Florian Widmer, Head of Information Risk and Project Risk at the Zurich Insurance Group, talks about the right way to deal with cyber threats and discusses some of the latest trends in the area of cyber security in greater detail.
There are a wide variety of important trends to consider. These include digital transformation and the introduction and implementation of multi-sourcing strategies, which are amplifying cyber threats by increasing connectivity and creating new vectors of attack. The overarching trend is that attack methods are becoming increasingly sophisticated. This is of course nothing new; it has been going on for years. In fact, cyber-attacks have become the norm. Organizations must assume that they are under constant threat of attack.
Again, there are some basic assumptions that have been valid for many years. One of them is that we need a balanced approach with regard to protection, detection and response capabilities. That's merely the basics. In my view, it is essential to look beyond technology. The major cyber security challenge for most organizations lies in the way in which technology is adopted into business processes and changing human behaviours. This is reflected in numerous studies into the root causes of cyber incidents, which show that the vast majority of incidents are not caused by technology failings but rather by poor processes and human error. The starting point should be to get a clear view on what's at risk in your organisation and to develop an understanding of who might attack what for what reasons and how sophisticated their capabilities are. In other words: it all starts with the why. Factoring this in, you then need to develop a cyber-risk strategy based on the dynamics of your business and operating model, your business strategy, and your risk appetite.
Another related key point is that the IT department should not be the sole owner and driver of cyber security. It is the responsibility of the whole organisation. Of course you need specialised officers with state-of-the-art knowledge of technology and risk, but you also need professionals that know how to communicate with the business and who at least have a good understanding of what's going on in operations. That is a prerequisite for business adoption of cyber security.
There is no doubt that collaboration between organizations and institutions is important. Sharing insights across industries can only help businesses prepare for attacks and improve the collective threat intelligence, which is an important aspect of cyber resilience. Having said that, I feel that there's definitely room for improvement when it comes to sharing insights. Solutions based on trust among peers are good, but not sufficient as these are not scalable. We need anonymized ‘loss’ databases to get a comprehensive understanding of risk.
More specifically, the insurance sector is piloting initiatives to exchange data on claims resulting from cyber-attacks, including data on the root causes and the financial consequences. The use of a central clearing house ensures that data remains anonymous and contributes to better insights into this relatively new area. Right now, there is a lack of sufficient data and a lack of appropriate risk models, which are critical requirements for developing insurance products in this area. The better the industry can assess risks, the better it can service customers with insurance products and also with advice on how to avoid or respond to incidents.
That's a big question. Looking at it from a distance, we can distinguish two major trends. One is that business processes are becoming more tightly coupled, primarily due to robotic process automation. The other is that we are moving from linear to complex, interconnected interactions. For example, it is estimated that a considerable volume of transactions and content authoring will be conducted by autonomous software robots within a couple of years. That means that in terms of cyber security we will have a reduced tolerance for system failure and processing errors. The effect of an incident is simply bigger. As a consequence, cyber security will be imperative to success in the fourth industrial revolution.
© 2018 KPMG Holding AG is a member of the KPMG network of independent firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss legal entity. All rights reserved.