Heightened cyberthreat demands risk focus


By Seth Berman, executive managing director of Stroz Friedberg

 Cyber and terrorism have been rated the most significant emerging risks facing the insurance and reinsurance sector in 2015, according to a survey of US industry executives. It is a sentiment reflected by the UK government, which last month convened a group of CEOs from the country's largest insurers, to encourage collaboration and "to make the UK one of the safest places to do business in cyberspace".
  
 While the insurance sector is set to play a key role in minimising the long-term financial fallout from an attack, cyber risks cannot be tackled with insurance alone. In some cases, even a significant insurance pay-out may prove inadequate in the face of sliding customer confidence and corporate reputation.
  
Hackers are increasingly playing the long game, and a number of recent high-profile incidents have shown that perpetrators were able to maintain access for weeks or even months before the breach was discovered. In reality, not all hacks can or will be prevented. Corporate Britain must, therefore, take responsibility, alongside the insurers carrying the underwriting risk, for improving cyber resilience. That process should start with a wide-ranging security assessment carried out by an external third party. The assessment is an in-depth review of the company's risk profile, based on the specifics of how it does business, how its network operates and the kind of information the company holds. In scope, the assessment is much wider than a traditional IT audit, as the primary focus of a conventional IT audit is to ensure that the company meets a certain predefined security standard. Through this assessment companies can prioritise their security needs and make intelligent decisions about what they need to do to reduce their actual risk – not just to meet an arbitrary and often inapplicable standard.
  
However, relying on an IT audit alone amounts to 'checklist syndrome', which could see the security strategy fail to address real-life business risks even though the demands of the security standard were met on paper. While standards are important, it is worth keeping in mind that almost every high-profile breach in the recent past occurred after the affected companies had passed their IT audit and been certified as compliant with the relevant security standard. By contrast, a security assessment will allow management to judge the company's central risk profile and take steps to reduce that risk.
  
The security assessment will also determine the extent to which security is seen as a company-wide priority, as IT security cannot be the exclusive domain of the IT team. Everyone who uses the IT systems has a crucial role to play. Organisations should aim to foster an environment where users are alert to what a threat may look like and know how to respond and whom to contact, without fear of reprisal.
  
 Imposing IT policies from the top, without really setting out why a particular policy is being implemented, is a process that is fundamentally flawed. Users need to understand the rationale behind IT policies and only where individuals understand why restrictions have been introduced will they avoid bypassing or undermining these rules and, inadvertently, creating new vulnerabilities in the process.
  
Education is not only useful for ensuring compliance with security standards; it is also critical to ensuring that users do not become the weak link in the security chain. Individuals must be taught to be vigilant about email attacks, which will make it more difficult for attackers to catch someone unaware.
  
However, this is not the end of the process. Users also need to understand what to do if they suspect a problem after clicking on a suspicious link or opening a mysterious file. Careless executives or disgruntled employees represent a significant risk to cyber security, according to a poll of US companies. The Stroz Friedberg 'On the Pulse: Information Security Risk in American Business' survey found that a key challenge for companies is to strengthen cyber security from within, with 87% of senior managers regularly using personal email or cloud accounts to work remotely, placing such information at a much greater risk of being breached. The survey also found that more than half (58%) of senior management reported having accidentally sent sensitive information to the wrong person, compared with just one quarter of workers overall. The concerns raised by US insurance executives over the heightened risks of cybercrime are not universally recognised by senior business leaders, with reports suggesting widespread indifference to data security.
  
 However, as further evidence emerges of corporate systems being penetrated by hackers, executives will have no option but to accept their governance, legal and regulatory obligations. The financial services sector must play its part in ensuring that organisations take steps to safeguard sensitive and confidential information.
  