Although the rise of digital has revolutionized how insurers work and serve their customers, it has also added new and more severe dimensions of risk. Coping with these digital risks is now an urgent matter. Cyber-attacks are increasing dramatically:
- Five out of every six large companies (those with more than 2,500 employees) were attacked in 2014—a 40 percent increase over the previous year.
- Fifty-nine percent of insurers experience significant daily or weekly attacks that test the resilience of their IT systems.
- More than 317 million new pieces of malware were created in 2014, meaning nearly one million new threats were released into the digital world each day.
Although technology systems and infrastructure are often “ground zero” for cyber-attacks and other breaches, operational risks—the potential for a firm’s business processes or technology infrastructure to fail—present a number of adverse consequences. Insurers might become unable to communicate with customers, generate transactions or conduct billing. Operational risks also impact brand and reputation, leading to the potential for losses in unquantifiable value as well as actual sales and revenue.
Insurers looking to become more resilient in the face of such risks must develop an operational risk management program that incorporates:
- Risk appetite: Levels that define and incorporate the tolerance and parameters by which resilience will be established for cyber-risk management programs and how cyber-events will be handled.
- Process and technology risk assessments: Processes that examine gaps in controls around business processes, products or services.
- Control reviews: Effectiveness assessments that show evidence of proper controls that can prevent or detect cyber-risk-related losses.
- Integrated framework: A cyber-risk framework for identifying, preventing, detecting and responding to cyber-risks.
A resilient organization recognizes that cyber-attacks and cyber-risks evolve rapidly, occur with high frequency and are unrelenting—meaning they cannot easily be isolated and managed. To meet these challenges, risk management models must be nimble, flexible and proactive with regard to how governance, policy, technology and processes are implemented.
Insurers cannot protect themselves at all times from the myriad of potential attacks through multiple channels. But by improving cyber-resilience, organizations can strengthen their ability to identify, prevent, detect and respond to process or technology failures, and they can recover, while reducing customer harm, reputational damage and financial loss.
To learn more, see the Cyber-resilience: Answering the cyber-risk challenge infographic or download the Making your Enterprise Cyber-Resilient report.