In my previous post, I looked at what cyber resiliency means. It is an area where European companies—and not just insurers—lag the US with its tough laws on data privacy and the reporting of data breaches. This picture is expected to change as European legislators introduce more stringent data privacy laws over the next year or so.
Here’s a four-step process European insurers can follow to improve cyber resiliency and prepare for new data protection laws and regulations, as well as to protect their reputations and information assets when breaches inevitably happen:
Insurers should develop the capability to quickly identify where a cyber attack is taking place so they can prevent, detect and respond as necessary. What scenarios can help to proactively prevent events from happening? What are the risk mitigation strategies that a firm could put into place to address impacts before they become real?
Efforts should be focused on preventing and mitigating attacks and breaches instead of minimizing the cost of breaches after they occur.
The questions at the heart of prevention include: How do we control our environment? How do we establish proper technology hygiene in the way we develop and code systems? How do we ensure that proper access controls are in place, using standards such as ISO5 to guide how systems are developed, accessed, reviewed and operated?
With an IT organization that is focused on development and technology innovation, how are people and roles organized so that code is checked and double-checked for vulnerabilities, or so that automated controls and tooling are used to protect against those vulnerabilities?
Detection includes the tools and metrics used to identify and log security-relevant events so that operations can be managed. It also includes operational monitoring: aligning those tools to identify and detect threats, together with the escalation and oversight processes around them.
As currently structured at most firms, surveillance is a reactive process using tools that look at past patterns to determine if a breach has occurred. For surveillance to realize its full potential as part of cyber resilience, it should become more proactive.
In the event a cyber attack occurs, insurers should have in place an event response plan—the structure to help identify and manage action plans—as well as a crisis management process to manage incidents and notify impacted parties.
A firm’s structured approach to cyber risk analysis should span each of the lines of defense to identify the risk components and the aspects of change necessary to give key stakeholders better clarity.
Insurers cannot protect themselves at all times from the myriad potential attacks arriving through multiple channels. So putting in place the structures, technologies and processes that build resilience, meaning fast recovery, is critical to operating effectively in today’s connected world.
It’s worth noting that the new cyber risk landscape can be an opportunity as well as a risk for Europe’s insurers. According to a prominent reinsurance firm, the global market for cyber security insurance policies is estimated at around $1.5 billion in gross written premiums.[1]
The United States accounts for $1 billion of those premiums and Europe only $150 million or so. As Europe’s data privacy and protection laws become stricter and the penalties more onerous, cyber security insurance premiums are likely to show strong growth.[2]
[1] “Cyber Policies on the Rise,” Communications of the ACM, October 2015. Available at: http://cacm.acm.org/magazines/2015/10/192376-cyber-policies-on-the-rise/fulltext