We Need New Templates for Cyber Risk Management

Howard Mills
Insurance Experts' Forum, May 6, 2014

How many CIOs are in the audience, and how many board members have they brought with them?

That was the thought going through my mind as I sat listening to presentations at the Cyber Liability Risk Spring Event presented by the NAIC’s Center for Insurance Policy and Research (CIPR) in Orlando days after news of the Heartbleed virus broke.

We have seen major changes in corporate governance in the recent past. The role of the chief financial officer (CFO) has changed from one primarily concerned with reporting results to that of a forward-looking adviser intimately involved in and partnered with every aspect of the business. The role of the chief risk officer has similarly enlarged as enterprise risk management has become recognized as a key to success in business.

Now it is time for CIOs to make sure their role expands, and take with them their board members — many of whom may be as complacent about cyber risk as I once was. Board members need to know what CIOs already do: the finest technical capabilities in the world — the best programmers, the most effective cyber defenses, the most detailed risk management — is not enough to protect against cyber risk. We need to find new tools.

Also see: Is the Insurance Industry Facing a Cyber-Cat? Thousands of Websites at Risk to Heartbleed Bug 

Insurance company CIOs are wonderfully positioned to lead this transition. Not only are insurers on the front lines in the cyber risk fight themselves, they can also help clients discover and leverage best practices across industries.

Doing this is just good business, because otherwise, insurers are going to be the ones paying out as courts evolve to recognize data, privacy and other damages — as well as already recognized concerns like supply chain damage — that often evolve from cyber-attacks.

There is no completely safe cyber interaction. If your company has cyber relations with another — and who doesn’t these days — it is also having cyber relations with everyone that company has had cyber relations with. And so on, and so forth … and no barrier can keep you completely safe.

Also see: 10 Cybersecurity Tips from the FCC

The scary part is this is just with the connections we have today. What happens as the Internet of Things develops? We’ve seen with mobile devices that consumers don’t want walls. What happens when a customer’s refrigerator becomes the way into your network?

Professor Lance Hoffman of George Washington University shared one possible answer at the event. He suggested a consortium of stakeholders — including the insurance industry, government and academia — would be one way to figure out the best approach to security in the future.

As the Internet of Things expands, such a consortium could begin to set standards instead of having unreasonable or unworkable standards built in. In the absence of insurance industry leadership or involvement, tech firms could build their own devices with little or no privacy, security or audit logging built in.

As an alternative to that anarchy, a consortium could move toward the establishment of a research agenda that would examine policy management and technology questions, including the potential of a global cyber loss database with proper privacy controls in a business model that would make such a database viable and sustainable.

Perhaps this is not the only alternative, but it is one route to consider. It seems obvious to me that we need to start considering something. That means that CIOs must take the lead, even if it means having to give a wake-up call to board members who, like me, may feel pretty good about all we have already done to keep our systems secure.

Howard Mills is director and chief advisor for the Insurance Industry Group at Deloitte LLP and a former Superintendent of the NY Insurance Department.

Readers are encouraged to respond to Howard using the “Add Your Comments” box below.

The opinions posted in this blog do not necessarily reflect those of Insurance Networking News or SourceMedia.

This blog was exclusively written for Insurance Networking News. It may not be reposted or reused without permission from Insurance Networking News.

Comments (0)

Be the first to comment on this post using the section below.

Add Your Comments...

Already Registered?

If you have already registered to Insurance Networking News, please use the form below to login. When completed you will immeditely be directed to post a comment.

Forgot your password?

Not Registered?

You must be registered to post a comment. Click here to register.

Blog Archive

Driverless Cars: Unintended Consequences for Insurers to Watch

When bad or unexpected or unusual things happen, the computer gives up control and hands it back to the now woefully unprepared occupant.

Why Insurers are Leading on Data and Analytics

A State Street survey finds insurance companies are more likely to be further along in becoming “data innovators” than their financial services counterparts.

The Other Auto Insurance Telematics Shoe Drops

Progressive's decision to charge Snapshot drivers more if their driving data indicates higher risk has started the industry down a road of data-driven adverse selection.

Core Transformation – Configuring in the Rain

The whole point of core transformation is that changes at the micro level can be used as a stimulus for changes at the macro level.

6 Ways to Develop a Productive IT-Business Dialog

Relationship management 101 for keeping IT and business on the same page.

Unified Digital Strategy: Succeeding in the Digital Revolution

A unified digital strategy recognizes that all business strategies and technologies touch the customer in some way and that a one-size-fits-all channel model is obsolete.