Insurers trying to contain cyber risks face a tricky balancing act between the desire to build an impenetrable digital fortress and demands from staff, intermediaries, and consumers for faster and easier data access.
Cyber risk is one of the biggest opportunities, as well as perhaps the scariest threat, facing insurance companies today. The opportunity is on the sales and risk management side, with all the high-profile data breaches being reported in the media prompting more businesses large and small to seek insurance coverage and loss control advice.
However, this blog is focused on the flip side of the coin — that is, the growing cyber risk confronting data-rich insurance companies. Carriers that don’t have their data management houses in order could soon be battling damage claims from irate policyholders if personal information is stolen. In addition, it will be an uphill struggle for insurers that get hacked to restore tarnished reputations and credibility with independent agents, customers, and investors.
Unfortunately, the frequency and speed of cyber-attacks are increasing, while insurers' prevention and response capabilities struggle to keep pace. The problem is likely to get worse before it gets better as carriers expand their digital footprints, because every new channel, device and third-party connection widens the attack surface.
More information is being made available to staff, intermediaries, and consumers via mobile devices. More data is being stored on remote systems in the cloud, or shared with third parties through offshoring or outsourcing arrangements, each of which extends the carrier's data beyond the systems it directly controls. Yet fewer than half of global financial institutions responding to a recent Deloitte survey said they were "very confident" they were secure against an external cyber-attack.
Most insurers are taking steps to secure their digital borders. However, they must be careful not to erect a wall so high that access for legitimate users becomes overly difficult; controls that staff and agents find too onerous tend to be worked around, which leaves the carrier less secure rather than more. The goal should be to lock down data while still enabling key business processes online, internally and externally.
Insurers therefore should seek a middle ground: a secure data environment that thwarts cyber thieves while avoiding the digital traffic jams that could drive customers and intermediaries away in frustration.
Perhaps the first step is for insurers to shift from a compliance-focused mindset to a more comprehensive enterprise risk management approach. They also should not think of cyber risk as merely a technology issue when it’s really another first-class business exposure that should be accounted for across the organization.
In addition, the answer is not just to buy more technology, but to have the talent — in-house, from outside experts, or more likely a combination of both — that knows how to go about securing systems without having to reinvent the wheel.
This is a cultural issue as well, emphasizing awareness and adoption of basic "cyber hygiene" among all employees. Data security ultimately starts with the people who have their hands on the keyboard. Indeed, it only takes one staff member clicking a malicious link or attachment in an e-mail to give an attacker a foothold inside the network, and from there the barn door is open and the data horses can be led out one by one.
This also isn’t an exposure that insurers should try to tackle on their own. Knowledge is power, so the more perspectives and experiences are shared, the more effective a loss control program will likely be. Collaboration with peers, partners, law enforcement, regulators, and loss control specialists can save carriers a lot of unpleasant surprises.
Insurers should consider a multi-pronged approach to cyber security, emphasizing a triangle of key principles in which carriers strive to be secure, vigilant, and resilient. Being secure means defense in depth: mutually reinforcing layers of controls that slow an attacker down and, where possible, stop the attack outright, so that no single failure exposes the data. Being vigilant means continuous monitoring: collecting logs and threat indicators across systems, correlating and analyzing them automatically, and reporting anomalies promptly, so that an intrusion is detected while it is under way rather than after the data is gone.
Last but not least, resilience means planning for the breach that gets through. It covers not only the ability of security systems to withstand an attack, but also the incident response, containment and recovery capabilities needed to limit the damage if a breach does occur, and those capabilities must be tested before they are needed, not during the crisis.
In the end, those running the gauntlet to help secure an insurance company’s data systems do not have an easy or glamorous job ahead of them. The aim should be to become a trusted advisor by creating an information security program that not only protects a carrier’s digital borders from intruders, but also plays an active role in supporting the insurer’s overall business strategy.
To learn more about how to handle this critical risk, listen to the archived version of Deloitte’s recent webcast on the subject: “Insurance Cyber Risk: Impacts of a Changing Technology Environment.”
Sam J. Friedman is the research team leader at Deloitte's Center for Financial Services in New York. For many years, he was the Editor in Chief of National Underwriter's P&C edition. Follow Sam on Twitter at @SamOnInsurance, as well as on LinkedIn.