Fortifying Insurers Defences in Era of Cyberrisk – BCG Whitepaper


Article Synopsis:

Managing cyberrisk is crucial for all large corporations worldwide, and particularly so for insurers. Insurers must treat cyberrisk in much the same way that they treat traditional insurance risks: by defining the level of exposure they are comfortable with and prioritizing investments accordingly.

The Digital Insurer reviews BCG’s report on Fortifying Insurers’ Defences in an Era of Cyberrisk

In the digital age, cybersecurity is, or should be, a board-level activity.

To this end, “Fortifying Insurer’s Defences in an Era of Cyberrisk” from BCG offers an in-depth view of current market practices and emerging trends in cyberrisk management in large insurance companies. The report is organized in four parts:

(1) Governance and Organization – including the roles, responsibilities, and organizational structures of the Three Lines of Defense model as it applies to cyberrisk:

  1. The first line of defense: Sits within the business or wherever the day-to-day risk occurs.
  2. The second line of defense: Sits within the risk management and compliance functions, monitoring the first-line control efforts and efficacies.
  3. The third line of defense: Sits within the internal audit function and is responsible for ensuring the efficacy of the overall risk management framework.

This model is supported by two evolving roles: Chief Information Security Officer (CISO) and Chief Risk Officer (CRO). The three-lines model is practical and effective if there is clear segregation and accountability of the CISO and CRO roles across all lines of defense.

(2) Industry best practices for developing cybersecurity management strategy:

Underpinning the strategy should be a specific risk appetite framework proposed by the CRO and approved by the board of directors. Cybersecurity strategy should comprise the following three elements:

  1. A qualitative and quantitative synthetic measure of cyberrisk tolerance, used to gauge the organization’s cybersecurity performance.
  2. A set of operational key security indicators and key risk indicators that grow out of the cyberrisk tolerance level defined by the board. This could entail, for example, the percentage of successful attacks that lead to data breaches.
  3. A sound escalation process.

The board and top management must monitor all measures to define security strategy through a risk-based approach.

(3) Best practices used for traditional risk processes—including risk identification, measurement, management, and reporting—can be applied to cyberrisk.

Day-to-day cyberrisk should be managed through four processes, with the CISO and CRO involved to varying degrees. These processes include:

  1. Risk Identification: Early identification of new and evolving cybersecurity threats, classified by standard risk-event types.
  2. Risk Measurement: Quantification of actual and forward-looking cyberrisk exposures for each of the identified risk events.
  3. Risk Management: Active management of controls addressing detection, protection, and response/recovery timings.
  4. Risk Monitoring and Reporting: Full awareness of cyberrisk exposures at top management and board levels with sound escalation procedures.

(4) Human capital and operating model considerations for setting up an effective cybersecurity system:

Cybersecurity programs typically require highly skilled employees with enhanced and often specialized Information and Communications Technology (ICT) skill sets. The numbers vary depending upon the specifics of the cybersecurity program and the extent to which external providers are used.

Link to Full Article: click here

Digital Insurer's Comments

Digital transformation and cybersecurity are two sides of the same coin. The more insurers venture into distributed technologies such as sensor-based IoT, the more exposed they become to hacking events, both internal and external.

Cybersecurity has traditionally been the domain of the Chief Information Officer (CIO). However, the increasing use of cloud and distributed technologies at the line-of-business level (often outside the purview of the CIO) requires an executive dedicated to the cybersecurity effort. With board-level visibility and full organizational authority, the CISO and/or CRO can 1) ensure compliance with all data and security regulations, and 2) build competitive advantage by enabling a more aggressive deployment of digital risk-measurement technologies.

Link to Source: click here
