Cyber Risk Strategy Must Evolve to Match Changing Threats

Howard Mills
Insurance Experts' Forum, August 5, 2014

Technology is the lifeblood of financial services today, with platforms designed for sharing data acting as the circulatory system linking insurers internally as well as externally with customers. While the Internet, mobile access, cloud computing and similar platforms are taken for granted by most consumers, they also offer irresistible targets for bad actors with a range of motivations, from larceny to political protest to industrial espionage and everything in between.

So I thought it was time to check in to see the current state of cybersecurity. I listened to a recent presentation by my Deloitte colleagues Jim Eckenrode and Adam Thomas to find out, and what they had to say raised both concern and hope. In this blog, I’ll share with you some of what they told me.

The financial services industry was the most targeted of 26 different industries by cyber criminals, according to a recent study by Mandiant. Financial loss resulting from cyber attacks is the top concern of 36 percent of financial services institutions, but 39 percent are more concerned about disruptions to business and reputational risks, Deloitte reported.

Who are the bad guys? My colleagues at Deloitte found that 37 percent of financial services companies believe individual hackers pose the greatest threat to their organization, while 29 percent believe insiders and third parties pose the biggest threats.

How are the bad guys doing? An analysis by Verizon Risk and Deloitte’s Center for Financial Services found that 88 percent of cyber attacks against financial services firms were successful in less than a day, but only 21 percent of the firms were able to discover these attacks in less than a day, and just 40 percent could restore service in less than a day.

The bad guys are winning, primarily because they can keep one step ahead by deploying a wider array of attack methods.

In a recent Deloitte survey, 75 percent of global financial institutions believed their information security program was at maturity level 3 or higher (on a 1 to 5 scale, with 5 being best), but only 40 percent were confident that they would be protected from outside attack.

That’s a scary number, but completely understandable. The cyber threat landscape is constantly evolving, and cybersecurity must transform itself to keep pace. The basis of this new approach is easy to understand. An effective cybersecurity strategy stands on three legs: being secure, vigilant and resilient.

The “secure” leg is aimed at keeping intruders out, both by using risk-prioritized controls and by working with others in industry and cybersecurity to establish and comply with standards and regulations. Vigilance is aimed at detecting intruders once they do get in, which they often will no matter how good the controls are; it depends on monitoring and on knowing what normal activity looks like so that deviations stand out. Resilience is about containing and repairing damage and returning quickly to normal operations, and it is only as good as the recovery procedures that have actually been exercised.

My colleagues have a whitepaper devoted to this that you can read at your leisure, so I’ll spare you the details, but there are some questions they raise that they have found useful in the field as they assess the state of an organization’s cyber risk strategy. How would you answer?

  • Is your strategy executive-driven with clear accountability? Senior leadership may be necessary to cut across silos and functions and ensure true enterprise risk management — in other words, to make cyber risk strategy an integral part of the core company strategy.
  • Do you have a dedicated cyber threat management unit? Such a unit can help break down the silos between IT and businesses, and enable a dynamic, intelligence-driven approach to cyber security.
  • Is there a focused effort on automation and analytics? This could drastically increase the ability to identify anomalous behavior and risk patterns, among other positives.
  • Has the “people” link in your defense chain been strengthened? No matter how good your cyber defense, one careless employee can negate it. Dull training sessions may get the facts across, but not their importance. It might be worthwhile to consider a more “human-centric” approach that delivers this training in a way that considers the user experience while still being informative.
  • Do you work with others outside the company against common threats and enemies? Industry associations, law enforcement, homeland security and others like service providers, consultants and lawyers can all help with information sharing and reducing the risk to individual organizations.
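To make the “automation and analytics” question above concrete, here is a small added example (not from the original post, and not Deloitte’s or the author’s code) of the kind of anomaly detection the vigilance leg relies on. It learns a per-user baseline of source networks and login hours from a constructed set of historical login events, then scores a constructed batch of new events for three patterns: a login from a network the user has never used, a login at an hour the user has never logged in at, and a success that follows a burst of failures. All event data, user names, addresses and thresholds are invented for illustration.

```python
"""Baseline-plus-rules login anomaly detector over constructed events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample events (not from the original page): (user, ISO timestamp, source IP, outcome)
BASELINE_EVENTS = [
    ("alice", "2014-07-01T09:05:00", "10.1.2.17", "success"),
    ("alice", "2014-07-02T08:55:00", "10.1.2.19", "success"),
    ("alice", "2014-07-03T09:12:00", "10.1.2.17", "success"),
    ("bob",   "2014-07-01T13:40:00", "10.1.3.5",  "success"),
    ("bob",   "2014-07-02T14:02:00", "10.1.3.8",  "success"),
]

NEW_EVENTS = [
    ("alice", "2014-07-10T09:01:00", "10.1.2.17",    "success"),  # ordinary login
    ("alice", "2014-07-11T02:14:00", "203.0.113.9",  "success"),  # off-hours, unknown network
    ("bob",   "2014-07-11T03:00:00", "198.51.100.4", "failure"),
    ("bob",   "2014-07-11T03:00:10", "198.51.100.4", "failure"),
    ("bob",   "2014-07-11T03:00:20", "198.51.100.4", "failure"),
    ("bob",   "2014-07-11T03:00:30", "198.51.100.4", "failure"),
    ("bob",   "2014-07-11T03:00:40", "198.51.100.4", "failure"),
    ("bob",   "2014-07-11T03:00:50", "198.51.100.4", "success"),  # success after a failure burst
]


def network_of(ip):
    """Collapse a source address to its /24 so small address churn within a site is not 'new'."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def build_baseline(events):
    """Per user: the /24 networks and hours of day seen in successful historical logins."""
    nets = defaultdict(set)
    hours = defaultdict(set)
    for user, ts, ip, outcome in events:
        if outcome != "success":
            continue
        nets[user].add(network_of(ip))
        hours[user].add(datetime.fromisoformat(ts).hour)
    return nets, hours


def detect(baseline, events, fail_threshold=5, window=timedelta(minutes=5)):
    """Return (user, timestamp, ip, reasons) for each successful login that deviates from baseline.

    fail_threshold and window are assumed tuning values; a production detector would
    model hour-of-day as a distribution rather than a plain set of hours seen.
    """
    nets, hours = baseline
    alerts = []
    failures = defaultdict(list)  # user -> timestamps of failures not yet followed by a success
    for user, ts, ip, outcome in events:
        t = datetime.fromisoformat(ts)
        if outcome == "failure":
            failures[user].append(t)
            continue
        reasons = []
        if network_of(ip) not in nets[user]:
            reasons.append("new-source-network")
        if t.hour not in hours[user]:
            reasons.append("off-hours")
        recent = [f for f in failures[user] if t - f <= window]
        if len(recent) >= fail_threshold:
            reasons.append("success-after-failure-burst")
        failures[user] = []  # a success closes the current failure run
        if reasons:
            alerts.append((user, ts, ip, reasons))
    return alerts


if __name__ == "__main__":
    for alert in detect(build_baseline(BASELINE_EVENTS), NEW_EVENTS):
        print(alert)
```

Alice’s ordinary 09:01 login from her usual network produces nothing; her 02:14 login from 203.0.113.9 is flagged on two counts, and Bob’s success after five failures in under a minute is flagged on all three. The point for the strategy question is not these particular rules but that a baseline of what is normal has to exist, and be kept current, before any “anomalous behavior” can be recognized at all.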

The one thing we know for sure is that the bad guys will not go away. We have to do all we can to be ready for them.

Howard Mills is director and chief advisor for the Insurance Industry Group at Deloitte LLP and a former Superintendent of the NY Insurance Department.


The opinions posted in this blog do not necessarily reflect those of Insurance Networking News or SourceMedia.

This blog was exclusively written for Insurance Networking News. It may not be reposted or reused without permission from Insurance Networking News.
