Other parts of this series:
- Digital transformation exposes insurers to greater cyber-security risks
- Insurers need to build business resilience to counter the rising threat of cyber-attacks
- Insurers need to instill business resilience throughout their organizations to counter cyber-security risks
- Three key steps that will help insurers beef up business resilience to combat rising cyber-security threats
Insurers can’t counter the threat of cyber-security attacks by just spending more money on their defenses. Security breaches are inevitable. What’s needed is a strategy that builds business resilience. This enables insurers to respond to a digital incursion quickly and effectively.
The need for strong defenses against rising cyber-security threats is putting a brake on many insurers’ plans to expand their digital services. Spending on much-needed cyber-security solutions is depleting the funds available for rolling out new digital offerings.
This juggling between investing in protection and enabling technologies is far from satisfactory. And insurers are coming to recognize this. As I mentioned in my previous blog post, only 38 percent of the insurance executives we surveyed “strongly agreed” that balancing spend-to-protect and spend-to-enable is mature and continuously managed in their enterprise. A further 49 percent merely “agreed.” This indicates the need for significant improvement.
What’s required is a fundamental shift in how insurers, and other organizations, tackle cyber-security. It’s not enough to keep spending on building up defenses against cyber-attacks and trying to avert technical failures. Such an approach will continue to drain the resources insurers need to grow their digital services. It will hamper their efforts to build their businesses for the future. More important: it’s a strategy that just won’t work.
Sooner or later, a big organization, no matter how much money it spends on security, is going to suffer a breach of its defenses. The soaring number of cyber-attacks by criminals and even nation states, and the increasing sophistication of these assaults, mean that even the most robust defenses will at some time be outwitted. The important question is no longer: will we succumb to a cyber-attack? Instead, insurers need to ask themselves: how are we going to react when our defenses prove to be inadequate?
The focus needs to change from just concentrating on protection. A broader view should be taken that continues to address the need to protect the enterprise but also considers how best the organization can react to breaches of its defenses. This is a big change. It requires insurers to adopt a strategy that combines multiple layers of defense with carefully devised and frequently tested responses to limit the damage caused by such incursions. Think of a military officer or a sports coach. They have to put in place the best possible defenses but they must also be ready to respond quickly and effectively should these deterrents fail.
Businesses, just like good military units and sports teams, need to build resilience. They must be prepared to adapt quickly to a security breach or technical failure and minimize the impact of this disruption on their customers, partners and internal operations.
Our research shows that most insurers are not able to display such resilience.
A shift to a cyber-security strategy that focuses on building business resilience is vital for insurers. It will better prepare them to counter the threat, and mitigate the risks, of security lapses and technical failures. In my next blog post I’ll discus how insurers can strengthen their business resilience. In the meantime, have a look at these links. I’m sure you’ll find them useful.