In the wake of high-profile attacks against large companies and even the US government, corporate leadership is paying more and more attention to cyber-crime. Unfortunately, many of the actions that corporations take can be described as closing the barn door after the horse is gone – management and IT teams take actions to prevent the last breach from taking place again, but the cyber-criminals have already moved on to new approaches and new technologies.
As reported recently in Canadian Underwriter, attendees at an Insurance Institute of Canada event on emerging risks were told that the barriers to entry for cyber-crime are very low. All that potential criminals need are computers, Internet connections and readily available software. The returns for criminals are potentially high and the risk of detection and apprehension is relatively low.
A recent report based on survey research conducted by Accenture and the Ponemon Institute highlighted some of the practices that leading companies use to manage cyber security. These practices include creating a new Chief Information Security Officer (CISO) role, establishing a budget specifically for cyber security and/or significantly expanding the security team. Leading companies are more likely to consider information security a business priority and to align their security objectives with business objectives.
We expect the insurance industry to play a larger and larger role in cyber security. Companies are providing specific coverage against cyber risk (which may fall outside the bounds of standard coverage). More importantly, however, insurers are gathering the data needed to identify both the likelihood and the scope of cyber risk, and to help companies put practices in place to limit and manage these risks. It’s much more desirable to prevent or at least deter cyber-crime than to pay for cleaning up the damage later.