Cyber Risk Strategy Must Evolve to Match Changing Threats

Howard Mills
Insurance Experts' Forum, August 5, 2014

Technology is the lifeblood of financial services today, with platforms designed for sharing data acting as the circulatory system linking insurers internally as well as externally with customers. While the Internet, mobile access and cloud computing, among others, are seen as the standard by most consumers, they also offer irresistible targets for bad actors with various motivations — from larceny to political protest to industrial espionage and everything in between.

So I thought it was time to check in to see the current state of cybersecurity. I listened to a recent presentation by my Deloitte colleagues Jim Eckenrode and Adam Thomas to find out, and what they had to say raised both concern and hope. In this blog, I’ll share with you some of what they told me.

The financial services industry was the most targeted of 26 different industries by cyber criminals, according to a recent study by Mandiant. Financial loss resulting from cyber attacks is the top concern of 36 percent of financial services institutions, but 39 percent are more concerned about disruptions to business and reputational risks, Deloitte reported.

Who are the bad guys? My colleagues at Deloitte found that 37 percent of financial services companies believe individual hackers pose the greatest threat to their organization, while 29 percent believe insiders and third parties pose the biggest threats.

How are the bad guys doing? An analysis by Verizon Risk and Deloitte’s Center for Financial Services found that 88 percent of cyber attacks against financial services firms were successful in less than a day, but only 21 percent of the firms were able to discover these attacks in less than a day, and just 40 percent could restore service in less than a day.

The bad guys are winning, primarily because they can keep one step ahead by deploying a wider array of attack methods.

In a recent Deloitte survey, 75 percent of global financial institutions believed their info security program was at a maturity level 3 or higher (on a 1 to 5 scale, with 5 being best), but only 40 percent were confident that they would be protected from outside attack.

That’s a scary number, but completely understandable. The cyber threat landscape is constantly evolving, and cybersecurity must transform itself to keep pace. The basis of this new approach is easy to understand. An effective cybersecurity strategy includes three legs: security, vigilance and resilience.

The “secure” part of this cyber strategy is aimed at keeping intruders out, both by using risk-prioritized controls and by working with others in industry and cybersecurity to establish and comply with standards and regulations. Vigilance is aimed at detecting intruders when they do get in, as they often will, no matter what. Resilience is about repairing damage and returning quickly to normal operations.

My colleagues have a whitepaper devoted to this that you can read at your leisure, so I’ll spare you the details, but there are some questions they raise that they have found useful in the field as they assess the state of an organization’s cyber risk strategy. How would you answer?

  • Is your strategy executive-driven with clear accountability? Senior leadership may be necessary to cut across silos and functions and ensure true enterprise risk management — in other words, to make cyber risk strategy an integral part of the core company strategy.
  • Do you have a dedicated cyber threat management unit? Such a unit can help break down the silos between IT and businesses, and enable a dynamic, intelligence-driven approach to cyber security.
  • Is there a focused effort on automation and analytics? This could drastically increase the ability to identify anomalous behavior and risk patterns, among other positives.
  • Has the “people” link in your defense chain been strengthened? No matter how good your cyber defense, one careless employee can negate it. Boring trainings may get the facts across, but not their importance. It might be worthwhile to consider a more “human-centric” approach while delivering this training in a way that considers user experience and at the same time is informative.
  • Do you work with others outside the company against common threats and enemies? Industry associations, law enforcement, homeland security and others like service providers, consultants and lawyers can all help with information sharing and reducing the risk to individual organizations.

The one thing we know for sure is that the bad guys will not go away. We have to do all we can to be ready for them.

Howard Mills is director and chief advisor for the Insurance Industry Group at Deloitte LLP and a former Superintendent of the NY Insurance Department.

The opinions posted in this blog do not necessarily reflect those of Insurance Networking News or SourceMedia.

This blog was exclusively written for Insurance Networking News. It may not be reposted or reused without permission from Insurance Networking News.
