To effectively address cybersecurity issues and the myriad regulatory requirements taking shape, insurers should consider taking several steps.
Executive SummaryFTI Consulting Managing Director Scott Corzine sets forth seven recommendations for insurers to consider as financial regulators at the federal and state levels step up their games in examining carriers' cyber risk preparedness and as the carriers themselves seek greater resilience in the event of a cyber attack. This article is part of a three-part series. Part 1, "Regulatory and Market Imperatives Place Cybersecurity High on Carrier Agendas," provides some background about regulations taking shape to respond to cybersecurity issues in the insurance industry. In Part 3, Corzine drills down on one of his seven recommendations, explaining the basics of "Preparing a Cyber Incident Response Plan."
The seven steps set forth below are designed to move the organization forward toward a more robust and mature cybersecurity capability.
1. View cybersecurity as an organizational issue, not simply as a technical issue.
The pervasive nature of the impacts from recent data breaches suggests that everyone in the affected companies as well as other stakeholders had a vested interest in risk management. This means that everyone in the organization should be security-aware and play a role in security measures, thus helping to create a culture of risk awareness, avoidance, mitigation and recovery.
To foster broader understanding and involvement, we have found it beneficial to build on existing risk management infrastructure and programs. Insurers, as well as many of their customers, typically have multiple risk management programs underway, such as enterprise risk management, ORSA, Sarbanes-Oxley and Dodd-Frank.Correlating the risk management components within these programs creates a unified organizational focus that enables effective execution of the remaining six risk management requirements and moves the organization on a path toward a high level of cybersecurity maturity.