Blockchain Truth –
Digital Identity in the Insurance Industry Transformation
The Actuarial Society of Hong Kong
David Piesse, Guardtime
16 May 2017
ASHK Evening Talk
Agenda
• Opening Remarks and Definitions
• Latest Cyber Trends and Accumulation Risk
• Digital Identity and Data Ownership
• Data Integrity and Fraud Reduction
• New Products - Business Interruption Insurance
• Exponential Technologies – AI + Blockchain Dovetail
• Operational Efficiency Result
• Regulatory Issues
• Case Studies – Marine, Motor, Life, Health
• Conclusions
3
Good Questions
• How do you transform an industry that was founded in 1688 and turn it into a 21st Century industry leader?
• In the process of doing this, will exponential technology eventually make insurance as we know it today obsolete?
• How do we replace dwindling traditional premium with new revenue?
Exponential Technology
• This will drastically affect the insurance industry as the cost of computing power drops
• Exponential means doubling in speed or halving in cost every year
• It is likely that the law of large numbers and risk pools will give way to individual risk pools
• Insurance will be completely embedded in smart devices and ecosystems.
• Wake up call for the industry not to just play the balance sheet game but to get to the customer
Intended Blockchain Use Cases
• 2008 – Security Assurance
• 2009 – Digital Currency
• 2015 – Smart Contracts
Taking a technology designed for cryptocurrency and applying it to smart cities can never work. Estonia’s KSI Blockchain is an optimized protocol for massive scale data management and cybersecurity.
Blockchain Opportunity
“The practical consequence […is…] for the first time, a way for one Internet user to transfer a unique piece of digital property to another Internet user, such that the transfer is guaranteed to be safe and secure, everyone knows that the transfer has taken place, and nobody can challenge the legitimacy of the transfer. The consequences of this breakthrough are hard to overstate.” – Marc Andreessen, Inventor of the internet browser
“Blockchain Consensus Model is the most important invention since the Internet itself and a much deeper concept than currency.”
The Future Digital Insurer – DIGITIZATION – Customer Centric
Courtesy of EQUINIX and ACORD
© 2015 Fuji Xerox Co., Ltd. All rights reserved. 7
Update on Cyber Risk
• Digitization/Lack of Attention to Data Integrity
• Lack of Mitigation Process in place
• Products are not what Risk Managers need
• Covers falling short of overall exposure
• Lack of claims data and future predictions
• Need to Improve Data Classification
• Multiple reinsurance layers required – government, capital
market, captives and traditional reinsurance
UBERIZATION of the Insurance Industry
• Customer centric and real time data decisions – good news
• Opens up identity theft – 6 billion identities stolen in 3 years – bad news
• Millennials are driving the pace of change
• Aggregators will increase and take the customers
• Rise of INSURTECH is a major game changer
• Digital laggards will be challenged by digital innovation and newcomers
• Huge emergence of digital fraud and ghost brokers
• Digitization is causing cyber crime to go up
• Need to understand (device + location + identity + threat intelligence)
• Stolen identity floods the dark web
Opening Remarks on Identity
• The basis of blockchain is self-sovereign identity
• Identity is the common denominator across all blockchains
• Digital identity means you know who or what owns the data
• Placing identity on the blockchain is strong and immutable
• Validation of identity by location – STARBUCKS example
• Blockchain builds a long trail of identity – HKID / FB ID / LINKEDIN
• If you lose your identity you can get it back on the blockchain without biometrics
Difference between Blockchain and Distributed Shared Ledger (DLT)
• With over 700 blockchain solutions on the market it is key to know this
• A distributed database is spread across multiple locations and across many computers. It can define ownership of data.
• Both DLT and blockchains are distributed databases
• Blockchains are a form of shared ledger and so have ownership.
• What identifies a blockchain over a DLT is the trust and truth properties
• This is identity, consensus and having multiple copies of each transaction, one on every computer
• For many blockchains this has caused scalability and redundancy problems, so they have returned to being a DLT.
• When you do this, trust is sacrificed. Caveat emptor.
Hash Key – DNA for DATA
How do you maintain user privacy while keeping identity on the blockchain?
• Sensitive data is not stored on the blockchain
• Instead pointers and references are used and the data is stored off ledger
• This is essential for cybersecurity and scalability
• An encrypted hash key is used that is unique and cannot be reversed
• In the same way a fingerprint identifies a person and you cannot recreate a person’s body from the fingerprint, the same applies here for data.
• As metadata is used, the data never leaves the perimeter.
• The user is now in charge of their own identity and does not need a bank.
Open versus Closed Blockchains
Is there a common platform where all identities are stored?
• There is no such identity store as it would not be scalable
• Open blockchains are public ledgers and anyone can write to them
• Private permissioned blockchains are only for a set group of users
• Financial services will adopt the private blockchains
• An exception could be microinsurance due to the nature of the sector
• There is a race to be a leader in a common standard for blockchain
• Estonia has this leadership for government
It is not all about identity but also about money efficiency and operational efficiency.
• As the owner of the account is known, one can remove the two-step process of debit and credit – only one update on the blockchain is needed to transfer money.
• International banks on a blockchain will speed up exchange and remove pseudo IDs; KYC/AML is assured and identity guaranteed.
• Sensitive data is never on the blockchain, as the customer is the one with identity ownership and needs to give permission.
• No need to store multiple identities anymore
What is the Impact of Blockchain on the Internet of Things?
• For IOT the same thing applies except we are identifying devices
• The blockchain paves the way to autonomous devices, so we can also identify the owner of the device and the data provenance.
• Enables sensor as a service to collect payments
• Blockchain is all about the data layer
• Identity of person + identity of data + identity of device.
Blockchain Sweet Spot
• Mathematics used to enable trust between parties – mutual auditability
• Secure but shared view and consensus
• Full data provenance, lineage and immutability
• Provision of comprehensive rich information (big data/AI)
• Automated verification and reconciliation
• Self enforcing contract capability (smart contracts)
Latest Cyber Trends and Accumulation Risk
Welcome to Guardtime
DATA ASSET RECOGNITION AT LAST
Cyber Security: one of the biggest problems facing Asian Companies
29 Aug 2016 – SWIFT, the global banking system is (still) under attack. “The messaging network that connects the world's banks says it has identified new hacks targeting its members, and it is warning them to beef up security in the face of ‘ongoing attacks’ – cyber attacks on banks in Bangladesh, Vietnam, the Philippines and Ecuador in which malware was used to circumvent local security systems, and in some cases, steal money”.
26 Aug 2016 – Police check Taiwan ATM hacking suspects. “The ATM heist, which was reported in Phuket, Surat Thani, Chumphon, Prachuap Khiri Khan, Phetchaburi and Bangkok, forced the state-run bank to close more than 3,000 ATMs, half of its total number of ATMs”...
24 Aug 2016 – Asian companies have world's worst cyber security says study. “Many Asian organisations are badly defended against cyber-attacks, a year-long investigation by US security company Mandiant indicates. The median time between a breach and its discovery was 520 days, it says. That is three times the global average. Asia was also 80% more likely to be targeted by hackers than other parts of the world, the report said”.
20 March 2016 – The biggest threat in 2016? “According to research by the Business Continuity Institute…recently named cyber crime as the biggest threat to business in 2016, ahead of skills shortages and terrorist attacks”.
WANNACRY GLOBAL RANSOMWARE ATTACK FRIDAY 12TH 2017
Time to compromise vs. time to discovery
Over the last decade:
• Time to compromise has decreased; 90% of attacks take less than one day
• Average time to discover a cyber attack in Asia is 1.5 years (520 days)
• For insider threats, 69% of compromise detections take more than a day; 35% take weeks or more
Source: 2014 Verizon Data Breach Report
CYBER resilience goes beyond the network to the supply chain and partners
Pricing Silent Cyber Risk
• Regulators consider 'silent' cyber risk to be insurers' potential exposure to cyber risks implicit within the broad insurance cover they provide, beyond that explicitly accounted for in cyber insurance policies such as data breach cover. This is hitting SOL II drafts.
• This is in light of more limits being put out by insurers, plus rates going down and property / casualty underwriters weighing in.
• How do you price a risk with no accumulated data over time and no loss data available, and how do you cover a hacked power grid taking down suppliers?
• There is a grave risk of underpricing as the underwriters are chasing the trends and not actuarial data.
The CISO and Underwriter Mexican Stand Off
• CISOs think underwriters should understand the tactics of the bad actors and the attack surface better.
• Also they should anticipate human error better
• Understand the highly sensitive data and why people want it.
• Understand the provenance of data
• Understand the access of third and fourth parties
The need is to move to data driven underwriting at the earliest possible opportunity.
Data Sources Do Exist
• A loss database across all lines of business in insurance – D&O, E&O, General Liability and more.
• A cyber database consisting of 350,000 events with frequency, severity, cause and cost of breach. This is expected to double every 3 months.
• A technical database with network and digital asset information that can be used for rating.
• A taxonomy based on insurance event, litigation, penalties and fines, third party costs, response information, insider involvement and subrogation.
• A company database close to S&P Enterprise Information that holds corporate details of 20 million companies.
Where Does The Data GO – MALWARE AS A SERVICE
Why We Are Discussing Cyber Risk?
• Cybersecurity is now an $8 trillion plus risk and modern security solutions do not address the problem.
• Cyber insurance is limited in many cases to entry cover, lower limits, non-acceptance by insurers, frustration from risk managers and no wording cover for physical infrastructure damage caused by cyber breach.
• With increased connectivity (e.g. connected car) there are no means to prove exactly what happened when. There is no equivalent of a photo in the digital world as there is in the commercial fire line of business.
• We need to provide mathematical certainty, an independent audit trail for all human and machine activity in digital society. This is the mitigation required.
CYBER RISK RESILIENCE
• Mandatory regulation leading to fines is a temporary solution to cyber risk; RESILIENCE is the solution and the proactive mechanism to enable organizations to prevent, resolve and recover from cyber issues in a fast manner, also reducing reputational risk as part of the process.
• The blurring of territorial boundaries by the cloud and the threat to data integrity become a challenge to maintaining and defining the auditability of what has happened, as any process is only as good as its weakest link
• The physical world used resilience and mitigation to look at natural catastrophes. This is the equivalent in the digital world. People now know they must mitigate.
MAJOR CONCERNS
• Breakdown of critical infrastructure and networks (power grids, nuclear power stations, transport systems, telecommunications, water supply, steel mills, maritime systems, and oil energy plants) leading to business interruption and economic loss. Use of smart devices M2M (machine to machine) must be well defined in the risk assessment process – OT/IT.
• Long term data corruption or loss of integrity, which can be disastrous if it goes on for a long period of time without detection, having a similar effect to IBNR (Incurred But Not Reported) claims on an insurer’s balance sheet.
• Large scale cyber attacks on Fortune 500 companies and state sponsored attacks
• A massive incident of data fraud or theft, for example in the healthcare sector.
Cyber Risk Trends 2016-2017 1st Qtr
Type – Description
• DATA – Physical loss, malicious breach – NOT DATA INTEGRITY
• PRIVACY – Un-authorised data collection – PII
• NETWORK – Network/Website Disruption
• EMERGING RISKS – Data Integrity, Email Compromise, Social Engineering
Ransomware events tripled in 2016 at least
IOT Attack Surface is Increasing
The Risk Landscape is Changing so Should the Cover
Cyber Risk 2016 by Sector – without data integrity
Business Sector – Activity
• Financial Services – Gradual improvement due to mitigation
• Healthcare – Gradual improvement due to privacy
• Retail – Very small improvement – need data integrity
• Information Services – Gradual improvement due to leak notification
• Utility/Energy – Increased risk, IOT attack surface
• Manufacturing – Supply chain risk and cyber espionage – increased risk
• Education – Increased risk for universities around IP/theft
• Government – Increased risk – social engineering and email breach
• Emerging Sectors – Operational Technology meets Information Technology
• Professional/Scientific – Increased risk of ransomware
Ransomware Issues
Payments in the USA in 2016 were $1 billion, with the rate of incidents at 4,000 per day.
• Encrypt victim data and demand payment for the encryption key
• M&A is a good target and cryptocurrencies improve bad actor success
• Victims back up the virus along with their data – it infects over time
• The solution is smart backup and retention policies to return to a clean state
• Backup vendors need to partner with cybersecurity companies
• The virus enters the data centre network when a link is clicked
• Data is usually kept intact
• The encryption key is bought with bitcoin – no central bank – no trace/track
• LOCKY
Consumer Risk – Default Settings
• A Message You Can Hug™
Business Risk
YAHOO Merger and Acquisition Discount
RATINGS STILL DO NOT INCLUDE DATA INTEGRITY
Secondary Causes of Critical Hacks – April 2017
The impact of the sirens could cause panic and create accidents, which affect a broader range of insurance policies.
Weather service interference can affect evacuation.
IOT Attack Surface is Increasing – October 2016
• Any device transmitting data on the INTERNET
• Distributed Denial of Service (DDOS)
• Flood with data and bring down the whole network
• 4% of the USA Internet down
• Insurance claim to 4% of portfolio
• Warning to the insurance industry
Accumulated Cyber Attacks in the Cloud
Risk:
• Many firms are leaner so are opting to use cloud computing, offshoring data and processes to third party firms.
• Critical functions outsourced include catastrophe modelling, actuarial analysis and compliance functions.
Impact:
• A cyber attack could affect a firm’s ability to process premiums and issue insurance contracts, affecting cashflows and covers – particularly an issue for compulsory insurances.
• A cloud service provider concentration could become a second order risk if such providers were subject to multiple cyber-attacks causing a failure of services.
Mitigation:
• Ensure and monitor that third party firms provide the security and service that they are contracted to deliver.
• Constantly monitor data integrity.
• Rectifying breaches immediately to minimise security risks is paramount.
• Limit staff use of mobile devices to minimise damage to high risk critical areas of the infrastructure.
Cyber Group Risk exposure leads to your aggregation of liabilities
• Financial fines will be assessed based on a corporation's Gross Turnover:
 – US 10% (now)
 – EU 5% (2016)
 – Asia emerging
• Class Action Lawsuits are becoming worldwide
• Your multinational footprint is your cyber attack surface without borders, and risks will involve all countries, meaning your liabilities will increase
Accumulation Risk – Regional Risk
(Diagram: Hosting Provider – $100 Mill; Electric Utility; Car Manufacturing; Factory; Retailer – $20 Mill; other exposures shown: $25 Mill, $10 Mill, $30 Mill, $15 Mill)
Fortune 500 Accumulation Risk
65% F500 use for Domain Name Service
69% F500 use for Hosting
77% F500 use for Content Delivery
REINSURANCE PORTFOLIO CONUNDRUM
• A reinsurer is presented with 10 company cyber portfolios
• How does the reinsurer know the accumulation risk?
• Risk assessments must delve deep into third and fourth parties
• These parties must be turned into trusted server providers as in Estonia
• Then they can be mutually audited
Serious International Risks
Alleged and proven cyber attacks that could
change the course of history.
Supply Chain Protection - Provenance
Give every physical product an identity (digital passport) and origin, with an auditable record of the journey, to avoid selling fake goods.
The journey of logistics, retailers and transportation is vast, and the chance of fraud or frozen supply chain error is high.
Horse Meat Scandal – limiting access to health and safety checks. Tracing fish back to the fishermen. Vulnerable target for social engineering and hacking.
Transformative Decentralised Power of Blockchain
• Non-localization: Global computer running by consensus
• Unparalleled digital security
• Perfectly auditable system
Oops, what were we thinking – we forgot the authentication layer! (Dr. Vin, Sir Tim)
Removing Reliance On Central Trusted Authority
“No matter what you do online you are trusting someone to tell you the truth – whether it is your bank giving you the statement balance, your email service provider telling you your message was delivered or your anti-virus telling you all is OK. This is why INTERNET Security is such a disaster today.”
What is Blockchain – let's avoid blocks and chains
• A Highly Secure, Tamper Proof, Shared Online Distributed Ledger
• Living on the internet, accessible to anybody who downloads it
• Allowing people, devices and data to interact and transact together
• Requires no third party involvement
• With the ability to store assets, liabilities, contracts and more.
• This gives rise to…
• Value transfer, data storage and smart contracts, which give rise to new processes/products.
• How does it work?
FUTURE BLOCKS
• Each block contains transactions (transfers from one block to another) plus data – which should not be sensitive – and an identity pointer with identity proof
• A reference to the previous block, making the block immutable
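Added example, not from the deck and not Guardtime or KSI code: a minimal Python ledger that keeps only pointers and salted SHA-256 hash keys on the chain (the sensitive records stay in an off-ledger store), links each block to the previous block's hash, and shows what a verifier sees when the off-ledger record is altered and when an insider edits the ledger entry itself. All records, pointers and owners are constructed for the example.

```python
import hashlib
import json
import os
import time
from dataclasses import dataclass
from typing import Optional


def canonical(record: dict) -> bytes:
    """Serialise a record the same way every time so its fingerprint is stable."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def hash_key(record: dict, salt: bytes) -> str:
    """The 'hash key': a one-way SHA-256 fingerprint of the record.

    The per-record salt is kept off-ledger with the data. Without it, anyone who
    reads the ledger could confirm guesses about low-entropy fields (a name, a
    policy number) by hashing candidates and comparing.
    """
    return hashlib.sha256(salt + canonical(record)).hexdigest()


@dataclass
class Block:
    index: int
    timestamp: float
    entries: list    # [{"pointer": str, "owner": str, "hash_key": str}, ...]
    prev_hash: str   # reference to the previous block: the chaining link
    block_hash: str = ""

    def compute_hash(self) -> str:
        body = {"index": self.index, "timestamp": self.timestamp,
                "entries": self.entries, "prev_hash": self.prev_hash}
        return hashlib.sha256(canonical(body)).hexdigest()


class Ledger:
    """Ledger that stores pointers and fingerprints only, never the records."""

    def __init__(self):
        genesis = Block(0, 0.0, [], "0" * 64)
        genesis.block_hash = genesis.compute_hash()
        self.chain = [genesis]

    def append(self, entries: list, timestamp: Optional[float] = None) -> Block:
        prev = self.chain[-1]
        block = Block(prev.index + 1, timestamp or time.time(), entries, prev.block_hash)
        block.block_hash = block.compute_hash()
        self.chain.append(block)
        return block

    def verify_chain(self) -> bool:
        """Every block must hash to its stored value and point at its predecessor."""
        for i in range(1, len(self.chain)):
            blk, prev = self.chain[i], self.chain[i - 1]
            if blk.block_hash != blk.compute_hash() or blk.prev_hash != prev.block_hash:
                return False
        return self.chain[0].block_hash == self.chain[0].compute_hash()

    def find(self, pointer: str) -> Optional[dict]:
        for blk in self.chain:
            for entry in blk.entries:
                if entry["pointer"] == pointer:
                    return entry
        return None

    def verify_record(self, pointer: str, record: dict, salt: bytes) -> bool:
        """Re-fingerprint the off-ledger record and compare with what the chain holds."""
        entry = self.find(pointer)
        return entry is not None and entry["hash_key"] == hash_key(record, salt)


# Constructed sample data; the sensitive fields live only in this off-ledger store.
OFF_LEDGER = {
    "policy/HK-0001": {"holder": "A. Chan", "hkid_last4": "1234", "premium": 1200},
    "claim/CL-7": {"policy": "policy/HK-0001", "amount": 5000, "cause": "water damage"},
}
SALTS = {ptr: os.urandom(16) for ptr in OFF_LEDGER}


def build_demo_ledger() -> Ledger:
    ledger = Ledger()
    for ptr, rec in OFF_LEDGER.items():
        ledger.append([{"pointer": ptr, "owner": "A. Chan",
                        "hash_key": hash_key(rec, SALTS[ptr])}])
    return ledger


def tamper_demo() -> dict:
    """Show what each kind of tampering looks like to an independent verifier."""
    ledger = build_demo_ledger()
    salt = SALTS["claim/CL-7"]
    results = {"clean_chain": ledger.verify_chain(),
               "clean_record": ledger.verify_record("claim/CL-7", OFF_LEDGER["claim/CL-7"], salt)}
    # 1. The claim amount is inflated in the off-ledger store: the fingerprint no longer matches.
    forged = dict(OFF_LEDGER["claim/CL-7"], amount=50000)
    results["forged_record"] = ledger.verify_record("claim/CL-7", forged, salt)
    # 2. An insider rewrites the ledger entry to match the forgery: the chain breaks.
    ledger.find("claim/CL-7")["hash_key"] = hash_key(forged, salt)
    results["edited_ledger_chain"] = ledger.verify_chain()
    return results


if __name__ == "__main__":
    print(tamper_demo())
```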
Separate Ledgers – Collaboration
A blockchain is a shared ledger that everyone trusts to be accurate forever – the ultimate bureaucrat. Interoperability.
(Diagram: MINE / YOURS / OURS)
Blockchain Principles
(Diagram labels: P1–P5; Ag – AGGREGATION NETWORK; TIME; BLOCKCHAIN; C1–C5 – CORE NETWORK FOR DISTRIBUTED CONSENSUS)
DISTRIBUTED CONSENSUS
“Blockchain” is a distributed database that maintains a continuously growing list of data records, chained together against revision and tampering.
“Distributed consensus” is an agreement between different compute-nodes over whether an update is correct.
As every client has a copy of the blockchain it is impossible to manipulate history.
Digital Identity and Data Ownership
Estonia
• Regained independence from the Soviet Union in 1991
• 100% Electronic Banking
• 100% Electronic Health Care
• Over 3000+ Online Government Services
• Victim of the world's first State Sponsored Cyber attack in 2007
• Headquarters of NATO Cooperative Cyber Defense since 2008
• Digital Identity mandatory for 16 years.
• Everything related to digital identity.
• E-residents have the same assurance with approved KYC/AML.
(Map: ESTONIA, RUSSIAN FEDERATION, NATO CCDCOE)
Benefits of Digitization
Easy Identification: e-Solutions simplify and benefit our lives.
BLOCKCHAIN IDENTIFICATION IS KEY BUSINESS
PROOF OF IDENTITY plus LONG TRAIL of IDENTITY (FB ID)
DIGITAL IDENTITY MEANS YOU KNOW WHO OWNS THE DATA
SENSITIVE DATA NOT STORED ON THE BLOCKCHAIN
Empowering in Estonia – Everything can be done online except for ?
• ONCE-ONLY PRINCIPLE
• NO LEGACY
• DIGITAL BY DEFAULT
• SINGLE POINT OF ENTRY
• USER FRIENDLINESS
• OMNI-CHANNEL SERVICES
• OPEN STANDARDS
• 24/7
e-Residency Become an e-Resident like 12 000 others
Over 650 new companies established in 1 year!
DIGITAL TRANSFORMATION SAVES ESTONIAN SOCIETY 2% OF GDP, ALLOWING IT TO SPEND WHERE IT REALLY MATTERS
SWIFT
THE QUEST FOR DIGITAL TRUTH – Trust vs Truth
Estonian scientists have built blockchain technology that allows the entire planet to verify EVERY event in cyberspace in such a way that the PRIVACY of each event is maintained but the integrity of events cannot be denied. Everyone can verify the integrity of events independently from those presenting them.
‘You can’t be perfect at preventing crime, but you can be perfect at detecting crime’.
What Estonia has implemented at the digital level is TRUST BUT VERIFY – independent verification of everything that happens in cyberspace.
Estonia: 100% Government Data on Blockchain – Blockchain Integration Points
Guardtime’s KSI Blockchain is implemented as an integrity layer throughout Estonian Government Networks. There is complete transparency and accountability between citizens and government.
$ 2.1 Trillion GLOBAL COST OF CYBER BREACHES BY 2019
$ ZERO COST OF CYBER BREACHES IN ESTONIA
Internet of Things - Device Immersion
• Devices need to be:
 • authenticated
 • verified
 • permitted
 • governed
 • trusted third party
 • just like people
Public (Open) vs Private (Permissioned) Blockchains – Pseudo Identity – pseudonymous
DAO Investment Hack – an autonomous investment vehicle fund managing $150 Mn. The smart contract code was the legal contract. Hacker took $60 mn and covered tracks.
Financial Services will only select private and permissioned blockchain ledgers. The individual is in charge of their own identity – permission is required to view data.
Cannot get the identity of BITCOIN back to a real person. COIN is not the CHAIN. On the blockchain no one knows you are a fridge.
Traces identity back to the real world – the concept of FACEBOOK and LINKEDIN IDs. The case of Edward Snowden.
KSI for Financial Services
Cost Saving on KYC/AML
• Data Protection and Security
• Permissioned Blockchains
• Regulatory Compliance
• Transaction trail for audit
• Non-repudiation and widely witnessed evidence
• Data can be maintained in a blockchain repository, with access controlled by the applicant. Serves as a “fast-track” for compliance by providing the most recent, cryptographically verifiable evidence to support application processing.
Consortiums
R3 B3i
• Streamline Business Processing
• Improved Policy Administration
• Faster Customer Payments
• New Investment Management
• Better Distribution of Proceeds
• Fraud Reduction
• Need Digital Identity Frameworks
Blockchain Primer
• Cryptography – Ensuring secure, authenticated & verifiable transactions
• Shared Contract – Business terms embedded in transaction database & executed with transactions
• Consensus – All parties agree to network verified transaction
• Shared Ledger – Append-only system of record shared across business network
Broader participation, lower cost, increased efficiency and fraud reduction.
MAPPING THE NEW INTERNET TO INSURANCE PROFITABILITY METRICS
Consensus + Cryptography + Shared Ledger + Shared Contract
Overlaying the blockchain protocol to the combined ratio.
Claims / Expenses / Earned Premium / New Products / Operational Efficiency
BLOCKCHAIN – Shared Ledger, Cryptography
• Secure and trustworthy digital record of transactions replicated against many distributed ledger nodes in a peer to peer network alongside cryptographic audit trails.
Consensus Model – Consensus
• A mechanism to validate a transaction via node to node communication. A transaction is committed after a consensus is achieved by a majority of participating nodes.
Smart Contracts
Pre-programmed business logic stored within the blockchain that executes the terms of the multiparty contracts. This includes identity and permission checks, auto approval and data validity checks on transactions received by the ledger. Smart contracts trigger smart business processes.
BLOCKCHAIN – Smart Contract
DAO – Autonomous Organizations
Implementation Flexibility
Both Private and Public Sector are free to use the best technology for their use-case. That can be legacy – such as traditional RDBMS systems – or ledger technology.
A single ledger makes no sense across all government services. The Land Registry does not need to come to consensus about anything with the tax department!
(Diagram – Application Layer: Land Registry – MS SQL; eHealth – Oracle; Business Registry – Postgres; eID – Ethereum; eVAT – KSI Ledger; Payments – Hyperledger. Integrity Layer: Anti-Tamper Hardware, Anti-Tamper Nodes, Virtualized Nodes, Physical Nodes; Blockchain – Immutability; APIs: time, integrity, identity.)
Blockchain Payments – what's new?
• Payments immutable on the chain – fast and free service
• Payment resides in an electronic wallet
• Multiple copies held by each customer
• Access, ownership and permission controlled by the customer
• Very powerful for the P2P market, passing the gain to the customer
• Blockchain becomes the notary of owners' assets
• Every owner has a wallet and digital signature (or hash key)
• Settlement is immediate with huge cost reduction
• Extra services made possible
The End of Credit Cards ?
• Cannot reverse or claw back digital currencies
• Independence mismatch between credit cards and crypto currency
• Credit card companies will adapt and are already doing so
• Cannot work with both on the same network – no need for a credit card
• Blockchain is unpacking the credit card, so you do not have to pay for all services
BLOCKCHAIN USE CASES IN FINANCIAL SERVICES
• Claims Handling
• KYC/AML/E-IDENTITY
• Reconciliation
• Crowd Funding
• Asset Transfer
• Audit/Compliance
• Clearing / Settlement
• Regulatory Reporting
• Cross Border Payments
• Remittance
• Interbank Clearing
• Proof of Ownership
• Title Protection
• Health Records
• Real Time Asset Tracking
• Cyber Security
FINANCIAL SERVICES PAYMENT PROOF
Application of Blockchain in the Claims Process
• Automated process for claims creation, supporting documents, invoice creation, approval/rejection of invoices and interaction of multiple parties
• Various parties can take different roles and have permissions to view data
• Smart contracts are used to automatically approve claims meeting pre-agreed conditions
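Added example, not from the deck and not any consortium's or vendor's code: a small Python model of the claims smart contract described above. It runs the checks the deck lists for smart contracts (identity/permission, data validity of the attached document against its recorded fingerprint, duplicate detection) and then the pre-agreed auto-approval conditions, over constructed claims. The role table, policy terms and documents are assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample data: who may do what, and the pre-agreed terms per policy.
ROLES = {
    "broker-01": {"submit_claim"},
    "adjuster-02": {"submit_claim", "approve_claim"},
    "viewer-03": set(),                      # may view, may not submit
}
POLICIES = {
    "HK-0001": {"active": True, "auto_approve_limit": 10_000,
                "covered_causes": {"water damage", "fire"}},
    "HK-0002": {"active": False, "auto_approve_limit": 10_000,
                "covered_causes": {"theft"}},
}


def fingerprint(document: bytes) -> str:
    """SHA-256 fingerprint of a supporting document; only this is recorded on the ledger."""
    return hashlib.sha256(document).hexdigest()


@dataclass
class ClaimTx:
    submitter: str
    policy_id: str
    amount: int
    cause: str
    doc_hash: str     # fingerprint the submitter recorded in the transaction
    document: bytes   # the supporting document, delivered off-ledger


@dataclass
class ClaimsContract:
    """Pre-programmed claims logic: permission check, data validity check,
    duplicate check, then the pre-agreed auto-approval conditions."""
    seen_docs: set = field(default_factory=set)
    decisions: list = field(default_factory=list)

    def evaluate(self, tx: ClaimTx) -> tuple:
        decision = self._decide(tx)
        self.decisions.append((tx.policy_id, tx.doc_hash) + decision)
        return decision

    def _decide(self, tx: ClaimTx) -> tuple:
        # 1. Identity and permission check on the submitter.
        if "submit_claim" not in ROLES.get(tx.submitter, set()):
            return "rejected", "submitter has no submit_claim permission"
        # 2. Data validity: the delivered document must match the recorded fingerprint.
        if fingerprint(tx.document) != tx.doc_hash:
            return "rejected", "document does not match recorded fingerprint"
        # 3. Duplicate detection: the same evidence cannot back two claims.
        if tx.doc_hash in self.seen_docs:
            return "rejected", "duplicate claim: document already used"
        self.seen_docs.add(tx.doc_hash)
        # 4. Pre-agreed conditions for automatic approval.
        policy = POLICIES.get(tx.policy_id)
        if policy is None or not policy["active"]:
            return "rejected", "no active policy"
        if tx.cause not in policy["covered_causes"]:
            return "manual_review", "cause not in pre-agreed cover"
        if tx.amount > policy["auto_approve_limit"]:
            return "manual_review", "amount above auto-approve limit"
        return "approved", "pre-agreed conditions met"


def make_claim(submitter, policy_id, amount, cause, document, doc_hash=None):
    """Helper: a well-formed claim records the true fingerprint of its document."""
    return ClaimTx(submitter, policy_id, amount, cause,
                   doc_hash or fingerprint(document), document)


def run_scenarios() -> list:
    """Walk constructed claims through the contract and return the decisions."""
    contract = ClaimsContract()
    invoice = b"invoice #1 - plumber - water damage - HKD 5000"   # constructed
    return [
        contract.evaluate(make_claim("broker-01", "HK-0001", 5000, "water damage", invoice))[0],
        contract.evaluate(make_claim("broker-01", "HK-0001", 5000, "water damage", invoice))[0],  # replayed
        contract.evaluate(make_claim("viewer-03", "HK-0001", 5000, "fire", b"doc-2"))[0],
        contract.evaluate(make_claim("broker-01", "HK-0001", 500, "fire", b"doc-3",
                                     doc_hash=fingerprint(b"doc-3-original")))[0],  # swapped document
        contract.evaluate(make_claim("adjuster-02", "HK-0001", 25000, "fire", b"doc-4"))[0],
        contract.evaluate(make_claim("adjuster-02", "HK-0002", 100, "theft", b"doc-5"))[0],
    ]


if __name__ == "__main__":
    for decision in run_scenarios():
        print(decision)
```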
Advantages of Blockchain in the Claims Process
• Reduced Costs of Claims
• Improve Speed of Payment Process
• Operational Efficiency Eliminating Errors/Duplicates
• Allow Experts to Focus on more complex claims
• Multiple Parties all Accountable on the Blockchain
• Remove Paper Inefficiencies
Key Features Beyond Cost Reduction
• Blockchain is a key enabler to help drive the insurance industry forward because of multiple consensus and auditability.
• Distributed Ledger – access to all relevant parties in the transaction
• Data Traceability – original source of information and ownership
• Processes – focus on value add activities, not data transfer
• Automation – business rules for agreement/validation/regulation
• Security – client data identified in the ledger by KSI fingerprint
• Compliance – accuracy of information for board governance
• Regulation – checks, balances and compliance
• New Propositions to Customers/Opportunities – new products
USE CASE – basic insurance cycle
Function – Block Chain Ledger Action
• Data Capture – Assets and Clients can be created/amended with a standardised set of data with ownerships clearly defined.
• Policy Creation – Agreements set up between clients and multiple insurers covering co-insurance, reinsurance and premium splits.
• Non Financial Endorsements – Asset data can be updated instantly and interested parties notified in real time.
• Financial Endorsements – Asset data acts upon changes resulting in calculated additional premium and changes in cover. Parties are notified.
• Claims – Loss event details captured, documents attached. Claim is associated to a given asset agreement and affected parties notified.
• Settlement – Billing and Receivables views showing Premium and commission values across multiple agreements.
Data Integrity Mitigation - Fraud Reduction
The Problem: Governance and Trust
1. How do I prove that vital data is authentic (original), reliable (tamper free) and from a credible source (known origin)?
2. How do I eliminate manual processes and establish automated mechanisms to ensure long-term integrity in my digital supply chain?
3. How can I prove chain-of-custody and provenance for vital data moving through my systems?
Generally, “How do I trust my data, and how can I prove it?”
End-to-end systems have no representation of veracity at the digital asset level.
Cyber Security: the problem of how to protect your data
• Explosion in cyber-espionage and enterprise data tampering
• Cyber attackers increasingly good at hiding their tracks
• Over 50% of fraud is conducted by insiders
• Management, regulators, auditors are not disclosing all attacks
• Outside the organisation: minimal validation
• Inside the organisation: validation based on procedure and trusted insiders
• Most data is assumed to be real
• Phishing, malware, electronic fraud is increasing
• Cloud computing makes “outsiders” become “insiders”
• Over US$80 Billion in cyber security equipment, software and services
• Over US$150 Billion in shifting physical paper around the world
Cyber Risk Requires Business Executive Management
5 Key Questions CEOs Should Ask regarding Cyber Risk
1. What is the current level and business impact of cyber risks to our company? What is our plan to address identified risks?
2. How is our executive leadership informed about the current level and business impact of cyber risks to our company?
3. How does our cyber security program apply industry standards and best practices?
4. How many and what types of cyber incidents do we detect in a normal week? What is the threshold for notifying our executive leadership?
5. How comprehensive is our cyber incident response plan? How often is the plan tested?
Cyber Risk is a Boardroom Responsibility and not a ‘voluntary program’
Data Model
• Confidentiality – Preventing the disclosure of information to unauthorized individuals or systems. – ID-card, Mobile-ID
• Integrity – Maintaining and assuring the accuracy and consistency of systems, data, and processes. – KSI Blockchain
• Availability – Making sure that the computing systems, the security controls, and the communication channels are functioning correctly. – X-ROAD
Data Security: The Blockchain Killer App
The Absence of Compromise
SECURITY MODEL: CONFIDENTIALITY, INTEGRITY, AVAILABILITY
SWIFT – blockchain
• Truth can be measured – it means undeniable independent proof, which can be proven forensically in a court of law. Truth, not trust, is essential for any network, enterprise, or data storage asset – its operation and interactions with the data being hosted should be able to be independently verified with forensic proof that holds up in a court of law. The organisations hosting the data are not involved in the verification process. Mutual auditability and non-repudiation. The basis of who is liable.
Providing a “digital chain of command over events” is a major part of the resilience process and provides the truth, making networks and the INTERNET attributable.
Who is responsible ?
8
4
85
Using Secrets for Integrity is a BAD idea
PKI
Throughout the 1990s what mattered was confidentiality of data in motion, not the integrity of systems. With IoT, cloud and mobile devices the integrity of systems and supply chains has come to the fore.
(Diagram: Organization A, Organization B, Organization C; private key; public key.)
Cloud
“How do I comply with the law and trust my mission critical processes to an outsourced vendor who has little if any accountability?”
Widely Witnessed Evidence
There must be transparency and accountability if indemnification is to be identified when a mishap or compromise occurs: who was responsible, and can the evidence be irrefutably proven in a court?
Today, how can you possibly trust the service provider to say, ‘it’s not our fault, we are not liable’, when there is no evidence to confirm or contradict the statement, and what little evidence remains and might be presented is entirely shaped from the perspective of that service provider?
Auditors provide little confidence as they also rely on the same evidence, which can be erased without attribution by the responsible party.
Why Does Integrity Matter?
Integrity breach vs confidentiality breach:
Your car: your braking system stops working / your braking patterns are exposed.
Your flight: your plane’s instruments report that you are 1,000 feet lower than you actually are / your flight plan is posted on the Internet (note: it already is).
Your local power station: critical systems compromised leading to shutdown and catastrophic failure / your electricity bill is published online.
Your pacemaker: shutdown and death / your heartbeat becomes public knowledge.
Your home: your security system is remotely disabled / the contents of your fridge are ‘leaked’. You drink how much beer?
The Estonian Challenge: A New Form of Meta-Data
Based on the lessons learned from the 2007 state-sponsored cyber-attacks, Estonian scientists were set a challenge: design and build a tagging system for electronic data which could prove the time, integrity and identity (human or machine) without reliance on centralized trust authorities. Data must stay in the country.
Keyless Signature Infrastructure (KSI)
(Diagram: data plus signature.)
Cryptographic Hash Functions
A hash function takes arbitrarily sized data as input and generates a fixed-size bit sequence as output that is, in practice, unique to that input.
One-way only: reversing is infeasible.
(Diagram: input data, hash function, hash value.)
The hash value is the digital fingerprint of the input data!
Independent verification of the integrity of policy documents away from hosting entities.
(Diagram: a file and its signature.)
Signature anywhere, validated periodically, whenever it is important to be aware of any data breaches as early as possible.
Solution to the Integrity Problem: Register Digital Assets in the Blockchain
• KSI signatures, linked to the blockchain, enable the properties of data to be verified without the need for any trusted third parties, keys or credentials that can be compromised (as we see in the news every day).
• Upon verification, a KSI signature allows one to assert:
• Signing time
• Signing entity
• Data integrity
© 2015 Fuji Xerox Co., Ltd. All rights reserved.
Estonia Blockchain
Every second, the hash values of newly created data are submitted into a hash tree. A unique hash chain is returned which can later be used to prove that the hash value participated in the computation of the root.
Every second a new hash tree is built with new data, and only the root hash values are kept in a public Blockchain to which everyone has access.
The Blockchain grows at 1 hash value per second – or 2GB per year using SHA-256.
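The per-second aggregation described above, and the "signature anywhere, validated periodically" idea from the earlier slide, as an added example that is this editor's own toy model and not Guardtime's code: hash values become leaves of a Merkle tree, each client gets back its hash chain, only the root goes into a calendar of roots linked to the previous root, and a file is later verified against the published root (all class and function names are this example's own).

```python
"""Toy model of per-second KSI-style aggregation (added example, not
Guardtime's code): every second the submitted hash values become the leaves
of a Merkle hash tree; each client receives a hash chain (the sibling hashes
on its path to the root); only the root is kept, hash-linked to the previous
root in a calendar blockchain."""
import hashlib
from dataclasses import dataclass
from typing import List, Tuple


def sha256(*parts: bytes) -> bytes:
    h = hashlib.sha256()
    for part in parts:
        h.update(part)
    return h.digest()


@dataclass
class HashChain:
    """What a client gets back: its leaf, the sibling steps up to the root and
    the index of the one-second round the leaf was aggregated in."""
    leaf: bytes
    steps: List[Tuple[bytes, bool]]  # (sibling hash, sibling is on the left)
    round_index: int


def build_round(leaves: List[bytes], round_index: int):
    """Aggregate one second's worth of hash values into a Merkle tree.
    Returns the root and one HashChain per submitted leaf."""
    if not leaves:
        raise ValueError("a round needs at least one hash value")
    level = list(leaves)
    groups = [[i] for i in range(len(leaves))]   # leaf indices under each node
    steps: List[List[Tuple[bytes, bool]]] = [[] for _ in leaves]
    while len(level) > 1:
        if len(level) % 2:              # odd count: pair the last node with a
            level.append(level[-1])     # copy of itself that has no leaves
            groups.append([])
        next_level, next_groups = [], []
        for i in range(0, len(level), 2):
            left, right = level[i], level[i + 1]
            for leaf in groups[i]:
                steps[leaf].append((right, False))
            for leaf in groups[i + 1]:
                steps[leaf].append((left, True))
            next_level.append(sha256(left, right))
            next_groups.append(groups[i] + groups[i + 1])
        level, groups = next_level, next_groups
    chains = [HashChain(leaves[i], steps[i], round_index) for i in range(len(leaves))]
    return level[0], chains


class Calendar:
    """The public blockchain: one root per second, each entry hash-linked to
    the previous one so history cannot be rewritten undetectably."""
    def __init__(self) -> None:
        self.roots: List[bytes] = []
        self.links: List[bytes] = []

    def commit(self, root: bytes) -> int:
        prev = self.links[-1] if self.links else b"\x00" * 32
        self.roots.append(root)
        self.links.append(sha256(prev, root))
        return len(self.roots) - 1

    def consistent(self) -> bool:
        """Recompute the link chain; an edited or deleted root breaks it."""
        prev = b"\x00" * 32
        for root, link in zip(self.roots, self.links):
            prev = sha256(prev, root)
            if prev != link:
                return False
        return len(self.roots) == len(self.links)


def verify(data: bytes, chain: HashChain, calendar: Calendar) -> bool:
    """Independent verification: recompute the path from the data's hash to
    the root and compare it with the root published for that second."""
    node = sha256(data)
    if node != chain.leaf:
        return False
    for sibling, sibling_is_left in chain.steps:
        node = sha256(sibling, node) if sibling_is_left else sha256(node, sibling)
    return chain.round_index < len(calendar.roots) and calendar.roots[chain.round_index] == node


def demo():
    """Constructed sample: three policy documents registered in one second."""
    calendar = Calendar()
    docs = [b"policy 0001 (constructed)", b"policy 0002 (constructed)",
            b"claim 0003 (constructed)"]
    root, chains = build_round([sha256(d) for d in docs], len(calendar.roots))
    calendar.commit(root)
    genuine = all(verify(d, c, calendar) for d, c in zip(docs, chains))
    tampered = verify(docs[1] + b" (altered)", chains[1], calendar)
    return genuine, tampered, calendar.consistent()
```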
(Diagram: the Ministry of Justice, Estonia, RIA, RIK, the eHealth Foundation, the Ministry of Education and the Ministry of Finance submit hash values to the global aggregation tree and receive hash chains back; the tree root goes into the blockchain.)
Cyber Mitigation and Resilience with Estonia KSI®
Risk action timeline: prevention, then detect, respond, recover.
INVENTORY (prevention with a clean slate): record digital assets in the Blockchain; insurance inventory for digital assets; Cyber Risk Assessment Service; corporate assets.
DETECT: continuously verify that the network is free of compromise; Blockchain-based real-time alert upon compromise; pre and post observational support.
RESPOND: notify the insurance provider that there has been a compromise; make real-time decisions from the KSI-based real-time integrity information and identify the assets compromised.
RECOVER: fix the problem and then restore the network to the original state; automated processes for eDiscovery and subrogation.
KSI Blockchain Key Advantages
KSI is laser focused on Data Integrity at Scale. Our approach solves two major problems present in every other blockchain.
Scalability: other blockchains grow according to the number of transactions they process. The KSI blockchain grows steadily over time, regardless of the number of transactions.
Commitment time: KSI consensus is achieved synchronously by permissioned nodes. No Proof-of-Work is used and a new commitment occurs each second.
Billions of individual events can be secured each second.
Minimal storage, compute, and network overhead.
Business Interruption Insurance
Requirement for a Standalone Cyber Policy
• The multiple patchwork product design we have today is not adequate
• There is a big need for CBI/BI based on data compromise
• IP Theft Products – in manufacturing, cyber is espionage driven, with trade secrets, business plans and IP being stolen.
• Hackers let others pay for the R&D and then steal and sell it on the dark web.
• Mitigation in the policy wordings is required for data integrity
Cyber (Contingent) Business Interruption
• First, Third and Fourth Party Damage – accumulation risk
• Regulatory Consequences
• Operational Technology (OT) meets Information Technology (IT)
• Increasing use of Devices and Internet of Things (IOT)
• Increased risk of critical infrastructure attacks
• Reputational Loss + (C)BI + Liability Claims Costs – economic disaster
• Because of Reputational Risk the data is not made public
Cyber Risk Mitigation
• Lack of understanding of the complexity of the risk, especially data integrity
• Without data integrity there is no complete risk management framework
• The company runs the risk of a customer identifying tampered data before the business does
• This leads to an increase in legal reserving and/or government fines
• Post-breach action only mitigates further damage
• Pre-breach action is essential before risk transfer – early warning and monitoring
• BI is key to it all – financial health check, service provider checks, network infrastructure plus loss scenarios and modeling
• Rating for underwriters 400 – 700 range.
Data Compromise BI
• The silent threat – the time from compromise to discovery
• The physical network can be covered, as the effects on the network and partners are visible
• As insurance is based on a time deduction linked to discovery, mitigation is required
• Serious threat to the economic and digital supply chain
• Data must be signed by KSI in order to get notification
• All parties involved should be linked on a blockchain for maximum fraud reduction
COMPLIANCE AS A SERVICE – ALL LINES OF BUSINESS
• A bank is like an onion
• Many layers protecting the centre from bad actors
• Regulators and auditors are good actors that need to see the centre
• Peeling away the layers for compliance and audit is very expensive.
• Blockchain time-permissioned access saves money.
(Diagram: bank node.)
Transformation Theme Example - Genome
• There is nothing more important than medical research to save lives
• Genomic data from the masses is required to do this research
• Many ethical and privacy issues arise with genome data
• This affects people’s lives, medical research and new insurance products
• Authorities have declared that genome data is not allowed to be owned
• Because of privacy concerns, data is often kept hidden by not testing.
• We will return to this during the course of the presentation.
How Could Blockchain Address the Genome Privacy Issue
• We can draw a parallel with the previous slide on land titles
• Holding genome data on a proper blockchain would give the patients and the medical industry the principles of privacy and ownership.
• The genome data can be hidden unless permission is given for someone to see it, and anonymous data for the population can be created for medical advancement. Interoperability of open and closed blockchains.
• Genome data is highly sensitive and can lead to the denial of health insurance
• Big data analytics of the genome data is important for medical progress – each file is 5-6 GB.
• Blockchain protocol can solve the conflict between privacy and scientific research. Science gets the metadata, and sensitive data is stored off ledger.
Exponential Technologies – Augmentation of AI and Blockchain
Blockchains and Ledgers
BLOCKCHAIN (data level protocol) provides: Integrity / Immutability, Provenance.
LEDGER (transaction level protocol) provides: Shared View of the World, Consensus.
Distributed Ledger Technology solves two problems: “Integrity” or “Immutability” and “Shared View of the World”. In Estonia these are split into two different functions – blockchain and ledger.
An exponential technology is one that doubles in speed every year or halves in cost every year – Singularity University
BLOCKCHAIN MEETS AI/MACHINE LEARNING
Exponential Effects
• In the short term a small sum of money will buy technology with the cognitive power of the brain.
• Medium term this sum will buy the cognitive power of all brains on the planet.
• Technology creates more touchpoints with the customer, so new players can enter the market.
• INSURETECH will bring in the smart device as the virtual insurance agent e.g. TROV.
• This will shake up traditional underwriting through behavioral analysis.
• New generation customers have shorter attention spans
• Addressing the protection gap in the micro sector
Paving the Way for Operational Efficiency
Operational Efficiency: Transfer of Assets – no Middleman
(Diagram: trusted identity to trusted identity, transfer of assets.)
• Eliminate the inefficiencies and bottlenecks of the past
• Remove batch processing systems completely
• Real time authentication and approval
Cryptographic Chain of Custody: Insurance – Home Environment
KSI Blockchain can be used to create a chain of custody, establishing when, and by whom, data was touched or modified during each step in processing a transaction.
This applies to the whole home environment – connected car, INTERNET light bulbs, smart cities, connected homes and MGA coverholders at Lloyds.
When claims payment processing data is saved to disk, KSI verification proves that the data has not been changed while it was vulnerable.
(Diagram: event, processing step, reference to original, processed data, archival.)
Basic Claims Payments Use-Case – the premise of a signed block is hard to get – speed and cost are the beneficiaries.
Assets: can be defined by any permissioned user; they are textual contracts and are represented by their hash value.
Transactions: are the main type of activity, and represent a transfer or payment of a quantity of an asset, in this case the claim, from one Ledger Account to another, and represent a change in the claim on assets held at the Settlement company.
Issues: using smart contracts in a smart secure container. This is known as the DLT wallet. Ownership is now controlled by the customer.
Accounts: represent an entity’s balance of an Asset. An Account relates to one specific asset; multiple Accounts are needed for multiple Assets.
(Diagram: ledger and blockchain.)
Estonian Government – e.g. death certificates / land titles
Electronic records and associated metadata are chained to the previous record, signed and stored in a database.
• Provable ordering
• Impossible to delete a record undetectably
• Metadata provides attribution and government transparency
• Monitored and verified in real-time
(Diagram: each record consists of a scanned paper document, an XML metadata summary and the hash of the previous record; consecutive records are linked through that hash.)
Keyless Signature Infrastructure
Big Data Blockchain Concepts:
Immutable Ledger: impossible for anyone to tamper with the ledger, and any data tampering can be easily detected.
Decentralized Consensus: ability for auditors, law enforcement or third parties to independently verify asset veracity.
Universal Time Source: time is an inherent property of the system, so events can be unified across distributed systems.
100% Accountability: data events are captured and record time, integrity of asset and signer origin.
Veracity at Scale for Data at Scale
Enabling Big Data Regulatory Compliance: legal hold, chain of custody, e-discovery, long term archival, data assurance, forensic readiness, provenance, legal implications.
Irrefutable Chain-of-Custody & Process Compliance
Proof of compliance, reduced fraud, duty of care, cyber risk mitigation, immutable records.
(Diagram: each record carries a Globally Unique Identifier (GUID), e.g. 86e26a50-54d8-4bb4-99c3-e114e85f777d.)
Provable Data Provenance Allowing Data & Metadata to be Fully Traced.
Data Supply Chain Provenance
Bilateral Blockchain Provenance
(Diagram: Entity “A” and Entity “B” each hold a record carrying the same Globally Unique Identifier (GUID), 86e26a50-54d8-4bb4-99c3-e114e85f777d.)
Data is Cryptographically Linked Even Across Organizational Boundaries, But Confidentiality Has Been Maintained.
Streamlined Cross-Organizational Document Settlement & Reconciliation
Data Provenance for Software Supply Chain – Demonstration
Enabling Veracity the 4th V of Big Data with Blockchain – IOT / IOAT
Enabling Forensics
Regulatory Compliance
Data Tagging
Digital Supply Chain Integrity
Digital Chain of Custody
E-Discovery
Data Bunker Integrity
Enabling Data Assurance
Data in Motion is moving to data at rest
DIGITAL ASSET VERACITY
Hadoop provides no representation of veracity at the digital asset level.
VS
KSI introduces a blockchain-based standard of veracity at the level of digital assets, which make up the valuable data capital for an organization.
The Provenance Graph is a great invention for insurance out of blockchain technology.
Capabilities: Native Hadoop Integration, Register at Ingestion, Continuous Verification, Indefinite Term Proofs, Evidence Export, Provenance Graph.
(Diagram: digital fingerprint + metadata from the Internet of Anything and enterprise data sources is signed at ingest (in-field signing, enterprise integration), registered with the central blockchain service over an HTTP API, continuously verified, and can be verified externally (Financial Times); the results are integrity, authenticity and non-repudiation, feeding analysis & insights, industrial scale blockchain apps, the SOC and governance uses: chain-of-custody, legal hold & archive, e-discovery / forensics; Apache Hadoop, enterprise and cloud.)
Defensible End-to-End Lineage
Data Provenance at Scale for Data Lakes and Surrounding Data Ecosystem
IoT Data Supply Chain Provenance
Regulatory Issues
The Issue at Hand
• Does Insurance Regulation Adequately Reflect Cyber Risk? Answer: no.
• A relatively new type of risk that is huge in magnitude and sits squarely in the operational risk area of the spectrum
• It is too big to leave in the catch-all operational risk bag and needs to be pulled out into the ORSA, similar to cat risk.
• A huge lack of data has put up barriers. Incident data needs to be provided.
• Solvency II / RBC is not driving changes in models
The Solvency Risk Dashboard (extract)
BOARDROOM REPORTING - ORSA
CYBER RISK MANAGEMENT STANDARDS
FIRSTLY CYBER RESILIENCE NEEDS TO BE ADDRESSED TO ACHIEVE THIS SHIFT
Enterprise Risk Profiling
Source: Zurich
CYBER AND DATA RISK CURRENTLY BELOW THE RISK RADAR
Capturing the Dynamics of Business within the overall Business Cycle
Economic Environment – Market Risk: inflation indices, bond yields, spreads, stock indices, FX rates.
(Diagram: assets, liabilities, free capital.)
Strategies: risk transfer, risk-taking, asset allocation, capital structure, diversification.
Product Liability Risk: reputational risk, brand assurance, D&O/E&O, business interruption, IP theft.
Asset Risk: treasury / municipal bonds; corporate bonds (by sector, by rating); equities (by sector); real estate; swaps; call / put options; cash deposits.
Credit Risk: bond defaults, third party defaults, recoverables.
Operational Risk: privacy, fraud, physical infrastructure, catastrophe risk.
Liquidity Risk; Group Risk; Asset Liability Mismatch.
DATA AND Cyber Risk is Buried in Product Liability and Operational Risk
Uses of Internal Capital Model
Economic Capital Model: supply chain risk; risk taking strategy; capital allocation & performance measure; investment management; risk transfer design; rating agencies & regulatory compliance.
Once built it can be recalibrated and re-run on a regular basis. Modelling provides benefits for:
– Risk Transfer efficiency
– Risk taking strategy
– Communication with regulators
– Impact of M&As
– Capital adequacy of industry
Explore correlation and diversification of all kinds, such as cyber risk
Regulatory Models with the Blockchain
• How will industry consortiums interact with regulators?
• Will regulators act as another node on the network so as to have permissioned access in real time to the ledger?
• Will a SUPER Regulator be required as regional nodes are shared to review systemic risk?
• Global Regulation vs Regional Regulation via consortia.
• Leveled model where all regulators share a private ledger
• Cannot regulate a technology, but the blockchain is a protocol spawning activities that can be regulated
• Right now there is no regulation for financial services outside of regulatory sandboxing
• There are existing laws related to smart contracts for commercial trade: KYC/AML, data privacy/breach
Independently Verifiable by Regulators
Regulatory Arbitrage and the Blockchain
There is a convergence of law and technology.
How to stop computer code overriding legal rules when regulating INTERNET users?
Is the code the law or is the law the code (LESSIG 1999)?
Driven by digitization and automation of legal provisions into computer code.
Blockchain has been described as the codification of the law.
Designers are private, so jurisdiction is taken beyond the INTERNET.
Arbitrage is the finding of clever and subtle ways of avoiding established regulations.
This was the basis of Libertarian distrust with BITCOIN.
People arrange their affairs so they evade domestic regulations by structuring their communications and transactions to take advantage of foreign regulatory regimes. Regulatory arbitrage reduces the policy flexibility of nations by making domestic rules difficult to enforce.
Blockchain Solutions for GDPR
DS v1.3 February 2017
EU General Data Protection Regulation (GDPR)
GDPR In a Nutshell
Is it a big deal? YES - "the most significant change to European Union (EU) privacy law in two decades"
What is it? EU Law - tough new legal requirements for organisations relating to privacy and data protection of the personal data owned by EU individuals
Applying where? Applicable to any organization, no matter where it resides, that handles the personal data of European Union residents or citizens, no matter where they reside
When does it apply? 25th May 2018
Enforcement? YES – the legislation has teeth. Fines up to 4% of global turnover or EUR 20 million can be administered by the Data Protection Authorities (DPA). Announced and unannounced audits.
Do I need to do something? YES – it will be a legal requirement to demonstrate a ‘privacy by design and data minimisation’ approach if your business handles the personal data of EU citizens. There are new legal requirements and new rights for individuals for organisations to abide by.
Can KSI help? YES – blockchain technology is ideally suited
GDPR – New Rights of the Individual re their Personal Data
GDPR includes:
Right to be Informed: right to be informed of the personal data you hold, of how you use it, of any breach, and of any disclosure or usage to third parties.
Right to Access: right to access one’s own personal data, and any processing or sharing details.
Right of Consent: right to withdraw consent or restrict the processing or sharing of their data, including for the purposes of direct marketing. Explicit and unambiguous consent must be obtained.
Right to be Forgotten: right to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
Right to Correct: right to rectify data if inaccurate or incomplete.
Right to Data Portability: a copy of the data held may be requested by the individual.
EU comment: “people can be sure they are in control of their personal information”
Regulation Summary
• Regulatory frameworks account for risk mitigating measures and a reduction in capital requirement.
• Operational cyber risk is about betterment and education
• Currently SOLII and RBC only treat cyber risk in a crude way
• Regulatory Arbitrage is an issue for regulators
How Data Security will pay for itself if this was a $50M USD company a year
• In 2012, Cyber Ins was $5K per $1M USD coverage – max $200M limit of coverage
– Privacy and perimeter only
– No data centric model considered
– Mega breaches happened and raised risks
• Now, $50K per $1M USD – max $500M USD – with caveats
– Need mitigation resilience with KSI
– Need data centric integrity to prove a lower risk is tolerated
• Data Integrity can be covered by the costs of reducing risk
(Chart: with mitigation vs without mitigation, ~$3M USD.)
1 in 200 Worst Case Scenario = 99.5% chance of survival = 0.5% chance of bankruptcy
The Black Swan Event – Cyber 9/11
• We all believe this will happen but do not know when, and cannot put a return period on it like earthquakes, e.g. a 1 in 500 year event.
• Cyber is high frequency and right now relatively low severity, but a larger correlated cyber-attack of black swan proportions, meaning long-term corruption of data, a physical infrastructure attack and a major fraud/forensics incident, is high frequency and high severity. An example is a printer fire in 2 million buildings.
Reliance on Firmware – IOT Issues
• Foreign imported chips can contain malware
• Spreads to Multiple Manufacturing Devices
• Connected car, health wearable, industrials
• If hack is foreign cyber espionage then
many insurance policies exclude act of war.
Recent Development
• Press Releases
• RMS and AIR Launch New Data Standards for Managing Cyber Insurance
• Cyber Exposure Data Schema provides open standard for insurance industry
• NEWARK, Calif. – January 19, 2016
• April 2017 – one step further to the supply chain
• Only physical – need to overlay data integrity
Case Studies – All Lines
Marine Insurance Ledger
Direct-to-consumer Insurance for the Marine Industry
• Enabling improved pricing of risk based on trusted data
• Integrated Ledger and IoT stack
• Reduce claims fraud
• Improve capital utilization
• Enables trust/consensus between insurers
(Diagram: different premiums for different specific risks. Home port: basic insurance level. Dangerous waters + valuable cargo = large premium. Safe waters + regular cargo = usual premium. Foreign port: additional premium.)
The marine shipping and insurance industry is facing significant operational challenges … a sample ecosystem scenario
Key Challenges
Shipping industry:
► Complicated supply chain with multiple pain points
► Fragmented shipping company landscape
► Overcapacity driving worsening profitability
► Declining freight rates, and inefficient voyages
Marine insurance:
► Declining by 5% annually (since 2012) and is fragmented
► Insurers (and brokers alike) struggle to accurately capture cargo data
► Majority of insurer headcount (~50-55% of FTE) is dedicated to administrative / reconciliation activities
Marine ecosystem
Marine shipping co.: Shipping Company
Shipping supply chain: Manufacturing/sourcing, Wholesalers, Distributors, Ports, Government bodies, End consumer
Financial services: Insurance – Brokers/intermediaries (AON, Willis, JLT); Insurers (P&I clubs, Lloyds, The London); Loss adjusters (Crawford); Reinsurance (Swiss Re, Munich RE); Banks – Financing (HSBC, Bank of America); Commodities trading (Bunge, ADM)
Blockchain offers an opportunity that allows connecting parties to align around distributed ledgers for real time and accurate data access
(Diagram: asset ledger and lifecycle. External/IoT sources – shipping company and end clients, port authorities, vessels, containers, client goods, bills of lading – provide data feeds based on the data dimensions of assets, contextual. Trigger point lifecycle: add/update client data, loan amounts; add/update asset; material declarations and premium levies based on asset value and value of goods; claims notifications; cascade of smart contracts including facilities capital; settlement trigger. Private data stores and ledger access: broker database; insurer and captive database; insurer views of commercial data and transactions; broker view of client and insurer ledgers; ship owner view of assets. Parties: reinsurers, brokers, insurers, shipping co., shippers.)
What the ledgers offer
Recordkeeping: to act as an immutable repository of information and ownership
Verify information: to reduce fraud and speed up KYC
Smart contracts: to enable self-executing and self-enforcing contracts
Dynamic register for platforms/exchanges: execution or access to data related to transactions between parties
Summary and Key Findings
Blockchain is a key enabler to help drive the marine industry forward given its properties are all about multiple consensus in a market which has to deal with ambiguity associated with multiple insureds, chartered vessels, multiple jurisdictions etc.
Blockchain is not the answer in isolation and not needed for every problem – we recognise the need to bring it together with consensus models, applications and other storage platforms to drive an end to end model, which is what we have tried to simulate.
Key features needed
Distributed ledger access to all relevant parties in the business model
Data traceability – multiple marine clients and their sources of information locked down at source
Processes – allow brokers and insurers in particular to focus only on value-add activities and not on the transfer of data
Automation – use of business rules to drive validation and agreement with multiple parties
Security – client data can live “off the ledger” at source but with fingerprint
Key benefits required for industry beyond cost reduction are:
Compliance – accuracy of client information added and made available for brokers and insurers, including timeliness of material disclosures (particularly where breaches can occur)
Regulation – accurate data captured at source to drive exposure modelling, sanctions checks and tax
New propositions to end clients – specific to client needs (either tailored to existing clients, or developing new opportunities for new clients or client groups)
Application of Blockchain in the Claims Process
• Automated Process for Claims Creation, Supporting Documents, Invoice Creation, Approval/Rejection of Invoices and interaction of Multiple Parties
• Various parties can take different roles and have permissions to view data
• Smart Contracts are used to automatically approve claims meeting pre-agreed conditions
• Staff are freed to concentrate on more complex claims.
AssureNet – Guardtime Collaboration
Connected Car Dashboard
Keyless Signature Infrastructure
• ClearView ‘Big Data Platform’ – 4000 NYC TLC vehicles
• Managing ‘connected car’ sensor data – Aftermarket & OEM
• Integration w. Insurance & Regulatory Systems and Services
• Qualcomm and Georgia Tech Research partnerships
• Every Human or Machine-driven Event is Registered in the Blockchain
• Blockchain-based Claims Processing
• Enables Trust and Prevents Fraud in Claims Handling
• Guarantees Data Privacy & Veracity
• FOTA/SOTA Ledger & Risk Management – Secure Vehicles!
Cryptographic Chain of Custody: Insurance – Car Home Environment
KSI can be used to create a chain of custody, establishing when, and by whom, data was touched or modified during each step in processing a transaction.
When claims payment processing data is saved to disk, KSI verification proves that the data has not been changed while it was vulnerable.
(Diagram: event, processing step, reference to original, processed data, archival.)
Underpinning the Telematic Risk
(Diagram: KSI BLOCKCHAIN underpinning the telematics CPU, telematic devices, the industrial IoT cloud, the insurer, reinsurers and the Managing General Agent (MGA).)
New products, new distribution and data lineage as a guarantee.
Blockchain offers an opportunity that allows connecting parties to align around distributed ledgers for real time and accurate data access in the processing of a death claim.
(Diagram: asset ledger. External/IoT sources – hospital, hospice, place of death – provide data feeds based on the data dimensions of assets, contextual. Participants: beneficiary, government registrar, funeral home, insurance company, intermediary, hospital, TPA, reinsurers, brokers, insurers. Private data stores and ledger access: broker database; insurer and captive database; settlement trigger.)
What the ledgers offer
All participants have a copy of the shared ledger. This reduces tampering and reduces fraud. End to end auditability, and a trace of ownership.
Verify information: to reduce fraud and speed up KYC
Smart contracts: to enable self-executing and self-enforcing contracts
Dynamic register for platforms/exchanges: execution or access to data related to transactions between parties
$ ZERO LOST TO HEALTHCARE FRAUD IN ESTONIA
$ 272 Billion LOST IN USA TO HEALTHCARE FRAUD EVERY YEAR
Estonian National Health Care
• In an emergency, the difference between A and B blood type is life and death.
• KSI blockchain instrumentation enables users of the Patient Information System to be 100% certain of the accuracy of all the retrieved records.
UAE Health Care
In Estonia and soon to be UAE, every medical record and every access to medical records is registered
in the blockchain, effectively eliminating fraud as access and use of medical records can be verified.
Blockchain value proposition spans insurance, transportation and manufacturing industries
• Liability and Subrogation Management: Addresses the fundamental question: Who is liable in the event of an accident? The blockchain provides immutable proof of what happened. With that certainty, liability can be attached and subrogation claims can be automated.
• Blockchain Based Claims Processing: Automated claims processing utilizing high fidelity data becomes possible, speeding up settlement times and dramatically reducing claims fraud.
• Security Operations: Continuous monitoring of in-network firmware, software and configuration parameters, triggering alerts in the event of malicious or out-of-policy updates.
• Software Supply Chain: End-to-End management of the software supply chain for firmware and software in each device on the IOT network.
• Warranty Claims Management: The integration of KSI Blockchain enables insurers to have a complete and accurate picture of warranty validity at any point in time.
• An Immediate Early Warning System for Vehicle, System and Component Failure
CYBERLIABILITY MANAGEMENT use case: connected car or ship
NETWORK ATTACK VECTORS: enterprise, OEM, grid, web, roadside, home
SERVICES: A/V content, telematics, diagnostics, ADAS, DSRC
• Application and SW tamper events are detected in real-time.
• ECU reporting of compromise.
• Roll-back of SW & configuration to known trusted state.
• Real-time SW verification.
• Real-time tamper detection.
• Real-time mitigation and integrity monitoring of functions.
• Benefits:
› Real-time monitoring of the software and data uploaded to and / or executed on the connected vehicle.
› Forensic traceability of data in case of disputes – the ability to pinpoint liability, independent proof of what happened when.
Continuous Monitoring
Using an agent on the vehicle, a hash of each firmware / software component is generated and that hash value is used as a lookup in the ledger. The signature is extracted from the ledger and verified against the blockchain.
157
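The lookup-and-verify flow on the slide above (and the "Security Operations" alerting bullet a few slides earlier), as an added worked example. This is constructed illustration code, not Guardtime's KSI implementation: it stands in for the ledger with a Merkle tree over the SHA-256 hashes of the approved components, treats the tree root as the value that gets published (the "blockchain" the agent verifies against), and treats each component's inclusion path as its "signature". The component names and image bytes are placeholders, and the published root is taken from the ledger only because this runs offline; in a real deployment it would come from an independent publication channel.

```python
"""Constructed example: firmware/software integrity check against a hash-tree ledger.

Stand-in model of the slide's flow (not Guardtime's KSI code): each approved
component is hashed, the hashes are aggregated into a Merkle tree, the tree
root is what gets "published" (the blockchain value), and each component's
"signature" is its inclusion path from leaf to root.
"""
import hashlib
from typing import Dict, List, Tuple

# (sibling hash, sibling sits to the right of the running node)
Proof = List[Tuple[bytes, bool]]


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def build_levels(leaves: List[bytes]) -> List[List[bytes]]:
    """Bottom-up Merkle levels; an odd-sized level duplicates its last node."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        level = levels[-1]
        if len(level) % 2:
            level = level + [level[-1]]
        levels.append([sha256(level[i] + level[i + 1])
                       for i in range(0, len(level), 2)])
    return levels


def inclusion_proof(levels: List[List[bytes]], index: int) -> Proof:
    """Sibling hashes needed to recompute the root from leaf number `index`."""
    proof: Proof = []
    for level in levels[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]
        sibling = index ^ 1
        proof.append((level[sibling], sibling > index))
        index //= 2
    return proof


def verify_proof(leaf: bytes, proof: Proof, root: bytes) -> bool:
    """Walk the inclusion path; True only if it lands on the published root."""
    node = leaf
    for sibling, sibling_on_right in proof:
        node = sha256(node + sibling) if sibling_on_right else sha256(sibling + node)
    return node == root


class Ledger:
    """Lookup table: component hash -> its inclusion proof, plus the tree root."""

    def __init__(self, components: Dict[str, bytes]):
        names = sorted(components)
        leaves = [sha256(components[n]) for n in names]
        levels = build_levels(leaves)
        self.root = levels[-1][0]
        self.proofs = {leaf: inclusion_proof(levels, i) for i, leaf in enumerate(leaves)}


def check_component(ledger: Ledger, published_root: bytes, observed: bytes) -> str:
    """What the on-vehicle agent does: hash, look up, verify against the published root."""
    leaf = sha256(observed)
    proof = ledger.proofs.get(leaf)
    if proof is None:
        return "ALERT: hash not in ledger (unknown or modified component)"
    if not verify_proof(leaf, proof, published_root):
        return "ALERT: ledger proof does not reach published root (ledger tampered)"
    return "OK"


# Constructed sample firmware images (placeholder bytes, not real vehicle code).
APPROVED: Dict[str, bytes] = {
    "ecu-engine.bin": b"engine-control v1.4 (constructed)",
    "ecu-brake.bin": b"brake-control v2.0 (constructed)",
    "infotainment.img": b"infotainment v7.1 (constructed)",
}
LEDGER = Ledger(APPROVED)
PUBLISHED_ROOT = LEDGER.root  # offline stand-in; normally obtained out-of-band, never from the ledger copy


def run_checks() -> Dict[str, str]:
    """Three scenarios: genuine component, modified component, rewritten local ledger."""
    modified_image = b"brake-control v2.0 (modified)"
    results = {"genuine": check_component(LEDGER, PUBLISHED_ROOT, APPROVED["ecu-brake.bin"])}
    results["modified"] = check_component(LEDGER, PUBLISHED_ROOT, modified_image)
    # A rewritten local ledger can carry a proof for the modified image, but that
    # proof cannot reach the independently published root, so the check still fails.
    rewritten = Ledger({**APPROVED, "ecu-brake.bin": modified_image})
    results["rewritten_ledger"] = check_component(rewritten, PUBLISHED_ROOT, modified_image)
    return results


if __name__ == "__main__":
    for scenario, verdict in run_checks().items():
        print(f"{scenario:17s} -> {verdict}")
```

The third scenario is the reason the root must be published somewhere the vehicle does not control: with only a local ledger, an attacker who can rewrite components can also rewrite the lookup table, and the check degrades to "does the ledger agree with itself".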
Future - The Car Becomes the Moving Mobile Wallet
• IOT includes sensor as a service by mobile payments
• Blockchain IOT Protocol – merge payments and IOT
• Pay for fuel, recharging of road tolls by smart contracts
• Money exchanged without banks or credit card company
• Eventually insurance will become invisible by blockchain
• Cite the INTERNET and emails
158
Estonian National Smart Grid Data Platform
(Diagram labels: 500K smart meters; Big Data Platform; 24 service providers; KSI BLOCKCHAIN)
159
KSI for M2M Case | UAV / DRONE INSURANCE
Summary
On-board, real-time verification of uploaded executable code makes it impossible to inject malware or otherwise tamper with the authorized set of UAV instructions.
On-board, real-time signing of the collected sensor data provides a complete tamper-evident chain of custody from data capture to storage to long-term archiving.
(Diagram labels: Authorized executable code repository; Collected sensor data storage and archive)
Uploaded executable code is verified on-board, in real-time, and only valid code is executed.
Collected sensor data is signed in real-time during the mission and transmitted along with the integrity proof.
160
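The "signed at capture, transmitted with the integrity proof" chain of custody described on the UAV slide, and the "every access to medical records is registered" point from the health care slides, share one mechanism: each record is bound to the record before it, so removal, reordering or modification is detectable against a proof value that leaves the device. The following added example (constructed illustration code, not the project's own; the sensor readings, patient and clinician identifiers are placeholders) implements that with a SHA-256 hash chain. It uses the chain head as the transmitted proof; a production system would anchor that head in an external ledger, which this offline example does not model.

```python
"""Constructed example: tamper-evident chain of custody for collected records.

Not the project's code. Each record is linked to the previous one by hash,
and the chain head is the "integrity proof" transmitted or published with the
data. The same functions serve the UAV sensor feed and the medical record
access log: only the payload differs.
"""
import copy
import hashlib
import json
from typing import Any, Dict, List

GENESIS = "0" * 64  # previous-hash value used by the first record


def canonical(obj: Dict[str, Any]) -> bytes:
    """Deterministic encoding so the same record always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def record_hash(seq: int, prev: str, payload: Dict[str, Any]) -> str:
    return hashlib.sha256(canonical({"seq": seq, "prev": prev, "payload": payload})).hexdigest()


def append_record(chain: List[Dict[str, Any]], payload: Dict[str, Any]) -> Dict[str, Any]:
    """Sign at capture: the record is linked into the chain the moment it is taken."""
    seq = len(chain)
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"seq": seq, "prev": prev, "payload": payload,
             "hash": record_hash(seq, prev, payload)}
    chain.append(entry)
    return entry


def integrity_proof(chain: List[Dict[str, Any]]) -> str:
    """The value sent along with the data (or published) as the proof."""
    return chain[-1]["hash"] if chain else GENESIS


def verify_chain(chain: List[Dict[str, Any]], proof: str) -> List[str]:
    """Return a list of findings; an empty list means the chain matches the proof."""
    findings: List[str] = []
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["seq"] != i or entry["prev"] != prev:
            findings.append(f"record {i}: link broken (record removed or reordered)")
        if entry["hash"] != record_hash(entry["seq"], entry["prev"], entry["payload"]):
            findings.append(f"record {i}: content does not match its hash (modified)")
        prev = entry["hash"]
    if prev != proof:
        findings.append("chain head does not match the transmitted integrity proof")
    return findings


def run_scenarios() -> Dict[str, List[str]]:
    """UAV sensor feed: intact chain, then three kinds of after-the-fact tampering."""
    chain: List[Dict[str, Any]] = []
    for reading in [  # constructed sample readings
        {"t": 0, "lat": 59.437, "lon": 24.753, "altitude_m": 80},
        {"t": 1, "lat": 59.438, "lon": 24.754, "altitude_m": 82},
        {"t": 2, "lat": 59.439, "lon": 24.755, "altitude_m": 85},
    ]:
        append_record(chain, reading)
    proof = integrity_proof(chain)  # leaves the aircraft with the data

    out = {"intact": verify_chain(chain, proof)}
    modified = copy.deepcopy(chain)
    modified[1]["payload"]["altitude_m"] = 999   # edited in storage
    out["modified"] = verify_chain(modified, proof)
    dropped = copy.deepcopy(chain)
    del dropped[1]                                 # a reading quietly removed
    out["dropped"] = verify_chain(dropped, proof)
    out["truncated"] = verify_chain(chain[:-1], proof)  # tail cut off
    return out


def access_log_demo() -> List[str]:
    """Medical record access log built with the same chain; returns verification findings."""
    log: List[Dict[str, Any]] = []
    append_record(log, {"patient": "P-0001 (constructed)", "by": "clinician-A", "action": "read"})
    append_record(log, {"patient": "P-0001 (constructed)", "by": "clinician-B", "action": "update"})
    return verify_chain(log, integrity_proof(log))


if __name__ == "__main__":
    for scenario, findings in run_scenarios().items():
        print(f"{scenario:10s} -> {findings or 'verified'}")
    print("access log ->", access_log_demo() or "verified")
```

Note what each check catches: a modified payload fails its own hash, a removed middle record breaks the sequence link even though the head still matches, and a cut-off tail is caught only by the external proof. That last case is why the head must leave the device; a chain verified only against itself proves nothing about completeness.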
Underpinning the Risk – Putting it Together
(Diagram labels: KSI BLOCKCHAIN; Lloyds Insurance Ledger; Trade Finance Ledger; Industrial IoT Cloud; Risk Analytics Engines; Financing Applications; Insurer Portals)
161
Conclusions
162
Lessons Learned from Implementing SCALE
(Diagram labels: LEGACY; CONTROL; FUTURE PROOF; PORTABILITY; SECURITY)
163
Takeaways
• It must be remembered that cyber risks grow with each technical innovation and this affects data integrity – corporations improve security 20% each year and the hackers improve 300% each year – do the maths.
• The use of blockchain can show immediate developments on the top line of a combined ratio and open doors to new products and operational efficiency for the bottom line. There will be political will here to determine the timeline. That means we can quantify and show daily profitability on the new internet to executives prior to investment income. Blockchain becomes the underpinning of risk management.
• Mitigation policies must adapt and evolve with technological innovation to keep enterprise-wide cyber cover and risk management in place and ahead of the threat.
164
CONCLUSIONS AND OBSERVATIONS
- Developing a cyber risk management framework in line with resilience, actuarial modeling and revision of IT contracts within a new legal framework involves mitigation using technology to establish a digital chain of command across the whole holistic enterprise risk management framework, and should be part of the whole process.
- Add basic questions on how to link cyber risk to the assessment process and the service required in the assessment area by insurers, reinsurers and clients. Sign the crown jewels of data.
- How does the risk management process emulate cyber risk – is it understood at C-SUITE level – which tools, processes and controls does a company have to mitigate cybersecurity risk, i.e. KSI.
165
What is the Insurance Effect in 2017
• INSURETECH solutions will double in the market.
• New and increasing data breach events and the resulting regulations will increase the adoption of cyber insurance and risk transfer, reinsurance or otherwise.
• The amount of data is increasing exponentially, so insurers will have more big data and a need to understand the provenance of that data prior to analytics – big data 2.0.
• The number of smart devices is increasing and that will increase the need for the insurance industry to understand the implications and wordings for the risk.
• Cyber terrorism is on the increase and governments need to work with private industry to ensure a backstop.
166
National Digital Currency – the Eureka Moment
Digital currency that can be traced, tracked and controlled. In Sri Lanka, for example, like other countries, less of the monetary value of benefits ends up in the hands of the beneficiary – much is lost through fraud. Once the digital currency is pegged to the national currency then the consumer will see the benefits of blockchain and data ownership. That is where everyone says – ahaaa
(Diagram labels: KSI LEDGER; GOVERNMENT SYSTEMS; BENEFICIARIES; POS PURCHASES; ONLINE PURCHASES; PHYSICAL CASH)
167
New Asset Classes
• $24 billion to date
• BITCOIN/ETHER
• 500 ALTCOINS
• 50 Tokens
168
Where is it all Going by 2018
• Automation of insurance companies into a smart contract
• Automatic payment of claims – no filing claim or admin expenses
• Ability to eliminate digital fraud
• Tampered documents will be caught reducing errors and omissions
• Management by consensus for liability
• Insurance goes under the bonnet
169
Alternate Capital Market Solution
• The capital markets will eventually enter the enterprise risk management modeling.
• This will be via ILS or insurance linked securities, pension funds, hedge funds, sidecars and others.
• These can be in the form of bonds, as in cat bonds, cyber indexes and other vehicles.
• Discounted cash flow models will need to show different output to investors.
Also CAPTIVES
170
END GAME SHARED LEDGERS WITH NO PRIVATE KEY
171
FUTURE PROOF: The cryptography behind the technology needs to be able to withstand attacks by quantum computers.
172
Formal Security Proof
Unlike with other blockchains, KSI has a formal peer reviewed security proof that it does exactly what it says it does.
As we have seen with the latest DAO attack, this is important.
173
FINAL WORDS 101
So for this industry weighing and insuring cyber risks… how can you achieve truth to calculate in real-time the integrity of the applicable interfaces, applications, and service layers responsible for the data? For the insurance industry to back these assets, it should be required that evidence of integrity of the organization's data, and of the information rules governing the systems that manage that data, is available and independently verifiable without having to trust the organization hosting those assets.
174
Q&A
ASHK Evening Talk, 16 May 2017 Blockchain Truth – Digital Identity in the Insurance Industry Transformation