Magazine

Dec 2017

Read the latest edition of AIR and MEIR as an Interactive e-book

It's time to join the cyber security conversation

Source: Asia Insurance Review | Oct 2017

Asia Cyber Risk Management Technology

As two waves of ransomware spread across the world and into Asia in 2017, many executives woke up to the reality that highly sophisticated cyber criminals were posing an increasing and significant threat to their businesses. Mr Chris Moyer of DXC Technology discusses the steps insurers can take to manage these risks.
 
 
The insurance industry, which manages the personal data of millions of insureds across the region, is not sheltered from cyber threats, with financial centres such as Hong Kong, Tokyo and Singapore facing the brunt of the breaches and distributed denial-of-service attacks. 
In fact, a 2016 International Association of Insurance Supervisors (IAIS) report noted that increasing cyber attacks and breaches can “harm the ability to conduct business, compromise the protection of commercial and personal data, and undermine confidence in the sector”. At the same time, consumer confidence in the business community’s ability to protect their privacy is at an all-time low. 

   Security is now a key part of most board-level conversations, though many top executives lack the security expertise to fully understand this next generation of threats, how to detect them or how to respond. But times are changing. In 2017, the World Economic Forum released Advancing Cyber Resilience, a set of security guidelines for board members. 

   In fact, insurance leaders can take immediate steps to manage the risks their companies face by asking these questions:
 
1. How can we address the increasing business risks associated with cyber security incidents?
Yesterday’s security approach focused primarily on investing in perimeter protection, compliance and core infrastructure monitoring. It was a fortress-type model. In recent ransomware attacks such WannaCry and Petya/NotPetya, the malware spread quickly from within an enterprise, moving from country to country, eventually affecting more than 400,000 computers worldwide. Even well-patched and endpoint-protected enterprises were vulnerable, as there was no antivirus or anti-malware defence.

   The best response for an insurance company to such an attack is to be prepared. Periodic security assessments are key to the success of the programme. For example, defence against the recent ransomware attacks would have been aided by periodic penetration testing of internet access points. Better awareness of social engineering threats could have increased employee vigilance to phishing attacks.

   It is also important to assess your ability to detect and respond. Attacks spread quickly. You cannot wait to plan your response at the first sign of an incident. Make sure you have a fully tested response plan in place to mitigate this risk. When an incident occurs, all stakeholders, employees and partners should know exactly what they need to do. 

   Attack simulations assist with preparation, as do practising business continuity plans. Insurers are experts at risk, but risk management plans should also include the potential impact of malware and ransomware attacks, and wider data loss affecting sensitive customer data. Hackers are known to hold stolen information for ransom, so it is important that every organisation has a clear policy and strategy for any negotiation. 
 
2. How can security and compliance work more closely together? 
Security and compliance ultimately serve the same purpose: to protect the enterprise. The difference is simply in why insurers need these functions. Compliance is something you are required to do. Security is something you need to do.

   Concerns over customer privacy, however, are underscoring the need for both. While many countries in Asia have historically lagged behind Europe in privacy rights, new rules from the European Union (EU) going into effect in May 2018 are expected to have sweeping effects throughout the world. The EU’s General Data Protection Regulation (GDPR) ensures customers’ rights to control who accesses their data and shopping profiles, how long data can be stored, when it needs to be erased, and who’s notified in case of a breach. 

   GDPR is similar to Japan’s opt-in privacy laws that went into effect in 2017. However, Japanese consumers are still sceptical about privacy. A 2017 online poll by Rakuten AIP found that fewer than one-fifth (18%) of consumers are confident their information held by companies will not be stolen.

   On the brighter side, improving consumer confidence presents an opportunity for companies to build trust online and drive demand for cyber insurance.

   Regardless of new regulations, customer privacy should be a board-level conversation. Instead of viewing data protection as just another mandated compliance activity, insurers should view it as a way to gain trust with policyholders, improve the overall management of data and eliminate storage duplication. 

   In fact, a recent DXC Technology study found that up to 40% of an enterprise’s data is duplicated or unnecessary. A comprehensive approach to data and security will help eliminate data silos across the enterprise, ensure standard policies and drive better outcomes through accurate analytics. 
 
3. How can we manage risks as we adopt more digital business models such as cloud, mobility, the internet of things (IoT) and analytics?
Many insurance companies in 2017 find that their complexity and scale are increasing and their digital transformation demands are growing, while their security design remains stuck in the old model of primarily perimeter-based prevention. 

   Companies are now using cloud environments for multiple business solutions, ranging from cloud storage to specialised software-as-a-service tools for analytics, claims assessment and even HR and accounting. Technologies such as mobile applications and IoT-enabled devices are adding new layers of functionality but also increasing the number of threat surfaces to protect.

   These environments need added systems management and security monitoring to prevent key data from leaking outside the organisation. There are multiple solutions to address identity, data loss prevention and compliance reporting, but many companies do not have the in-house experience to address these needs.

   As an organisation extends beyond its existing capabilities, it makes sense to partner with outside experts for global threat intelligence and 24x7 monitoring and incident response capabilities. 

   By partnering with a team that is designed to act quickly, your company will be prepared to deal with many of the common challenges associated with a cyber security incident, such as a sudden need to contain the malware and then remediate or execute a forensic analysis of how the malware was introduced into the environment. This is also an opportunity to move your security costs to an on-demand, as-a-service model.
 
4. How does the cyber risk team work with the organisation’s broader enterprise risk function?
Many insurance organisations have still not taken the step of elevating security to the C-suite. In fact, in March 2017, regulators in India required all insurers (except those founded in the past three years) to appoint a Chief Information Security Officer (CISO) responsible for articulating and enforcing the policies to protect information assets. Duties include data, applications, operating systems, network layers, security audits and legal requirements for cyber security.

   A growing responsibility of the CISO is communication within the organisation, between partners and supply chains, and with industry organisations. This has become more important as cyber criminals continue to extend their reach and capabilities. 

   Within your organisation, the enterprise risk, cyber risk and compliance functions must be connected and speak the same language. This helps create a clearer picture of business context and how cyber risk translates into business impact. More importantly, it ensures these functions are not all competing with one another for attention and investment money.
Next steps
By answering these questions, an insurance company can begin a dialogue to launch security improvements and increase focus on disciplined and planned risk management. However, to ingrain more stringent cyber security practices into the organisation’s culture, insurers need their IT security executives to deliver answers in common business language – not security technobabble. 

   Clear progress reports should be agreed upon by all stakeholders and communicated throughout the organisation. Employees and applications continue to be the No. 1 entry point for cyber attacks. The best way to combat this is to keep cyber security top of mind, clearly understood by all and debated in the normal course of business. A 
 
Mr Chris Moyer is Chief Technology Officer for Security at DXC Technology, one of the world’s leading providers of security advisory and managed security services. He helps customers in multiple industries increase their cyber resilience. He has spent more than 25 years building business and technology solutions for clients across the globe. Mr Moyer is a member of the Institute of Electrical and Electronics Engineers. Connect with him on Twitter and LinkedIn.
 
CAPTCHA image
Enter the code shown above in the box below.

Note that your comment may be edited or removed in the future, and that your comment may appear alongside the original article on websites other than this one.

 

Recent Comments

There are no comments submitted yet. Do you have an interesting opinion? Then be the first to post a comment.