The threat of cyber attacks is very real. Over the past few decades, the adoption of technology to support activities across the insurance value chain, coupled with the use of the Internet as a viable sales channel, has led to tremendous gains in efficiency for insurance companies. Unfortunately, the pace of adoption of cyber protection mechanisms has not caught up; in some cases, companies have focused too narrowly on either government mandates or regulations.
Cyber threats are constantly evolving. Many are focused on hijacking financial transactions using phishing techniques. With the convergence of financial products within insurance companies -- which now offer brokerage, investment management and banking products -- the opportunities for hackers to realize financial gain from their cyber attacks have increased significantly. Gone are the days when the primary motivation for these attacks was personal glory.
Recent focus has been on protection technologies, such as malicious-code detection tools, content filters, wireless handheld device security and endpoint security. For these technologies to be effective, however, carriers need comprehensive strategies that include all aspects of the enterprise: people, process and technology.
Insurers need to understand the risks associated with the information contained within their systems. When companies understand the risks, they can then design appropriate mitigation strategies that include technologies that can detect and, in some cases, prevent cyber attacks. Given the rapid evolution of these attacks, it is important that insurers are proactive in seeking and deploying technologies that aid in prevention. This is where senior management commitment is extremely important.
Technology alone can never be the silver bullet. It is only one aspect of a comprehensive information protection strategy that can help insurers mitigate cyber risk.
While there are several elements of a good cyber risk management plan, the key ones include senior management commitment; organizational education and awareness; thorough understanding of information and data risks; implementation of effective policies, procedures and technologies; and a proactive approach toward management of emerging risks. In fact, PwC's research has shown that there are two things companies can do that correlate with lower levels of security breaches and downtime: 1) have a senior executive, such as a CISO, dedicated to security, and 2) have a documented security strategy. If insurers develop effective organizational capabilities that include all of these elements, they can be more confident of defending against the threats of today and the future.