Insurers trying to contain cyber risks face a tricky balancing act between the desire to build an impenetrable digital fortress and demands from staff, intermediaries, and consumers for faster and easier data access.

Cyber risk is one of the biggest opportunities, as well as perhaps the scariest threat, facing insurance companies today. The opportunity is on the sales and risk management side, with all the high-profile data breaches being reported in the media prompting more businesses large and small to seek insurance coverage and loss control advice.

However, this blog is focused on the flip side of the coin — that is, the growing cyber risk confronting data-rich insurance companies. Carriers that don't have their data management houses in order could soon be battling damage claims from irate policyholders if personal information is stolen. In addition, it will be an uphill struggle for insurers that get hacked to restore tarnished reputations and credibility with independent agents, customers, and investors.

Unfortunately, the frequency and speed of cyber-attacks are increasing, while insurers struggle to keep up in terms of their prevention and response capabilities. The problem is likely to get worse before it gets better as carriers expand their digital footprints.

More information is being made available to staff, intermediaries, and consumers via mobile devices. More data is being stored on remote systems in the cloud, or shared with third parties through offshoring and/or outsourcing arrangements. Yet fewer than half of global financial institutions responding to a recent Deloitte survey said they were “very confident” they were secure against an external cyber-attack.

Most insurers are taking steps to secure their digital borders. However, they must be careful not to erect a wall so high that access to legitimate users becomes overly difficult. The goal should be to lock down data while still enabling key business processes online, internally and externally.

Insurers therefore should seek a middle ground, creating a secure data environment that thwarts cyber thieves while avoiding digital traffic jams that could drive customers and intermediaries away in frustration.

Perhaps the first step is for insurers to shift from a compliance-focused mindset to a more comprehensive enterprise risk management approach. They also should not think of cyber risk as merely a technology issue when it's really another first-class business exposure that should be accounted for across the organization.

In addition, the answer is not just to buy more technology, but to have the talent — in-house, from outside experts, or more likely a combination of both — that knows how to go about securing systems without having to reinvent the wheel.

This is a cultural issue as well, emphasizing awareness and adoption of basic “cyber hygiene” among all employees. Data security ultimately starts with the people who have their hands on the keyboard. Indeed, it only takes one staff member to click on an e-mail infected with malware to throw open the barn door and let all the data horses escape.

This also isn't an exposure that insurers should try to tackle on their own. Knowledge is power, so the more perspectives and experiences are shared, the more effective a loss control program will likely be. Collaboration with peers, partners, law enforcement, regulators, and loss control specialists can save carriers a lot of unpleasant surprises.

Insurers should consider a multi-pronged approach to cyber security, emphasizing a triangle of key principles in which carriers strive to be secure, vigilant, and resilient. Being secure means having mutually reinforcing defense layers that can slow down and hopefully prevent an attack. Being vigilant means establishing a continuous monitoring system, with adaptive signaling and reporting to automate the correlation and analysis of data and threat indicators.

Last but not least, resiliency means testing the ability of security systems not just to withstand an attack, but also to deal with the consequences if a breach does occur so as to limit the damage.

In the end, those running the gauntlet to help secure an insurance company's data systems do not have an easy or glamorous job ahead of them. The aim should be to become a trusted advisor by creating an information security program that not only protects a carrier's digital borders from intruders, but also plays an active role in supporting the insurer's overall business strategy.

To learn more about how to handle this critical risk, listen to the archived version of Deloitte's recent webcast on the subject: “Insurance Cyber Risk: Impacts of a Changing Technology Environment.”

Sam J. Friedman ([email protected]) is the research team leader at Deloitte's Center for Financial Services in New York. For many years, he was the Editor in Chief of National Underwriter's P&C edition. Follow Sam on Twitter at @SamOnInsurance, as well as on LinkedIn.

