Adopting a Multi-Pronged Approach to Cyber Risk

Insurance companies are facing new and growing cyber risks and need to develop a comprehensive, multi-pronged approach to address them, according to a panel of Deloitte & Touche executives who spoke on the topic earlier this week.

“Insurance Cyber Risk: Impacts of a Changing Technology Environment,” presented as part of Deloitte & Touche’s Dbriefs Insurance Series, detailed the evolving cyber threat landscape, provided industry insights and mapped out a series of steps and processes insurance companies can implement to build an effective cyber risk program.


Insurers’ focus on cyber security has lagged other sectors, such as banking and financial services, according to Taryn Aguas, a senior manager with Deloitte. She was joined by colleagues Rich Godfrey, principal and national insurance advisory leader, Ash Raghavan, principal, and Adam Thomas, principal with the firm’s cyber risk group.

The Internet, cloud, mobile and social networking technologies—platforms inherently oriented for sharing—are becoming more pervasive. Insurance clients want real-time access to their information, and insurance companies are grappling with changing business models including outsourcing, offshoring, contracting and a remote workforce. There is also more data to protect, and increased compliance requirements. All of these factors, in addition to a growing force of hackers that are difficult to catch, make cyber threats tougher to manage and risk harder to mitigate, the Deloitte executives say. And insurance companies are becoming a target for attacks, they say.

Traditional security controls are no longer sufficient to address the risk, according to the executives. Thomas says insurance companies need to consider their threat landscape and take a right-sized approach. In addition, various stakeholders need to work together to share intelligence about who is trying to attack, especially among public and private sectors. Companies also need to get their boards involved. “There’s a growing sentiment among investors that cyber risk requires persistent involvement and oversight,” he says. Insurance companies, and the industry at large, also need to focus on talent, so there’s the expertise and “muscle memory” on hand to know how to detect and respond to threats.

To craft a multi-pronged approach to combat and mitigate cyber threats, Thomas suggests companies:
• Move away from a compliance-first activity to one that focuses on where the risks are and how and where to spend time and resources;
• Treat cyber threats as less of a technology problem and more of a business problem. “It should be part of a company’s daily DNA, and treated like any other risk,” he says;
• Remember technology is a great enabler but not the only answer. Companies need to address the talent issue, collaborate with peers including law enforcement agencies and regulators, and focus on embedding cyber security into the corporate culture.

Specifically, Thomas recommends insurance companies adopt agile risk management policies that, for example, embed security policies and practices into processes from the start. He also says companies need to focus on obtaining good cyber intelligence by making use of predictive and other analytics, mobile security, and the security practices of any third party they engage with, as well as the security of cloud computing services they may leverage. Finally, companies need to pay attention to regulatory requirements. “We are seeing more interest from regulators regarding insurance companies and how their cyber security is being done,” Thomas says.
