No room for complacency | KPMG | BE
No room for complacency: The need for better cyber security

No room for complacency

No room for complacency

Insurers need to create a smart balance between corporate opportunity and cyber security risks.

More than three quarters of insurance CEOs see cyber security as more of an opportunity than a threat. The obvious opportunity, cyber insurance, is becoming a booming business for many insurers with steadily climbing revenues. Similarly, insurers are exploring how they can extend their capabilities into emerging areas such as protecting the connected home, automated vehicles and personal information.

Besides creating new revenue streams, cyber security is critical to remaining existing ones. Indeed, many insurers are digitizing their enterprise and creating new front-end platforms to get closer to their customers - that requires a keen focus on delivering really strong cyber security. If you can't offer your customer a secure digital experience, you probably won't keep your customers.

Are insurers ready yet?

It is somewhat worrying that, according to KPMG's recent survey of insurance CEOs, 57 percent of insurers are only `somewhat' prepared for a cyber event. Only 26 percent said cyber security is one of their `top of mind' risks, and just 28 percent will `significantly increase' investment into cyber security in the next three years.

Yet based on my conversations with leading insurance CEOs, many has already had an unexpected wakeup call - some have suffered their own breaches, some have learned from the negative experience of others and want to avoid a similar fate. Most recognize that, if they don't improve on their own, the regulators will do it for them.

Not an easy task for insurers

There is no denying that many traditional insurers that come from a classic paper-based business model face an uphill battle when it comes to cyber security. They are working in difficult IT environment, often with legacy mainframe and systems. Nonetheless, they know it will take significant work to remediate their past issues, and even more work to create the right long-term programs to properly protect their business from the ever-evolving and growth risk. Many are now starting to make significant progress on their journey to cyber readiness.

Time for action for insurers

My work with leading insurance organizations suggests that there are a number of actions that insurers should be taking if they hope to survive and thrive in the new environment:

  1. Improve the understanding and awareness of cyber risk at the executive and board level.
    This requires boards and executives to work closely with their 'three lines of defense' to improve awareness and understanding, and it also requires them to have regular discussions and debates on the topic rather than simply waiting until an issue arises or a regulator asks questions.
  2. Prepare for the likely eventuality that they will suffer a debilitating attack.
    Boards and executive teams should be running regular 'desktop' exercises that simulate a cyber-attack and think carefully about how they will react and respond. Conducting these exercises in a safe and controlled environment will allow decision-makers to move quickly and decisively when an attack does occur.
  3. Work closely with the business to identify and assess the risks, goals and solutions for cyber security.
    Those responsible for cyber security within the organization need to help the business identify which programs and platforms are critical to business operations and understand the vulnerabilities of each. They need to have conversations around what needs to be done, at what cost, to secure those systems without reducing business flexibility.

To the secure goes the spoils

There are no quick fixes or silver bullets to becoming cyber defensible. The journey will take time, resources and patience, and it will require boards and executives to have awareness to be able to challenge the decisions made by the business, and it will require the business to be in the 'lead'.

We must also remember that the opportunities created through a strong cyber position and robust controls are massive and vital to future growth.

I believe that the most successful organizations going forward will be the ones that are able to create a smart balance between corporate opportunity and operational risk; to protect their reputations and grow their business and to build trust with clients and regulators - they will be the ones that are best positioned to seize new market opportunities.

Feel free to contact your local advisor if you want to discuss how we can help assess your approach to cyber security and find the right balance for your organization moving forward.

This article is part of the Insurance Newsletter March 2018

Go back to the overview page

Connect with us