Model is the most important invention since the Internet itself and a much deeper concept than currency.”

The Future Digital Insurer
DIGITIZATION
Customer Centric
Courtesy of EQUINIX and ACORD

Update on Cyber Risk
Digitization/Lack of Attention to Data Integrity
Lack of Mitigation Process in place
Products are not what Risk Managers need
Covers falling short of overall exposure
Lack of claims data and future predictions
Need to Improve Data Classification
Multiple reinsurance layers required government, capital market, captives and traditional reinsurance

Customer Centric and Real Time Data Decisions good news
Opens up Identity theft 6 bill identities stolen in 3 years bad news
Millennials are driving the pace of change
Aggregators will increase and take the customers
Rise of INSURETECH is major game changer
Digital laggards will be challenged by digital innovation and newcomers
Huge emergence of digital fraud and ghost brokers
Digitization is causing cyber crime to go up
Need to understand (device + location + identity + threat intelligence)
Stolen identity floods the dark web
UBERIZATION of the Insurance Industry

Opening Remarks on Identity
The basis of blockchain is self sovereign identity
Identity is the common denominator across all blockchains
Digital identity means you know who or what owns the data
Placing identity on blockchain is strong and immutable
Validation of identity by location STARBUCKS example
Blockchain builds a long trail of identity HKID/FB ID/LINKEDIN
If lose identity can get back on the blockchain without biometrics

Difference between Blockchain and Distributed Shared Ledger (DLT)
With over 700 blockchain solutions on the market it is key to know this
A distributed database is spread across multiple locations and across many computers. It can define ownership of data.
Both DLT and Blockchains are distributed databases
Blockchains are a form of shared ledger and so have ownership.
What identifies a blockchain over a DLT is the trust and truth properties
This is identity, consensus and having a multiple copy of each transaction on every computer.
For many blockchains this has caused scalability and redundancy problems so they have returned to being a DLT. When you do this then trust is sacrificed. Caveat Emptor.

Hash Key DNA for DATA
How do you maintain user privacy while keeping identity on the blockchain?
Sensitive data is not stored on the blockchain
Instead pointers and references are used and data stored off ledger
This is essential for cybersecurity and scalability
An encrypted hash key is used that is unique and cannot be reversed
In the same way a fingerprint identifies a person and you cannot recreate a person's body from the fingerprint, the same applies here for data.
As meta data is used the data never leaves the perimeter.
The user is now in charge of their own identity and does not need a bank.

Open versus Closed Blockchains
Is there a common platform where all identities are stored?
There is no such identity store as it would not be scalable
Open blockchains are public ledgers and anyone can write to them
Private permissioned blockchains are only for a set group of users
Financial services will adopt the private blockchains
An exception could be microinsurance due to the nature of the sector
There is a race to be a leader in a common standard for blockchain
Estonia have this leadership for government

It is not all about identity but also about money efficiency and operational efficiency.
As the owner of the account is known, one can remove the two step process of debit and credit, with only one update on the blockchain to transfer money.
International banks on a blockchain will speed up exchange, remove pseudo IDs, KYC/AML is assured and identity guaranteed.
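The hash-pointer approach from the "Hash Key DNA for DATA" slide above, as an added example that is not part of the original talk or any vendor's code: the record stays in an off-ledger store and only a salted SHA-256 commitment is appended to a hash-chained ledger. The names (`commit`, `Ledger`, `verify`), the sample record and the random salt are assumptions of this sketch; the salt is there because identity numbers are low entropy, so an unsalted hash of one could be matched by trying candidates.

```python
import hashlib, hmac, json, os

GENESIS = "0" * 64

def commit(record: dict, salt: bytes) -> str:
    """One-way commitment to a record: SHA-256(salt || canonical JSON)."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(salt + body).hexdigest()

def _link(prev: str, ref: str, commitment: str) -> str:
    return hashlib.sha256(f"{prev}|{ref}|{commitment}".encode()).hexdigest()

class Ledger:
    """Append-only, hash-chained list holding references and commitments only."""
    def __init__(self):
        self.entries = []

    def append(self, ref: str, commitment: str) -> None:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"ref": ref, "commitment": commitment,
                             "prev": prev, "hash": _link(prev, ref, commitment)})

    def chain_ok(self) -> bool:
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or e["hash"] != _link(prev, e["ref"], e["commitment"]):
                return False
            prev = e["hash"]
        return True

def verify(ledger: Ledger, store: dict, ref: str) -> bool:
    """Recompute the commitment from the off-ledger copy and compare."""
    record, salt = store[ref]
    on_ledger = next(e["commitment"] for e in ledger.entries if e["ref"] == ref)
    return hmac.compare_digest(commit(record, salt), on_ledger)

def demo():
    store, ledger = {}, Ledger()
    # Constructed sample record; the random salt stays off ledger with the data.
    record = {"name": "Example Person", "id_no": "X0000000", "policy": "P-0001"}
    store["cust-1"] = (record, os.urandom(16))
    ledger.append("cust-1", commit(*store["cust-1"]))
    intact = verify(ledger, store, "cust-1")
    store["cust-1"][0]["policy"] = "P-9999"      # silent off-ledger change
    tamper_detected = not verify(ledger, store, "cust-1")
    leaked = "Example Person" in json.dumps(ledger.entries)
    return intact, tamper_detected, ledger.chain_ok(), leaked

if __name__ == "__main__":
    print(demo())
```

The ledger never holds the name or identity number, yet a later change to the off-ledger record no longer matches the commitment, and rewriting a ledger entry breaks the chain check.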
Sensitive data never on the blockchain as the customer is the one with the identity ownership and needs to give permission.
No need to store multiple identities anymore

What is the Impact of Blockchain to Internet of Things
For IOT the same thing applies except we are identifying devices
The blockchain paves the way to the autonomous devices so we can also identify the owner of the device and the data provenance.
Enables sensor as a service to collect payments
Blockchain is all about the data layer
Identity of person + identity of data + identity of device.

Blockchain Sweet Spot
Mathematics used to enable trust between parties mutual auditability
Secure but shared view and consensus
Full data provenance, lineage and immutability
Provision of comprehensive rich information (big data/AI)
Automated verification and reconciliation
Self enforcing contract capability (smart contracts)

Latest Cyber Trends and Accumulation Risk

Welcome to Guardtime
DATA ASSET RECOGNITION AT LAST

Cyber Security: one of the biggest problems facing Asian Companies

29 Aug 2016
SWIFT, the global banking system is (still) under attack.
The messaging network that connects the world's banks, says it has identified new hacks targeting its members, and it is warning them to beef up security in the face of ongoing attacks” cyber attacks on banks in Bangladesh, Vietnam, the Philippines and Ecuador in which malware was used to circumvent local security systems, and in some cases, steal money”.

26 Aug 2016
Police check Taiwan ATM hacking suspects
“The ATM heist, which was reported in Phuket, Surat Thani, Chumphon, Prachuap Khiri Khan, Phetchaburi and Bangkok, forced the state-run bank to close more than 3,000 ATMs, half of its total number of ATMs”.

24 Aug 2016
Asian companies have world's worst cyber security says study
“Many Asian organisations are badly defended against cyber-attacks, a year-long investigation by US security company Mandiant indicates.
The median time between a breach and its discovery was 520 days, it says. That is three times the global average. Asia was also 80% more likely to be targeted by hackers than other parts of the world, the report said”.

20 March 2016
The biggest threat in 2016?
“According to research by the Business Continuity Institute recently named cyber crime as the biggest threat to business in 2016, ahead of skills shortages and terrorist attacks”.

WANNACRY GLOBAL RANSOMWARE ATTACK FRIDAY 12TH 2017

Time to compromise vs. time to discovery
Over the last decade:
Time to compromise has decreased, 90% of attacks take less than one day
Average time to discover a cyber attack in Asia is 1.5 years (520 days)
For insider threats, 69% of compromise detections take more than a day; 35% take weeks or more
Source: 2014 Verizon Data Breach Report
CYBER resilience goes beyond network to supply chain and partners

Pricing Silent Cyber Risk
Regulators consider silent cyber risk to be insurers' potential exposure to cyber risks implicit within broad insurance cover they provide beyond that explicitly accounted for in cyber insurance policies, such as data breach cover. This is hitting SOL II drafts
This is in light of more limits being put out by insurers plus rates going down and property / casualty underwriters weighing in.
How do you price a risk with no accumulated data over time, loss data not being available and how do you cover a hacked power grid taking down suppliers?
There is a grave risk of underpricing as the underwriters are chasing the trends and not actuarial data.

The CISO and Underwriter Mexican Stand Off
CISOs think underwriters should understand the tactics of the bad actors and the attack surface better.
Also they should anticipate human error better
Understand the highly sensitive data and why people want it.
Understand the provenance of data
Understand the access of third and fourth parties
The need to move to data driven underwriting at the earliest possible opportunity.

A loss database across all lines of business in insurance D&O, E&O, General Liability and more.
A cyber database consisting of 350,000 events with frequency, severity, cause and cost of breach. This is expected to double every 3 months.
A technical database with network and digital asset information that can be used for rating.
A taxonomy based on insurance event, litigation, penalties and fines, third party costs, response information, insider involvement and subrogation.
A company database close to S&P Enterprise Information that holds corporate details of 20 Million companies.
Data Sources Do Exist

Where Does The Data GO
MALWARE AS A SERVICE

Cybersecurity is now a $8 trillion dollar plus risk and modern security solutions do not address the problem.
Cyber insurance is limited in many cases to entry cover, lower limits, non acceptance by insurers, frustration from risk managers and no wording cover for physical infrastructure damage caused by cyber breach.
With increased connectivity (e.g. connected car) there are no means to prove exactly what happened when. There is no equivalent of a photo in the digital world as there is in commercial fire line of business.
We need to provide mathematical certainty, an independent audit trail for all human and machine activity in digital society. This is the mitigation required.
Why We are Discussing Cyber Risk?

CYBER RISK RESILIENCE
Mandatory regulation leading to fines is a temporary solution to cyber risk and RESILIENCE is the solution and proactive mechanism to enable organizations to prevent, resolve and recover from cyber issues in a fast manner also reducing reputational risk as part of the process.
The blurring of territorial boundaries by the cloud and the threat to data integrity becomes a challenge to maintain and define the auditability of what had happened as any process is only as good as its weakest link
The physical world used resilience and mitigation to look at the natural catastrophes. This is the equivalent in the digital world. People now know they must mitigate.

Breakdown of critical infrastructure and networks (power grids, nuclear power stations, transport systems, telecommunications, water supply, steel mills, maritime systems, and oil energy plants) leading to business interruption and economic loss.
Use of smart devices M2M (machine to machine) must be well defined in the risk assessment process OT/IT.
Long term data corruption or integrity which can be disastrous if going on for a long period of time without detection having a similar effect as IBNR (Incurred But Not Reported) claims on an insurer's balance sheet.
Large scale cyber attacks on Fortune 500 companies and state sponsored attacks
A massive incident of data fraud or theft for example in the healthcare sector.
MAJOR CONCERNS

Cyber Risk Trends 2016-2017 1st Qtr
Type: Description
DATA: Physical loss, malicious breach NOT DATA INTEGRITY
PRIVACY: Un-authorised data collection PII
NETWORK: Network/Website Disruption
EMERGING RISKS: Data Integrity, Email Compromise, Social Engineering
Ransomware events tripled in 2016 at least
IOT Attack Surface is Increasing
The Risk Landscape is Changing so Should the Cover

Cyber Risk 2016 by Sector without data integrity
Business Sector: Activity
Financial Services: Gradual improvement due to mitigation
Healthcare: Gradual improvement due to privacy
Retail: Very small improvement need data integrity
Information Services: Gradual improvement due to leak notification
Utility/Energy: Increased risk IOT Attack Surface
Manufacturing: Supply chain risk and cyber espionage increase risk
Education: Increase risk of universities around IP/Theft
Government: Increase risk social engineering and email breach
Emerging Sectors: Operational Technology Meets Information Technology
Professional/Scientific: Increase risk ransomware

Ransomware Issues
Payments in USA in 2016 were $1 Billion with a Rate of incidents set at 4000 per day.
Encrypt victim data and demand payment for encryption key
M&A a good target and cryptocurrencies improve bad actor success
Victims back up the virus along with their data infects over time
Solution is smart backup and retention policies to clean state
Backup vendors need to partner with cybersecurity companies
Virus enters data centre network when link is clicked
Data is usually kept intact
Encryption key is bought with bitcoin no central bank no trace/track
LOCKY

Consumer Risk
Default Settings
A Message You Can Hug

Business Risk
YAHOO Merger and Acquisition Discount
RATINGS STILL DO NOT INCL