We Need New Templates for Cyber Risk Management

Howard Mills
Insurance Experts' Forum, May 6, 2014

How many CIOs are in the audience, and how many board members have they brought with them?

That was the thought going through my mind as I sat listening to presentations at the Cyber Liability Risk Spring Event presented by the NAIC’s Center for Insurance Policy and Research (CIPR) in Orlando days after news of the Heartbleed virus broke.

We have seen major changes in corporate governance in the recent past. The role of the chief financial officer (CFO) has changed from one primarily concerned with reporting results to that of a forward-looking adviser intimately involved in and partnered with every aspect of the business. The role of the chief risk officer has similarly enlarged as enterprise risk management has become recognized as a key to success in business.

Now it is time for CIOs to make sure their role expands, and take with them their board members — many of whom may be as complacent about cyber risk as I once was. Board members need to know what CIOs already do: the finest technical capabilities in the world — the best programmers, the most effective cyber defenses, the most detailed risk management — is not enough to protect against cyber risk. We need to find new tools.

Also see: Is the Insurance Industry Facing a Cyber-Cat? Thousands of Websites at Risk to Heartbleed Bug 

Insurance company CIOs are wonderfully positioned to lead this transition. Not only are insurers on the front lines in the cyber risk fight themselves, they can also help clients discover and leverage best practices across industries.

Doing this is just good business, because otherwise, insurers are going to be the ones paying out as courts evolve to recognize data, privacy and other damages — as well as already recognized concerns like supply chain damage — that often evolve from cyber-attacks.

There is no completely safe cyber interaction. If your company has cyber relations with another — and who doesn’t these days — it is also having cyber relations with everyone that company has had cyber relations with. And so on, and so forth … and no barrier can keep you completely safe.

Also see: 10 Cybersecurity Tips from the FCC

The scary part is this is just with the connections we have today. What happens as the Internet of Things develops? We’ve seen with mobile devices that consumers don’t want walls. What happens when a customer’s refrigerator becomes the way into your network?

Professor Lance Hoffman of George Washington University shared one possible answer at the event. He suggested a consortium of stakeholders — including the insurance industry, government and academia — would be one way to figure out the best approach to security in the future.

As the Internet of Things expands, such a consortium could begin to set standards instead of having unreasonable or unworkable standards built in. In the absence of insurance industry leadership or involvement, tech firms could build their own devices with little or no privacy, security or audit logging built in.

As an alternative to that anarchy, a consortium could move toward the establishment of a research agenda that would examine policy management and technology questions, including the potential of a global cyber loss database with proper privacy controls in a business model that would make such a database viable and sustainable.

Perhaps this is not the only alternative, but it is one route to consider. It seems obvious to me that we need to start considering something. That means that CIOs must take the lead, even if it means having to give a wake-up call to board members who, like me, may feel pretty good about all we have already done to keep our systems secure.

Howard Mills is director and chief advisor for the Insurance Industry Group at Deloitte LLP and a former Superintendent of the NY Insurance Department.

Readers are encouraged to respond to Howard using the “Add Your Comments” box below.

The opinions posted in this blog do not necessarily reflect those of Insurance Networking News or SourceMedia.

This blog was exclusively written for Insurance Networking News. It may not be reposted or reused without permission from Insurance Networking News.

Comments (0)

Be the first to comment on this post using the section below.

Add Your Comments...

Already Registered?

If you have already registered to Insurance Networking News, please use the form below to login. When completed you will immeditely be directed to post a comment.

Forgot your password?

Not Registered?

You must be registered to post a comment. Click here to register.

Blog Archive

The Peer-to-Peer Economy and the Uberization of Insurance

Insurance is about risk sharing, so what better model to bring in technology and make that risk sharing as efficient and effective as possible?

Rethinking Commercial Lines Underwriting Automation

The value an insurer can achieve from the powerful combination of a modern policy system and a complete suite of advanced underwriting solutions will far outweigh any effort involved.

Students are Pushed to Look Past Obstacles, and so Should We

Student teams, in the space of a few weeks, developed a variety of fresh ideas leveraging unique technologies that could help build products and services for insurance customers.

The Best Policy Administration System I Have Ever Seen

So many systems we view look like they screens were designed by a programmer and, worse, could only be used by a programmer.

Living with the Internet of Things (and crowd funding)

The Internet of Things has it’s teething problems.

6 Technology Priorities for Individual Life Carriers

While many aging, generally mainframe-based systems, remain capable of supporting basic policy processing and accounting functions, the costs associated with enhancing them are becoming increasingly problematic.