Insurers understand the threat that cyber criminals pose and have made strides in protecting themselves, but the risk still requires supervisors to redouble their cyber security efforts. As the International Assn. of Insurance Supervisors (IAIS) suggests in its recent Issue Paper on Cyber Risk to the Insurance Sector, cyber security has to rise to priority status, even as insurers juggle so many other critical challenges.
In this blog series on cyber risk resilience, we have examined insurers’ cyber security weaknesses and the guidance on overcoming them that insurance supervisors can find in the Insurance Core Principles (ICPs) that IAIS has developed. Although ICPs do not directly address cyber risk, they are instructive. In wrapping up this series, let’s examine what insurers’ best practices in cyber resilience should entail, based on ICPs:
- Governance. The board and senior management must be committed to a robust cyber resilience framework. A senior official responsible for developing and implementing the framework should have board access.
- Identification and ongoing reviews of business functions, processes and data that must be protected from cyber risk, as well as identification of third-party business relationships that could pose a risk.
- Comprehensive monitoring to quickly detect and prevent or mitigate any cyber security incidents.
- Protection resilience—against both external and internal threats—that includes not only rigorous information technology controls but also adequate training to mitigate the human error risk.
- A plan to respond to, recover from, investigate and communicate about extremely sophisticated cyber attacks that evade an organization’s detection and protection efforts.
- Testing of cyber security systems, both during development and after integration.
- Maintaining cyber threat awareness. Situational awareness can be critical to modifying an organization’s cyber security system to guard against the latest cyber criminal activity, which can evolve daily. For example, through July, 84 million new malware programs have appeared this year, according to AV-TEST—The Independent IT-Security Institute.
- Continual improvement based on lessons learned from your own and others’ cyber incidents and technological advancements.