Insurance & Technology is part of the Informa Tech Division of Informa PLC
Jody Westby, CEO, Global Cyber Risk (Washington, D.C.)
Building an Enterprise Security Program Key to Managing Risks

Evaluating the potential for loss and the magnitude of harm helps establish risk categorization, a central piece of any insurer's security program.

There really is no difference between how insurance companies deal with cyber risks and how any other major industry sector deals with them; they all need to have an enterprise security program. This requires the involvement of people from across the organization. It means conducting risk assessments and understanding all of the compliance requirements, implementing controls and metrics, developing policies and procedures, and conducting training and annual reviews.

There are many steps in developing and maintaining an enterprise security program, but insurance firms need to pay particular attention to risk assessments, compliance requirements and controls to ensure that their risks are properly managed. Insurance companies are particularly vulnerable because they house so much sensitive data.

Much of their data may not be protected under a specific law, but it is so personal or private that customers have an expectation of privacy. Expectations of privacy should be treated as a risk and managed equivalently to compliance requirements. If data that policyholders provide to insurance companies is breached, the damage to the company's reputation could exceed that from a breach of personally identifiable information. Policyholders want the insurance they are paying for, but they also want the assurance that the data they provide to their insurance companies is being kept confidential.

Insurance companies' systems are also often interconnected with a number of third-party systems, such as outsourced services vendors, third-party companies that service carriers' clients or process claims, and insurance data banks. With interconnected systems, other systems' risks can become the insurance company's risk, because a vulnerability can enter through a third-party system.

Risk management is particularly important for insurance companies, and it should involve a risk categorization process that ranks risks according to risk of loss -- of data or a system or business function -- and the magnitude of harm that loss would cause the organization. Categorizing risks is a best practice that enables an insurance company to identify the kinds of controls and technologies needed to mitigate each risk; the process requires business, technical and legal personnel to work together.

Effective enterprise security programs are not isolated activities delegated to technical staff. It is particularly important that boards and senior executives of insurance companies exercise oversight of their company's enterprise security program, ensuring that the proper governance structures are in place and that key roles and responsibilities are defined so that cyber risks are effectively managed.
