motivate associates with incentives to more alert behavior and
claw-backs, or other disincentives, for leadership responsible for
maintaining that culture of security.
Lack of Strong Governance and an Organizational Risk Management Program
Boards are aware of the need to protect their intellectual property, their data, and their customers' data, and they commonly ensure that a proper audit and compliance exercise is carried out. Having done so, they feel they have done their job. In general, such exercises have little to do with whether you have a secure organization. Audit and compliance are, at best, a baseline, not a comprehensive solution.
Practitioners of “checklist security” leave their organizations
vulnerable because they fail to align measures specifically to
their company’s business processes and objectives. Effective
measures must be tailored both to the broad characteristics of
an organization—such as doing business in geographies with
heightened cyber risk—and also particular activities as they
arise, such as new product initiatives, market expansion or the
opening of new facilities.
Insurers setting cybersecurity policy tend to focus on the home office and its business practices while neglecting activities on the periphery of the organization. Good governance starts with understanding your critical assets, where they are in play, and knowing your end points. The end points matter especially because they are the most external, the most exposed, and generally the
Failure to Appropriately Fund Security Efforts
Many companies tend to invest in their first line of defense. However, few budgets address post-penetration monitoring and analysis. Planning drops off significantly from the point of breach, but that is often where the real work and the real investigation begin. If a hacker gets in, are you equipped to detect which server was attacked and the workstation where the intrusion began? Can you detect what data was taken? Whose credentials were used?
Many systems fall short in the post-penetration phase of the
There is also a tendency to underfund training that addresses the human element of cybersecurity. Budgets are aimed—appropriately enough—at securing the network and the machines. However, many of the worst breaches occur at the human link of the cybersecurity chain.
We've heard many stories of lost laptops replete with customer information, or of sensitive data transmitted over unsecured personal channels. Training on cybersecurity protocols for the use of mobile devices has become essential in this digital age. But business people also need to learn about the human element of attacks.
One of the greatest threats today is "spear-phishing," which works not by trolling opportunistically for a mark but by actively seeking out a specific individual, such as a company executive involved in a negotiation. This cynical practice can extend to tactics such as infiltrating relatives' social media activities to glean useful insights. Executives—and all company associates—need awareness training in order to reduce exposure to this type
Inherent Weakness at Estimating Risk
Insurers have better reason than most to know that analyzing
risks takes special skill. Research supports the conclusion that
most of us are bad at evaluating risk, and corporate directors are
Board members should seek expertise and educate themselves about the ever-changing nature of cyber risk. They need access to research on the behavioral science of bad decision-making. They should also seek out specific legal expertise and include a cybersecurity expert on their board.
What it Comes Down To
When it comes to cybersecurity risk, it’s not so much that
insurance company boards of directors are irresponsible as that
the concept of responsibility lags behind the reality of business
technology. The emergence of e-commerce has created new
kinds of exposure, and the continuing proliferation of new sales
and service channels is multiplying exposures at an exponential
In this brave new world, cybersecurity stewardship falls
within the due diligence of directors, and those who fail to tackle its challenges methodically are increasing the risk of harm to
their companies’ reputation and assets—and potentially even to
Laszlo S. Gonc is a partner and security, IT risk and compliance practice lead at MVP Advisory Group. Donn Vucovich is managing partner at MVP Advisory Group. You can contact Gonc at laszlo.gonc@mvpadvisorygroup.com or Vucovich at donn.vucovich@mvpadvisorygroup.com for more information.
Laszlo Gonc and Donn Vucovich will be part of a panel on cybersecurity at the ITA LIVE 2016 conference from April 20-22, at the Fort Lauderdale (Fla.) Marriott Harbor Beach Resort and Spa. They will be joined by Marcus Curley of Mountain West Farm Bureau Mutual Insurance, for a session called: Top 10 Cybersecurity Risks: How to Protect Your Company and Reputation.