While safeguarding information assets is not a new business objective, cybersecurity has emerged as an area of critical concern for executives and boards of directors. As organizations’ key business operations have become more technology-reliant, they have also become more vulnerable to a cyber-attack. Increasingly frequent and high-profile cyber-attacks against insurance companies, banks, and national retailers are further pushing organizations to examine their own cybersecurity profile to understand the potential threats they may face and determine how best to manage their associated risks.
At the National Association of Insurance Commissioners’ (NAIC) Spring 2014 National Meeting, Kenn Kern, Deputy Chief of the Cybercrime and Identity Theft Bureau with the Office of the New York District Attorney, outlined the following as the top cyber threats for insurance companies:
- Denial-of-service attacks: Preventing legitimate access to and use of information or services by monopolizing limited system resources or modifying key system configurations
- Hacking: Gaining unauthorized access to computer systems and data
- Theft of personally identifiable information (PII): Accessing personal data (e.g., name, address, payment card information, and user credentials) which can then be used for fraudulent purposes
- Theft of intellectual property: Obtaining proprietary strategic, operational, or financial data; often committed by commercial rivals or disgruntled employees seeking to damage the organization for their own gain
Regardless of the method of cybercrime that may be employed by attackers, a breach often leads to significant adverse consequences (e.g., loss of customers, reputational decline, and financial penalties). In addition, the daunting logistics of dealing with a cyber-attack often include simultaneously conducting a forensic analysis of the breach, initiating breach notification procedures, and fielding inquiries from customers, business partners, regulators, and the press. This often results in a loss of organizational productivity.
Insurance companies must develop a proactive cybersecurity strategy in order to manage their cyber risks before they become a problem. While the strategy details are driven by each organization’s business and information technology environment, they should incorporate the following components:
- Integrate strategies: Involve all departments and operations - cybersecurity is an organizational issue, not an information technology (IT) issue or a compliance issue
- Identify risk factors: Understand the business and information technology environment, identify key information assets, and determine risks to those assets
- Implement controls: Develop control processes to enable the organization to prevent, detect, and respond to cyber threats
- Monitor and refine: Monitor the effectiveness of the control environment and continue to adapt control processes to the changing threats and overall risk profile
- Assess and adjust: Assess and adjust the strategy as the risk and threat landscape evolves over time
Insurance companies that lack the internal resources to develop and implement a cybersecurity strategy may benefit from the support of an experienced specialist. Cybersecurity specialists can enable a company to mitigate risks efficiently and effectively by helping it:
- Develop and integrate the strategy within the organization
- Identify risk factors specific to their business and technical environment
- Design and implement control processes to mitigate risks
- Establish monitoring mechanisms to validate control environment effectiveness
In summary, a robust cybersecurity strategy can help insurance companies meet the growing challenges posed by hackers and cyber criminals by identifying risks, remediating weak control processes, and ensuring that the organization is able to withstand attacks now and in the future.
For more information on this topic, or to learn how Baker Tilly insurance specialists can help, contact our team.