Cyber Risk Strategy Must Evolve to Match Changing Threats

Howard Mills
Insurance Experts' Forum, August 5, 2014

Technology is the lifeblood of financial services today, with platforms designed for sharing data acting as the circulatory system linking insurers internally as well as externally with customers. While the Internet, mobile access and cloud computing, among others, are seen as standard by most consumers, they also offer irresistible targets for bad actors with various motivations — from larceny to political protest to industrial espionage and everything in between.

So I thought it was time to check in to see the current state of cybersecurity. I listened to a recent presentation by my Deloitte colleagues Jim Eckenrode and Adam Thomas to find out, and what they had to say raised both concern and hope. In this blog, I’ll share with you some of what they told me.

The financial services industry was the most targeted of 26 different industries by cyber criminals, according to a recent study by Mandiant. Financial loss resulting from cyber attacks is the top concern of 36 percent of financial services institutions, but 39 percent are more concerned about disruptions to business and reputational risks, Deloitte reported.

Who are the bad guys? My colleagues at Deloitte found that 37 percent of financial services companies believe individual hackers pose the greatest threat to their organization, while 29 percent believe insiders and third parties pose the biggest threats.

How are the bad guys doing? An analysis by Verizon Risk and Deloitte’s Center for Financial Services found that 88 percent of cyber attacks against financial services firms were successful in less than a day, but only 21 percent of the firms were able to discover these attacks in less than a day, and just 40 percent could restore service in less than a day.

The bad guys are winning, primarily because they can keep one step ahead by deploying a wider array of attack methods.

In a recent Deloitte survey, 75 percent of global financial institutions believed their info security program was at a maturity level 3 or higher (on a 1 to 5 scale, with 5 being best), but only 40 percent were confident that they would be protected from outside attack.

That’s a scary number, but completely understandable. The cyber threat landscape is constantly evolving, and cybersecurity must transform itself to keep pace. The basis of this new approach is easy to understand. An effective cybersecurity strategy includes three legs: security, vigilance and resilience.

The “secure” part of this cyber strategy is aimed at keeping intruders out, both by using risk-prioritized controls and by working with others in industry and cybersecurity to establish and comply with standards and regulations. Vigilance is aimed at detecting intruders when they do get in, as they often will, no matter what. Resilience is about repairing damage and returning quickly to normal operations.

My colleagues have a whitepaper devoted to this that you can read at your leisure, so I’ll spare you the details, but there are some questions they raise that they have found useful in the field as they assess the state of an organization’s cyber risk strategy. How would you answer?

  • Is your strategy executive-driven with clear accountability? Senior leadership may be necessary to cut across silos and functions and ensure true enterprise risk management — in other words, to make cyber risk strategy an integral part of the core company strategy.
  • Do you have a dedicated cyber threat management unit? Such a unit can help break down the silos between IT and businesses, and enable a dynamic, intelligence-driven approach to cyber security.
  • Is there a focused effort on automation and analytics? This could drastically increase the ability to identify anomalous behavior and risk patterns, among other positives.
  • Has the “people” link in your defense chain been strengthened? No matter how good your cyber defense, one careless employee can negate it. Boring trainings may get the facts across, but not their importance. It might be worthwhile to consider a more “human-centric” approach that delivers this training with attention to user experience while still being informative.
  • Do you work with others outside the company against common threats and enemies? Industry associations, law enforcement, homeland security and others like service providers, consultants and lawyers can all help with information sharing and reducing the risk to individual organizations.

The one thing we know for sure is that the bad guys will not go away. We have to do all we can to be ready for them.

Howard Mills is director and chief advisor for the Insurance Industry Group at Deloitte LLP and a former Superintendent of the NY Insurance Department.


The opinions posted in this blog do not necessarily reflect those of Insurance Networking News or SourceMedia.

This blog was exclusively written for Insurance Networking News. It may not be reposted or reused without permission from Insurance Networking News.
