assaults. “We look at where the attacks
are coming from in our log data, and they
are from all over the globe,” Herath says.
“Some are from the U.S., but a lot are
from Eastern Europe, Asia, and Brazil,
feeling us out and trying to determine if
we are ripe for the picking.”
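The kind of log review Herath describes, as an added example that is not code from the article or from any insurer it mentions: parse OpenSSH-style authentication log lines, count failed logins per source address, roll them up by region, and flag sources whose pattern (repeated failures, or failures against several different user names) looks like probing rather than a user mistyping a password. The log lines and the IP-to-region table are constructed for the demo; a real deployment would consult a GeoIP database instead of the table.

```python
"""Aggregate failed-login attempts by source address from auth-log lines.

Added example, not from the article. The log lines and the IP-to-region
table are constructed sample data; the region table stands in for a GeoIP
lookup.
"""
import re
from collections import Counter, defaultdict

# Constructed OpenSSH-style log excerpt (documentation-range addresses).
SAMPLE_LOG = """\
Mar  3 02:14:11 portal sshd[2310]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 02:14:13 portal sshd[2310]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Mar  3 02:14:15 portal sshd[2312]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  3 02:16:40 portal sshd[2340]: Failed password for jsmith from 198.51.100.22 port 40112 ssh2
Mar  3 02:17:02 portal sshd[2351]: Accepted password for jsmith from 198.51.100.22 port 40118 ssh2
Mar  3 02:20:09 portal sshd[2377]: Failed password for invalid user test from 192.0.2.55 port 33001 ssh2
Mar  3 02:20:10 portal sshd[2377]: Failed password for invalid user test from 192.0.2.55 port 33002 ssh2
Mar  3 02:20:11 portal sshd[2377]: Failed password for invalid user oracle from 192.0.2.55 port 33003 ssh2
Mar  3 02:20:12 portal sshd[2377]: Failed password for invalid user guest from 192.0.2.55 port 33004 ssh2
"""

# Stand-in for a GeoIP lookup; the mapping is invented for the demo.
REGION_OF = {
    "203.0.113.7": "Eastern Europe",
    "192.0.2.55": "Asia",
    "198.51.100.22": "U.S.",
}

# Matches both "Failed password for <user> from <ip>" and the
# "invalid user <user>" variant sshd emits for unknown accounts.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failed_logins(log_text):
    """Return a list of (user, ip) tuples, one per failed-login line."""
    hits = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            hits.append((m.group("user"), m.group("ip")))
    return hits


def failures_by_source(log_text):
    """Count failed logins per source IP address."""
    return Counter(ip for _, ip in parse_failed_logins(log_text))


def failures_by_region(log_text, region_of=REGION_OF):
    """Roll per-IP counts up to regions; addresses missing from the
    lookup table are reported as 'unknown' rather than dropped."""
    out = Counter()
    for ip, n in failures_by_source(log_text).items():
        out[region_of.get(ip, "unknown")] += n
    return out


def probing_sources(log_text, threshold=3):
    """Sorted list of IPs with >= threshold failures, or with failures
    against two or more distinct user names. Either pattern is the
    'feeling us out' behaviour: guessing one account's password, or
    enumerating accounts. A single failure for one user is left alone."""
    users_per_ip = defaultdict(set)
    for user, ip in parse_failed_logins(log_text):
        users_per_ip[ip].add(user)
    counts = failures_by_source(log_text)
    return sorted(
        ip for ip in counts
        if counts[ip] >= threshold or len(users_per_ip[ip]) >= 2
    )


if __name__ == "__main__":
    for region, n in failures_by_region(SAMPLE_LOG).most_common():
        print(f"{region:15s} {n}")
    print("probing sources:", probing_sources(SAMPLE_LOG))
```

On the sample data the legitimate user at 198.51.100.22 (one failure, then a successful login) is not flagged, while the two addresses guessing at admin/root and cycling through account names are. The two-user rule catches slow enumeration that would stay under a pure count threshold.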
Starting with Strategy
Insurers need a defense-in-depth
strategy that includes technology,
processes, and people. Technological
defenses remain the strongest—or at
least the most controllable—link in the
chain. Next-generation (NG) firewalls,
intrusion detection, and data loss
prevention are essential safeguards for
any insurer. However, with the variety
of tools available, companies need to
know which solution best fits their risk
management strategy.
“Having an overall strategy is the
biggest thing missing at some companies
because they look at the tools first,” says
Tow. “The good news, however, is that
board-level staff and senior management
understand the need to improve programs.
They are asking for cyber security
updates and are willing to allocate the
budget and resources to security.”
Dunbar reports that his department
has solid backing from upper management.
“I report to XL’s chief enterprise
risk officer and I have his support, as well
as internal audit support and the support
of the CEO,” he says.
As part of its defense-in-depth
security strategy, XL has focused on the
risks of mobile technologies. All mobile
devices, including company-issued
phones and USB drives, are encrypted.
XL’s portal infrastructure also incorporates controls that restrict the download
of data to only approved and encrypted
devices, and data loss prevention (DLP)
software monitors all data that moves
outside the organization.
A growing risk for insurers in the
world of mobile is the increased demand
for bring-your-own-device (BYOD)
from users. XL uses mobile device management
software to provide containerization
of potentially sensitive data on
user-owned endpoints.
“A big risk with mobile devices is
that users can move data insecurely on
the device once they’ve received it. We
require users to install mobile device
management software on their device if
they want to receive XL email or other
information,” Dunbar says.
In addition to providing proactive
control through containerization, the
software also allows XL to wipe data
from a device if it’s lost. “It puts more
restrictions on the individual regarding
how they can use their device,
but we feel it is an essential control,”
Dunbar says.
People and Processes
Technology may be the strongest link in
the cyber security chain, but it is only
effective if it’s used consistently and correctly. Bad practices at the organizational
level can thwart the best technology
controls.
“Companies fail at the basics,” says
Greisiger. “Whether it’s a large company
or small, the amount of private informa-
The Shame of It All
Cyber insurance is a booming business for insurers. According to the
2013 Betterley Report, the cyber/privacy insurance market is a $1.3
billion business—up from $1 billion the year prior. In Zurich’s 2013 Cyber
Liability Risk Management Survey, more than half of the respondents
reported purchasing cyber liability insurance—the first time in the history
of the survey this has surpassed the 50 percent mark.
With all that activity, the question arises of whether insurers with experience from underwriting the coverage are leveraging that experience in
their own risk management efforts around cyber security.
“The answer to that is it’s inconsistent,” says Ash Raghavan, principal
in Deloitte’s enterprise risk services. “Some organizations do have
that line of sharing, others are working through it, and some are just
getting started.”
“The insurers that write [cyber] are not nearly as well protected as many
of their clients,” observes Stephen Applebaum, senior analyst covering P&C insurance at Aite Group. “There is this irony that underwriting
doesn’t talk to claims and claims doesn’t talk to underwriting, so the
area of ‘cross pollination’ appears from my exposure to be fairly limited.”
XL Group’s Thomas Dunbar, senior vice president and chief information risk officer, says that his department does work with underwriting
around cyber risk.
“As underwriters have put together questionnaires for companies in
order to gain an understanding of what their security programs look
like, we’ve helped them with the question set. We help them know what
basic questions to ask and, based on the answers, what questions to ask
after that,” he says.
“Likewise, we’ve taken what underwriting has learned and strengthened
our own security team. We supported each other,” he adds.
Physician, Heal Thyself