A recipe for cyber defense

Companies clearly need to manage their cyber risks more proactively to meet the requirements of the new rules and regulations and, at the same time, protect their business, customers and reputations

Insurance carriers, with their large repositories of high-value personally identifiable information (PII), are increasingly threatened by cyber-attacks. Such attacks could have an immense impact, affecting not only the carriers, but also their insureds, and even ripple through to customer supply chains.

In his recent report on this critical area, Scott Corzine said that the potential damage from such threats is underscored by the impact of recent attacks on large companies in numerous sectors as well as a US government agency. "Such attacks have the potential to embarrass management, place valuable relationships at risk, result in employment terminations, and influence governments," pointed out Mr Corzine.

As the frequency and severity of high-profile cyber-attacks escalate, Federal and State governments in the US are imposing regulations that require organisations to demonstrate better preparedness and resilience in the event of a cyber-attack.

At the same time, the media is increasing public awareness and cyber-security organisations are providing improved tools and methodologies that can help companies meet their cyber-security requirements. This is a fast-growing area of risk and risk management.

Mr Corzine stressed that in this environment, companies clearly need to manage their cyber risks more proactively to meet the requirements of the new rules and regulations and, at the same time, protect their business, customers and reputations.

Hackers and state-backed online espionage may grab the headlines, but a significant portion of cyber security breaches originate inside the organisation, stressed the expert.

The non-profit body Online Trust Alliance recently reported that for the first six months of 2014, only 40% of data breaches that involved the loss of PII were caused by external intrusions. Some 29% were caused either accidentally or maliciously by employees, it found.

The Online Trust Alliance cited lack of internal controls, lost or stolen devices and documents, as well as social engineering and fraud as the main factors.

In the most recent Corporate Board Member/FTI Consulting, Inc. Law and Boardroom Study, approximately 50% of polled directors and general counsels named ‘data security’ as their number one legal and risk management concern.

As the risk rises, regulators are expanding the scope of their cyber security requirements as well as compliance enforcement. "Regulators are increasingly holding insurers accountable for their own internal cyber-security measures in order to better protect policyholders," wrote Mr Corzine.

"Insurers maintain significant data that is potentially desirable for cyber thieves. Dependence on outside partners and third party service providers additionally opens insurers to the cyber-vulnerabilities of these outsourced contractors," he added.

Predictably, regulators are starting to compel improvements in cyber security through new rules that require insurers to implement comprehensive cyber security programs.

The National Association of Insurance Commissioners (NAIC) stated in January, for example, that it plans to propose guidance for insurance examiners who review companies’ risk management practices for cyber security risks.

The Department of Homeland Security’s National Protection and Programs Directorate has also discussed a cyber-incident data repository with the insurance industry to create a warehouse of cyber risk "actuarial data and consequence-oriented analytics" that is needed to grow the cyber security insurance market.

The New York State Department of Financial Services announced last December that it will take measures to help in-state insurers strengthen their cyber security defenses and will begin assessments to determine the degree of preparedness and compliance. Virtually all of these evolving regulations have specific deadlines for the reporting of data breaches to authorities and affected customers, and explicit penalties for non-disclosure, said Mr Corzine.

Security organisations such as ISO and ISACA are also stepping up their efforts in this area.

"In their quest to achieve cyber-security resilience, insurers have a dual responsibility – they must address the cyber security of their own organisation as well as the cyber security of the customers that they insure," stated Mr Corzine.

The author has identified seven key points that insurers should consider to help build a more robust and mature cyber security capability. They can be summarised as follows:

_ View cyber security as an organisational issue, not simply a technical one. Management must take responsibility for this risk and not just leave it to IT departments.

_ Obtain access to trusted third party resources, partly to help tackle the internal threat.

_ Adhere to governance and compliance doctrines and establish a risk management framework to help accomplish program objectives.

_ Understand and document your definition of risk appetite, that is, the level of risk an organisation is willing to accept in order to achieve its business objectives before it must take measures to reduce that risk.

_ Perform a threat, vulnerability and impact assessment. This analysis should work out the value of information and the potential operational and financial impact of impairment or loss of that information, and provide guidance on the steps needed to protect it. The assessment should include an examination of the organisation’s cyber insurance policy to help decision makers understand whether coverages are adequate and effectively aligned with the organisation’s remaining cyber risks, and whether limits, retentions and exclusions are appropriate.

_ Develop mitigation programs and strategy. This should decide which exposures, vulnerabilities and risks require a cost/benefit analysis, resource determination, funding and decision-making, including whether to self-insure or purchase insurance.

_ Prepare a Cyber Incident Response Plan (CIRP) that documents how the organisation will respond to a breach in a planned and effective way. The CIRP is designed to ensure that cyber-security incidents are managed in a way that limits impact, gains stakeholder confidence in the organisation’s capacity to handle incidents, and reduces the time and cost to recovery. The CIRP should be formally reviewed and adopted by the Board, and exercised at least once every year.

"Adopting this comprehensive approach to cyber risk management should help insurers sustain financial viability and meet regulatory compliance requirements. Insurers should likewise require some level of this approach from their cyber-insureds in order to promote a culture of risk awareness, reduce the chance of a disastrous breach, and avoid paying costly claims that could have been avoided or minimized," he concluded.

Scott Corzine is a Managing Director and Co-Leader of the Risk Management Practice at FTI Consulting, a global consulting firm with a specialty in the insurance sector. He is responsible for providing risk mitigation and resilience services – business continuity, IT disaster recovery, crisis management, and information security assessment and planning – to public and private sector clients globally. Scott was a co-founder of Risk Solutions International (RSI), which was acquired by FTI Consulting in 2013.

He has been part of Brokerslink for a number of years, and has spearheaded initiatives in business continuity planning for airports globally, visibility into contingent business interruption in the supply chain, and business continuity solutions to help mitigate supply chain resilience risk.

Scott is passionate about providing these services to Brokerslink members to help improve their competitive advantage in broking transactions.