While many carriers are attempting to better manage cyber risk, few have mastered the combination of loss prevention and loss mitigation in this area. As Accenture explains in its report, Making Your Enterprise Cyber Resilient, several challenges are holding them back, as does the failure to take a holistic approach to defining and delivering cyber resiliency.
Carriers, like all companies, face at least four challenges.
One is sequestering cyber risk in the technology silo. If only the chief information security officer (CISO) owns the risk, the resulting disparities in risk ownership could lead to insufficient interaction with the chief risk officer (CRO) or with the business. That will limit the visibility of the risk’s frequency and impact.
Insufficient business involvement is another challenge. Companies should manage cyber security risk from a business-centric, enterprise-holistic perspective.
Many companies’ cyber risk mitigation programs also rely too heavily on employee training and communications. Their cyber risk control mechanism, in large part, is an effort to change human behavior.
But the weakest link in cyber resiliency is the human element. Systems usually don’t fail; failings typically are due to human error. A cyber resilient organization can mitigate the impact of a cyber attack without relying solely on people. But that requires right-sized risk-control processes that protect the organization, yet are not overly sensitive.
And because technology-savvy talent is in high demand, and such talent usually follows either a business or a technology career path rather than both, the people available to build a resilient business may be in short supply.
To overcome those challenges, we recommend that carriers adopt a holistic approach to building cyber resiliency. Carriers should tap all of their capabilities to execute risk assessments, support effective surveillance, enhance incident response and strengthen controls to become more cyber resilient.
A cyber resilient carrier:
- Can identify its vulnerabilities. We believe that carriers should go beyond penetration testing and move to advanced adversary impersonation by inside or outside groups, or both, that are assigned or hired to attempt to breach the company’s cyber security defenses. The findings often demonstrate that defense gaps and deficiencies are with people, rather than technologies. Hackers, as a recent high-profile attack demonstrated, can access a carrier’s data by stealing the network credentials of employees with high-level IT access.
- Is organized so it can control its environment and steel it against successful cyber attacks. Carriers should be, among other things, establishing the proper technology hygiene in terms of developing and coding systems, implementing proper change management, ensuring that proper access protocols are in place and providing employees adequate training.
- Implements the tools and metrics needed to identify and log threats to operations. That includes operational monitoring. At most companies, surveillance is a reactive process using tools that look at past patterns to determine whether a breach has occurred. To realize its full potential as part of cyber resilience, surveillance should be proactive. In our experience, the total cost of investing time and resources in comprehensive, preventive surveillance is often less than the cost of investing in disconnected, group-by-group efforts, and the results are usually better.
- Has a response plan—including a crisis management plan—in place in the event of a successful cyber attack. The plan should include validating that an attack is underway and mobilizing the response team; triggering stopgap measures to prevent the exposure from expanding; determining the timing for alerting authorities, regulators and the company’s external media team; and managing public relations to prevent reputational and brand damage.