Other parts of this series:
Insurers have worked diligently to shield themselves—and their policyholders’ data—from cyber criminals. But cyber risk is evolving. Cyber criminals are becoming increasingly capable of evading traditional measures of protection.
Consider the cyber risk statistics that Accenture highlights in its report,
Making Your Enterprise Cyber Resilient. According to Symantec’s April 2015 “Internet Security Threat Report,” the number of successful data breaches globally rose 23 percent in 2014. Plus, 83 percent of large companies–those with more than 2,500 employees—were attacked, a 40 percent increase in just one year. Attacks against mid-sized and small companies spiked by 30 percent and 26 percent, respectively. Strikingly, nearly one million new malware threats were unleashed every single day in 2014.
The cost of successful cyber attacks—as measured by revenue losses, deterioration of customer trust and loyalty, litigation costs and higher insurance premiums—has increased to in the financial services industry, according to the Heritage Foundation’s “Cyber Attacks on U.S. Companies in 2014.” Among all organizations, the number reporting losses exceeding $20 million nearly doubled that year, the report notes.
The risk associated with data breaches extends beyond those costs. Standard & Poor’s Financial Services LLC has announced that it might downgrade the credit ratings of financial services companies with weak cyber security capabilities, even if the company has not been attacked. We expect other rating agencies will follow S&P’s lead.
What does all of this mean for insurers, especially with cyber security experts suggesting that just about every company faces an inevitable data breach at some point? Besides continuing to harden their data-protection measures, carriers must be prepared to withstand a successful attack without suffering a significant hiccup in operations. To that end, carriers will have to be able to identify potential process and technology failures, detect them as they are occurring and respond to them in a way that mitigates customer harm and their own financial loss and reputational damage.
It’s what we call cyber resiliency. It’s like being the pliable willow rather than the unbending oak that’s at greater risk of breaking during a storm.
And it’s what regulators may well be requiring within a year. The Cybersecurity Task Force of the National Association of Insurance Commissioners has adopted principles which include that state regulatory guidance must be “consistent with nationally recognized efforts such as those embodied in the National Institute of Standards and Technology (NIST) framework.” In New York, where most insurers are admitted, regulators have indicated they will begin holding carriers to that framework within a year.
Companies that already are working on their cyber resiliency share several characteristics. They have:
- More secure processes and systems.
- Strong controls with a strong control environment.
- A solid risk culture.
- Digitized and automated processes.
Cyber resiliency should span business processes and infrastructure. For example, it should include restructuring business processes to reduce the access, dissemination, and reliance on highly sensitive data. It also should involve restructuring infrastructure and systems to limit the extent of potential damage when an attack occurs or systems and processes fail. And it may include re-working ways in which legal and liability protections are incorporated into service agreements to prevent fraud-related losses or expenses associated with remediating affected customers.
Next time: Addressing insurers’ top cyber exposures.
- Download Making Your Enterprise Cyber Resilient (PDF)