Other parts of this series:
A comprehensive study from Accenture Security estimates that it will take two to three years for insurers to achieve mastery in cybersecurity. But what does mastery look like, and where should insurers prioritize their efforts to achieve it?
Cybercrime can be extremely expensive. The 2017 Cost of Cyber Crime Study from Accenture Security found that the potential scale of cyber crime is rising, costing on average $2.4 million to address a malware attack.
To better understand insurers’ cyber resilience, Accenture Security’s 2018 State of Cyber Resilience survey evaluated 33 cyber capabilities of insurers across seven domains: business exposure, cyber-response readiness, strategic threat context, resilience readiness, investment efficiency, governance & leadership and extended ecosystem.
The study found that between 2017 and 2018, the number of cyber capabilities mastered by insurers almost doubled, from 12 to 20. The report also projects that it will take two to three years for insurers to achieve mastery in cybersecurity.
But what does mastery in cybersecurity look like?
Seven keys to mastering cybersecurity
In an ideal world, an insurer would master all 33 cyber capabilities that were included in our research. In reality, our report outlines seven that are paramount to mastering cybersecurity:
- Identify breaches quickly. To contain the damage caused by a cyber breach, insurers should be able to recover in hours, if not days. But 67 percent of insurance companies said it takes 30 days to remediate a breach.
- Involve groups beyond the immediate cybersecurity team. Our study found that the immediate cybersecurity team identified only 64 percent of all breaches. Of the remaining attacks, 66 percent were identified internally by employees.
- Focus on the right performance measures. When insurers manage risk, they’re mostly focused on minimizing underwriting losses. To properly analyze the threat of cyber risk, insurers need to take a broader view of risk management: one that includes operational risk metrics.
- Keep an eye on internal threats. When it comes to causes of cyber attacks, 72 percent of insurers ranked malicious insiders as the most frequent source. Insurers with large workforces of employees and contractors are especially at risk.
- Extend cybersecurity standards across your ecosystem. Ecosystems are critical for insurers’ ability to provide living services: highly relevant, personalized interactions that go beyond the insurance transaction. But less than half (41 percent) of insurers surveyed hold their partners to the same cybersecurity standards as they do their own business. What’s more, in a broad ecosystem where insurers share data with partners, the need to manage a massive number of connection points brings tremendous risk.
- Test and stress test. Insurers must be more rigorous and persistent than the most highly motivated attacker and as I’ve said before, the only way to truly understand your defenses is to actively test them. White-hat hacking or bug bounties are some of the ways that insurers manage this.
- Don’t overemphasize perimeter controls. As mentioned above, malicious insiders are the most frequent source of cybersecurity breaches. In addition, insiders may inadvertently expose their organization through social engineering or phishing. Advanced perimeter controls don’t compensate for weaker security elsewhere, so insurers should think about the entire attack chain and shore up defenses at every step.
By focusing on these seven capabilities, insurers can master cyber resilience—and reduce cyber risk to a manageable level. However, it’s important to note that even insurers that have mastered cyber resilience cannot be complacent, because there will always be another threat on the horizon.
Join me next week as I look at how IT trends are fueling the future of cybersecurity.
Register to download the full report, “Insuring the Future: 2018 State of Cyber Resilience for Insurance.”
To learn more:
- Read my previous blog series on the current state of cyber insurance—and what the future might look like.
- Read Werner Rapberger’s blog series on the cyber insurance opportunity.
- Contact me to discuss how Accenture can help you foster cyber resilience.