company’s overall risk program, but it’s
tough to calculate. There’s not a specific
technology or tool out there that will
solve reputational risk.”
“Reputational risk is the multiplier of
multipliers,” Herath says. “Reputational
risk is very real, and it also tends to
excite the fear centers of our brains. That
fear is the reason why most of us actually
spend the money we do [on security].”
“The challenge with reputational risk
for insurers is the unknown,” says industry
analyst Jamie Bisker. “Customers may
say, ‘yes, this company gave me a good
insurance deal, but they notified me of
a breach and I had to monitor my credit
for weeks afterward.’ It makes them very
nervous.”
Defense in Depth
“We’re not different from other companies
in that we consider a number
of different scenarios in cyber risk,”
Nationwide’s Herath says. “That can include
both external and internal threats
as well as risks generated through
partner and vendor relationships. It can
range from individual associates and
agents up to entire companies that we
do business with.”
“All firms are at risk,” says Mike
Money, director of information security
and privacy at global security consulting
firm Protiviti. “There are threats
through email phishing attacks, malware,
advanced persistent threats, social
engineering, viruses, keystroke loggers,
Although P&C insurers may not deal
with as much customer medical
information or financial data as their
counterparts in life and health insurance
or banking, the risks companies face
regarding loss of private information
are just as real. Regulations continue to
broaden the scope of what constitutes
personally identifiable information (PII)
that companies are bound to protect.
Insurers also contend with state regulations that levy penalties and fines even
if no loss has occurred, such as through
wrongful data collection.
“Some states have very active AGs
[attorneys general]. I feel many fund
their departments solely through fines
and penalties,” says Mark Greisiger,
president of NetDiligence, which
provides cyber risk assessment services.
“They come after you for the smallest of
Ash Raghavan, principal in Deloitte’s
enterprise risk services focusing
on cyber risk in the financial services
sector, sees the risk for insurers growing
in a “post-digital” world defined by
wide-scale adoption of cloud computing,
mobile technologies, social media, and
big data.
“Insurers are collecting more
information on customers,” Raghavan
says. “Some are using telematics to get
information about driver patterns and
driver behavior. Many are making their
distribution channels more effective by
providing deeper customer analytics.
They are capturing other information
potentially construed as sensitive by
customers or regulators. They need to
understand all these customer interactions,
what data is being shared, where it
Cloud technologies present new
security exposures, contractual agreements
that favor cloud providers if a
breach does occur, and risks associated
with data aggregation of many insurers
using the same cloud provider. Mobile
technologies create new endpoint
control challenges. At the same time,
the sophistication of attackers continues
to grow.
“The attackers aren’t necessarily
persons or even groups of persons.
They are machines,” says Bryant G. Tow,
partner, Vaco Risk Solutions. “The time
it takes to compromise an unprotected
computer on the Internet is 60 seconds
because it involves machines hacking
on machines.”
Attacks aren’t just automated; they’re
increasingly organized by criminal
groups and geo-political forces bent on
cyber terrorism. “Our biggest concern
right now is what you would call
nation-state hacktivists,” Herath says.
“Just the asymmetry of a potential
attack compared to available defenses is
overwhelming. An organization with
nation-state level spending can attack with
far greater strength than any individual
private actor has the capability of
defending. They can simply throw so much
at you that they are likely to win.”
Nationwide would know. On October
3, 2012, a portion of the computer
network that is used by Nationwide and
Allied Insurance was breached by an
unidentified criminal perpetrator. Over one
million individuals’ names and Social
Security numbers, driver’s license numbers,
dates of birth, employer information,
and other identifying information
were compromised.
Herath couldn’t comment on facts of
the case with litigation surrounding the
breach still in progress, but stressed that
no evidence has come forward that any
information stolen in the attack has been
misused. Nationwide offered individuals
a free credit-monitoring and identity-
theft protection product for one year as
part of its response to the incident.
Nationwide, like most insurers,
continues to fend off organized cyber
The Shame of It All
“The perimeter is no longer the firewall.
The perimeter is the person.”
Bryant G. Tow, Vaco Risk Solutions.