Other parts of this series:
- Digital transformation exposes insurers to greater cyber-security risks
- Insurers need to build business resilience to counter the rising threat of cyber-attacks
- Insurers need to instill business resilience throughout their organizations to counter cyber-security risks
- Three key steps that will help insurers beef up business resilience to combat rising cyber-security threats
Most insurance executives are aware of the dangers of cyber-crime. However, many carriers have been slow to build up business resilience to combat this threat. Resilience needs to be established throughout the organization and driven by the leaders of the business.
Every large insurer is under threat from criminals eager to disrupt or exploit its digital systems. Sooner or later its defenses are going to be breached and valuable data will be at risk. How carriers respond will determine whether such an intrusion is a setback or a disaster.
As I mentioned in my previous blog post, insurers should no longer just concentrate on building up defenses against cyber-attacks and trying to avert technical failures. Security breaches are unfortunately inevitable. Instead, carriers need to build business resilience. This enables them to keep strengthening their cyber-security, and it also allows them to respond quickly to limit damage to their organization should their defenses be breached. Such a strategy is essential. The threat of cyber-crime continues to soar, and so too does the potential damage that security breaches can cause insurers. Our research shows that many carriers have been slow to beef up the resilience of their businesses.
Resilience needs to be established throughout the business. It can’t be confined to enabling technologies or IT systems. It has to be an integral part of how the business functions. Continuity plans and failure scenarios, which encompass the whole of the organization and extend across its value-chain, need to be drawn up and frequently tested and reviewed. They should incorporate the organization’s physical assets, its employees, and its agents and ecosystem partners. All of them are critical to ensuring the business functions smoothly after a cyber-attack or information systems failure.
Responsibility for business resilience can’t be consigned to a single executive such as the chief information officer, chief information security officer or chief risk officer. The head of the organization, the CEO, must take ultimate responsibility but work closely with other members of the executive team to ensure resilience is inculcated throughout the business. When a cyber-security breach occurs, the CEO’s first response should be “How is our plan working?”, not “What is our plan?”
Only half the executives we recently surveyed said they have board-level committees that focus on business resilience. And, on average, only two executives are responsible for monitoring and improving it.
In my next blog, I’ll discuss how insurers can improve their business resilience. Until then, have a look at these links. I think you’ll find them helpful.