Cyber-attacks are not an “if” but a “when and how.” Traditional preventive measures can slow attackers down, but not ultimately stop them. The threats are too frequent and too varied, and attackers are nimble and adapt quickly. That means insurers should think differently about risk and security.
In addition to improving their traditional preventive measures, they also should make themselves cyber-resilient. Cyber-resilience is the ability to operate business processes in normal and adverse scenarios without adverse outcomes.
Cyber-risks are multi-dimensional, so cyber-resilience strategies should focus on managing three types of risks:
System and infrastructure risks
Technology systems and infrastructure are often ground zero for cyber-attacks and other breaches, so technology risk management is increasingly important to a cyber-resilient firm. At a minimum, technology risk management programs should incorporate the following:
Application development standards: How applications, systems and infrastructure are architected and developed to reduce risk.
Systems and data surveillance: Monitoring and surveillance techniques for identifying, assessing and responding to potential vulnerabilities or breaches.
Penetration testing: Establishing the resilience of the infrastructure to attacks and proactively identifying where vulnerabilities may occur.
Operational risks
This refers to the potential for a firm’s business processes or technology infrastructure to fail, with adverse consequences such as reputational harm and being unable to communicate with customers, generate transactions or conduct billing. An operational risk management program should encompass:
Risk appetite: Defined tolerance levels and parameters that set how much resilience cyber-risk management programs must establish and how cyber-events will be handled.
Process and technology risk assessments: Processes that examine gaps in controls around business processes, products or services.
Control reviews: Effectiveness assessments that show evidence of proper controls that can prevent or detect cyber-risk-related losses.
Integrated framework: A cyber-risk framework for identifying, preventing, detecting and responding to cyber-risks.
Fraud and other financial crime
This can result from the exploitation of vulnerabilities in digital services and failed controls in business processes, technology and even third-party organizations. Losses in insurance can come either from large, one-time events or from frequent, small, low-cost events that are harder to detect. Fundamental elements include:
Surveillance: The ability to monitor and detect anomalies inside the institution.
Detective business processes: Business processes that are designed to be both compliant and capable of detecting criminal or nefarious activities.
Industry data sharing: Industry sharing of attack data to improve detection and response techniques can help reduce unexpected losses tied to fraud and financial crime.