We Need New Templates for Cyber Risk Management

Howard Mills
Insurance Experts' Forum, May 6, 2014

How many CIOs are in the audience, and how many board members have they brought with them?

That was the thought going through my mind as I sat listening to presentations at the Cyber Liability Risk Spring Event presented by the NAIC’s Center for Insurance Policy and Research (CIPR) in Orlando days after news of the Heartbleed virus broke.

We have seen major changes in corporate governance in the recent past. The role of the chief financial officer (CFO) has changed from one primarily concerned with reporting results to that of a forward-looking adviser intimately involved in and partnered with every aspect of the business. The role of the chief risk officer has similarly enlarged as enterprise risk management has become recognized as a key to success in business.

Now it is time for CIOs to make sure their role expands, and take with them their board members — many of whom may be as complacent about cyber risk as I once was. Board members need to know what CIOs already do: the finest technical capabilities in the world — the best programmers, the most effective cyber defenses, the most detailed risk management — is not enough to protect against cyber risk. We need to find new tools.

Also see: Is the Insurance Industry Facing a Cyber-Cat? Thousands of Websites at Risk to Heartbleed Bug 

Insurance company CIOs are wonderfully positioned to lead this transition. Not only are insurers on the front lines in the cyber risk fight themselves, they can also help clients discover and leverage best practices across industries.

Doing this is just good business, because otherwise, insurers are going to be the ones paying out as courts evolve to recognize data, privacy and other damages — as well as already recognized concerns like supply chain damage — that often evolve from cyber-attacks.

There is no completely safe cyber interaction. If your company has cyber relations with another — and who doesn’t these days — it is also having cyber relations with everyone that company has had cyber relations with. And so on, and so forth … and no barrier can keep you completely safe.

Also see: 10 Cybersecurity Tips from the FCC

The scary part is this is just with the connections we have today. What happens as the Internet of Things develops? We’ve seen with mobile devices that consumers don’t want walls. What happens when a customer’s refrigerator becomes the way into your network?

Professor Lance Hoffman of George Washington University shared one possible answer at the event. He suggested a consortium of stakeholders — including the insurance industry, government and academia — would be one way to figure out the best approach to security in the future.

As the Internet of Things expands, such a consortium could begin to set standards instead of having unreasonable or unworkable standards built in. In the absence of insurance industry leadership or involvement, tech firms could build their own devices with little or no privacy, security or audit logging built in.

As an alternative to that anarchy, a consortium could move toward the establishment of a research agenda that would examine policy management and technology questions, including the potential of a global cyber loss database with proper privacy controls in a business model that would make such a database viable and sustainable.

Perhaps this is not the only alternative, but it is one route to consider. It seems obvious to me that we need to start considering something. That means that CIOs must take the lead, even if it means having to give a wake-up call to board members who, like me, may feel pretty good about all we have already done to keep our systems secure.

Howard Mills is director and chief advisor for the Insurance Industry Group at Deloitte LLP and a former Superintendent of the NY Insurance Department.

Readers are encouraged to respond to Howard using the “Add Your Comments” box below.

The opinions posted in this blog do not necessarily reflect those of Insurance Networking News or SourceMedia.

This blog was exclusively written for Insurance Networking News. It may not be reposted or reused without permission from Insurance Networking News.

Comments (0)

Be the first to comment on this post using the section below.

Add Your Comments...

Already Registered?

If you have already registered to Insurance Networking News, please use the form below to login. When completed you will immeditely be directed to post a comment.

Forgot your password?

Not Registered?

You must be registered to post a comment. Click here to register.

Blog Archive

Don’t Wrap Your Organization Too Tight With Metrics

Metrics provide a picture of how business is going, and systems are performing. But do they provide the right picture?

Insurance: The Original Shared Economy

Insurers should look to revisit the roots of the insurance process.

The Seven Flavors of Virtualization

There is no one single form of virtualization – rather, different parts of the IT infrastructure require different approaches.

Can New Technology Turn Older Cars into Safer Cars?

Unless you have the means and motivation to buy a new car every year, your newest car is quickly about to become an older car.

What if Someone Kickstarted an Insurance Company

Our industry is evolving and implementing new innovations, particularly focusing on the customer experience, including the web and mobile.

The Transformative CIO

Today's technology leaders are expanding well beyond their traditional role.