Articles - Heightened cyber threat demands risk focus

By Seth Berman, executive managing director of Stroz Friedberg
Cyber and terrorism have been rated the most significant emerging risks facing the insurance and reinsurance sector in 2015, according to a survey of US industry executives. It is a sentiment reflected by the UK government, which last month convened a group of CEOs from the country's largest insurers, to encourage collaboration and "to make the UK one of the safest places to do business in cyberspace". While the insurance sector is set to play a key role in minimising the long-term financial fallout from an attack, cyber risks cannot

 be tackled with insurance alone. In some cases, even a significant insurance pay-out may prove inadequate in the face of sliding customer confidence and corporate reputation.
 Hackers are increasingly playing the long game and a number of recent high-profile incidents have shown that perpetrators have been able to maintained access for weeks or even months, before the breach was discovered. But in reality, not all hacks can or will be prevented.
 Corporate Britain must, therefore, take responsibility, alongside insurers carrying the underwriting risks, to improve cyber resilience. It is a process that should start with a wide-ranging security assessment, carried out by an external third party. The assessment is an in-depth review of the company’s risk profile, based on the specifics of how it does business, how its network operates and the kind of information held by the company. In scope, the assessment is much wider than a traditional IT audit, as the primary focus of a conventional IT audit is to ensure that the company meets a certain predefined security standard. Through this assessment companies can prioritise their security needs and make intelligent decisions about what they need to do to reduce their actual risk – not just to meet an arbitrary and often inapplicable standard.
 However, relying on an IT audit alone amounts to 'checklist syndrome', which could see the security strategy fail to address the real-life business risks, even though the demands of the security standard were met on paper. While standards are important, it is worth keeping in mind that almost every high-profile breach in the recent past occurred after the corporates had passed their IT audit and been certified as compliant with the relevant security standard. By contrast, a company’s security assessment will allow management to judge a company’s central risk profile and take steps to reduce that risk.
 The security assessment will determine the extent to which security is seen as a companywide priority, as IT security cannot be the exclusive domain of the IT team. Everyone involved in using the IT systems has a crucial role to play. Organisations should aim to foster an environment where users are alert to what a threat may look like and know how to respond and who to contact, without fear of reprisal.
 Imposing IT policies from the top, without really setting out why a particular policy is being implemented, is a process that is fundamentally flawed. Users need to understand the rationale behind IT policies and only where individuals understand why restrictions have been introduced will they avoid bypassing or undermining these rules and, inadvertently, creating new vulnerabilities in the process.
 Education is not only useful to ensure compliance with security standards, it is also critical that users do not become the weak link in the security chain. Individuals must be taught to be vigilant about such email attacks, which will make it more difficult for attackers to catch someone unaware. However, this is not the end of the process. Users also need to understand what to do if they suspect a problem after they click on a suspicious link or open a mysterious file.
 Careless executives or disgruntled employees represent a significant risk to cyber security, according to a poll of US companies. The Stroz Friedberg 'On the Pulse: Information Security Risk in American Business' survey found that a key challenge for companies is to strengthen cyber security from within, with 87% of senior managers regularly using personal email or cloud account to work remotely, placing such information at a much greater risk of being breached. The survey also found that more than half (58%) of senior management reported having accidentally sent the wrong person sensitive information, compared to just one quarter of workers overall.
 The concerns raised by US insurance executives over the heightened risks of cybercrime are not universally recognised by senior business leaders, with reports suggesting widespread indifference to data security. However, as further evidence emerges of corporate systems being penetrated by hackers, executives will have no option but to accept their governance, legal and regulatory obligations. The financial services sector must play its part in ensuring that organisations take steps to safeguard sensitive and confidential information.

Back to Index

Similar News to this Story

Will general election call shake up pensions policy agenda
With the Prime Minister calling for a summer election, LCP Partner David Fairs looks at how this could affect the pensions policy agenda. What does th
Risk Transfer do more insurers mean more capacity
Nikhil Patel takes an in-depth look at current trends in the risk transfer market, including the implications of record-breaking demand and how new en
Aiming for calm seas in our market reforms
The size and scale of the UK financial sector is worth reflecting on. It employs more than 2.5 million people and produced £278bn of economic output,

Site Search

Exact   Any  

Latest Actuarial Jobs

Actuarial Login

 Jobseeker    Client
Reminder Logon

APA Sponsors

Actuarial Jobs & News Feeds

Jobs RSS News RSS


Be the first to contribute to our definitive actuarial reference forum. Built by actuaries for actuaries.