Insurance companies cannot protect themselves from cyber-attacks 100 percent of the time. In spite of their best efforts, breaches will occur over time. That means that, in addition to increasing the sophistication of their barriers, organizations need to increase their resilience: their ability to bounce back from an attack or other security event and resume normal operations.
In the face of this threat and its associated developments, insurers need to think differently about digital risk management. The protective steps they are taking are important but not enough. Cyber-attacks are not an “if” but a “when and how.” The threats are too frequent and too varied. Attackers are nimble and adapt quickly, and they need little capital or other resources to devise and mount their attacks. Many criminals are already inside a company’s environment, so breaches are inevitable. Traditional preventative measures can slow attackers down but cannot ultimately stop them.
When it comes to insurers’ cyber-defenses, 43 percent of carriers consider their existing defenses to be fully functional. But we believe they could be doing more to bring together capabilities to execute risk assessments, support effective surveillance, enhance incident response and strengthen controls to become more cyber-resilient.
Only 5 percent of insurers continuously and proactively run attacks against their own systems and deliberately induce failures to test them. This is a missed opportunity to add resilience by proactively identifying weaknesses in cyber-defense structures. We believe insurers need to go beyond executing prepared scripts and move to advanced adversary impersonation: internal and/or external groups should be assigned or hired to attempt to breach the company’s defenses, probing networks, applications and other computer systems. Security professionals can then use the findings to improve the company’s defenses.
Most insurers are currently working on a better way to address cyber-risk, but few have mastered it. Why? In our view, carriers face at least four types of challenges:
- Organizational silos.
- Insufficient business involvement.
- Over-reliance on training and communications.
- Talent shortfalls.
Our research also shows that only 14 percent of carriers consistently design resilience parameters into their operating models and technology architectures. Yet technology systems and infrastructure are often “ground zero” for cyber-attacks and breaches. At a minimum, leading technology risk management programs incorporate application development standards, systems and data surveillance, and penetration testing.
Although insurers have walls in place to protect against cyber-events, threats are evolving to evade traditional measures of protection. So putting in place structures, technologies and processes to build resilience is critical to operating effectively in today’s connected world.
To learn more, see the Cyber-resilience: Answering the cyber-risk challenge infographic or download the Making your Enterprise Cyber-Resilient report.