In my previous post, I looked at the cyber attack landscape in Europe and argued that insurers should take a new approach to data protection. That approach is cyber resiliency, which is the ability to operate business processes in normal and adverse scenarios without adverse outcomes.
It strengthens the firm’s ability to identify, prevent, detect and respond to process or technology failures, while helping to speed up recovery time and reduce customer harm, reputational damage and financial loss. With a tougher line on data privacy and security from regulators and legislators across the continent, it should be at the top of the agenda for insurers.
For example, European legislators have agreed to a new cybersecurity law that will require financial services providers (among other industries) to report breaches to national authorities.[1] And in the United Kingdom, the Prudential Regulation Authority (PRA) has sent a cyber resilience questionnaire to insurers in an effort to “understand firms’ current policies and capabilities in this area.”[2]
Three pillars of cyber resilience
Against this backdrop, European insurers should no longer limit cyber risk management to being prepared for a worst-case scenario. Cyber risks are multidimensional, so cyber resilience strategies should focus on managing three types of risk in particular:
Systems and infrastructure risks
At a minimum, leading technology risk management programs incorporate the following elements:
- Application development standards: How applications, systems and infrastructure are architected and developed to reduce risk.
- Systems and data surveillance: Monitoring and surveillance techniques for identifying, assessing and responding to potential vulnerabilities or breaches.
- Penetration testing: Establishing the resilience of the infrastructure to attacks and proactively identifying where vulnerabilities may occur.
An operational risk management program should encompass the following:
- Risk appetite levels: These define the tolerance thresholds and parameters within which resilience is established for cyber risk management programs, and how cyber events should be handled.
- Process and technology risk assessments: Processes that examine gaps in controls around business processes, products or services.
- Control reviews: Effectiveness assessments that show evidence of proper controls and that help prevent or detect cyber risk-related losses.
- Integrated framework: A cyber risk framework for identifying, preventing, detecting and responding to cyber risks.
Fraud and financial crime
Fundamental elements include:
- Surveillance: The ability to monitor and detect anomalies inside the institution.
- Detective business processes: Business processes designed both to be compliant and to detect criminal or nefarious activity.
- Industry data sharing: Sharing of attack data to improve detection and response techniques and to help reduce unexpected losses tied to fraud and financial crime.
We believe holistic capabilities across risk and security should underpin the approach used to define and deliver cyber resiliency. I’ll elaborate further in my final post in this series.
1. “European Union lays down first cybersecurity rules,” Engadget, December 9, 2015. Access at: http://www.engadget.com/2015/12/09/european-union-cybersecurity-rules/
2. “PRA seeks deeper understanding of insurers’ ‘cyber resilience’,” Out-law.com, August 14, 2015. Access at: http://www.out-law.com/en/articles/2015/august/pra-seeks-deeper-understanding-of-insurers-cyber-resilience/