Five Questions Insurers Should Ask Themselves About Cyber Risk
In the insurance industry, cybersecurity demands promise to escalate with alarming speed, driven by increasingly sophisticated threats, vigilant regulators and frustrated stakeholders. A failure to honestly assess a firm’s exposure to risk can transition quickly into failures of operations, careers — even companies.
Even if an insurer’s top executives do not yet have security expertise, they can still help manage the risks their company faces by asking these questions:
1. What new actions can we take to protect our firm from the increasingly high risks associated with cybersecurity incidents?
Yesterday’s security approach focused primarily on investing in compliance, basic detection and response to malware. It was a reactive model.
In the same way that wellness visits allow us to stay on top of our health even when we’re not sick, periodic cyberassessments have become an important component of any complete cybersecurity roadmap.
These assessments should include a cyberstrategy and proactive identification of weaknesses with the intent to fill the gaps in the security posture. Reactive security practices should be augmented with periodic penetration testing and social engineering security awareness training to improve user behavior when phishing attacks inevitably occur. Red team/blue team exercises, meanwhile, can help insurers test how quickly and effectively they are able to discover threats, and measure how rapidly each operational line of service eliminates the malware.
Last year, the Federal Financial Institutions Examination Council (FFIEC) issued a framework for conducting cybersecurity assessments. In addition to banks, the framework applies to nonbank financial institutions (NBFIs), such as insurance companies. Having a qualified independent party leverage this framework to conduct a cyberassessment can provide valuable insights into an organization’s cybersecurity health.
2. Security is separate from compliance, and we need both. What is our proactive plan to match real countermeasures to our real cybersecurity threats over the next 3 years?
Security and compliance functions should work together for the best approach. As functions, they ultimately serve the same purpose — to protect the enterprise. The difference is simply in why firms need these functions. Compliance is something you have to do. Security is something you need to do.
To address both concerns, focus on conducting an enterprise risk assessment to determine your compliance and security strengths and weaknesses. Prioritize the findings and then allocate funds to strengthen those that meet both compliance and security needs or that offer the most opportunity for improvement. Ensure that compliance and security improvements result in actionable information. Test security incident escalation processes to validate that improvements are understood and have efficient and effective escalation outcomes.
Although risk from threats continues to increase and potential economic fallout is real, dramatic improvements have been made in technology’s ability to capture massive amounts of data, conduct targeted analyses to quickly detect problems in that data, and prioritize rapid response to address key risks.
A 3-year enterprise risk strategy should incrementally address the weaknesses discovered in the risk assessment process. The organization can then determine an acceptable level of risk and target the state of maturity and effectiveness necessary to attain that level. The assessment relies on an industry standard of measurement, the COBIT maturity assessment baseline, to examine each area and assign it a score. Because the measurement is repeatable, it can be used to validate improvements as the weaknesses are addressed.
3. Since attempts to steal from and damage our organization are inevitable, what is our response plan with specifics regarding our internal/external team, tools, rehearsal schedule, peer analysis, expert analysis, standards and regulatory adherence?
Organizations should look to invest in their own incident response programs, encompassing planning and prebreach preparedness activities, as well as what to do after a breach. Look to work with a firm that can help you manage this multistep process and bring your operations back up as soon as possible after a breach occurs.
A formal incident response plan needs to be shared with stakeholders and tested periodically through penetration tests or simulated internal attacks. Most important, evaluate the users’ awareness of social engineering and phishing attacks, as business users are often the weakest links. Security awareness training, together with exercises to determine its effectiveness, will demonstrate the likelihood of users inadvertently introducing malware/ransomware. Quarantine areas will help isolate suspicious downloads for incident response and analysis.
By partnering with a team that is designed to act quickly, your company will be prepared to deal with many of the common challenges associated with a cybersecurity incident, such as a sudden need to contain the malware and then remediate or execute a forensic analysis of how the malware was introduced into the environment.
Cybersecurity responses must be increasingly more sophisticated to combat threat actors that have seemingly unlimited resources to support their efforts. However, insurers’ core competency is not cybersecurity. Leveraging a third party to help run exercises such as periodic penetration testing from a hacker’s view, as well as tabletop exercises where an incident response team practices responding to different cybersecurity scenarios, is a good way to identify gaps in your firm’s response as well as areas that should be de-emphasized.
4. How can we adapt as cybersecurity talent grows scarce and criminals get smarter?
Cybercriminals continue to expand their organizations, skills, tools and knowledge. Staying ahead requires greater effort. Securing your organization will become more challenging as you look to capitalize on digital shifts occurring in the market, such as those related to mobility, the Internet of Things (IoT), and big data and analytics.
IoT in particular presents a big opportunity for insurance companies in the form of usage-based insurance and other telematics-driven programs. And with these programs comes an added need to analyze and store new, sensitive types of data. Managing that data will require new cybersecurity discipline. Insurers need to adjust their response accordingly. A C-level position should be established to ensure accountability and top-level monitoring of cybersecurity risks and issues.
Partnerships, meanwhile, are a good way to quickly determine cybersecurity maturity and to address weaknesses through a strategic roadmap. Cyberincident response is a field that is inherently about specialized work executed in a small window of time. Maintaining an ongoing relationship with a partner allows you to avoid cumbersome delays in a time of heightened stress.
5. How does the cyber risk team work with the organization’s broader enterprise risk function?
Communication within the organization, between partners and supply chains, and with industry organizations has become more important as cybercriminals continue to extend their reach and capabilities. Within your organization, the enterprise risk, cyber risk and compliance functions must all be connected and speak the same language. This helps create a clearer picture of business context and how cyber risk translates into business impact. More important though, it ensures that these functions are not all competing with one another for attention and investment dollars.
By answering these questions, an insurance company can begin a dialogue to spur security improvements and conduct disciplined and planned risk management. However, to ingrain more stringent cybersecurity practices into the organization’s culture, insurers must require their IT security executives to deliver answers in common language, not cybersecurity technobabble. Clear progress reports should be agreed upon by all stakeholders and communicated throughout the organization, as employee negligence is and always will be among the most popular targets for hackers. The best way to combat this is to keep cybersecurity top of mind, clearly understood by all and debated in the normal course of business.