Fortifying Insurers Defences in Era of Cyberrisk – BCG Whitepaper

Article Synopsis :

Managing cyberrisk is crucial for all large corporations worldwide, particularly so for insurers.  Insurers must treat cyberrisk in much the same way that they treat traditional insurance risks: by defining the level of exposure they are comfortable with and prioritizing investments accordingly

In the digital age, cybersecurity is, or should be, a board-level activity 

To this end, “Fortifying Insurer’s Defences in an Era of Cyberrisk” from BCG offers an in-depth view of current market practices and emerging trends in cyberrisk management in large insurance companies. The report is organized in four parts:

(1) Governance and Organization – including the roles, responsibilities, and organizational structures of the Three Lines of Defense model as it applies to cyberrisk:

1. The first line of defense: Sits within the business or wherever the day-to-day risk occurs.
2. The second line of defense: Sits within the risk management and compliance functions, monitoring the first-line control efforts and efficacies.
3. The third line of defense: Sits within the internal audit function and is responsible for ensuring the efficacy of the overall risk management framework.

This model is supported by two evolving roles: Chief Information Security Officer (CISO) and Chief Risk Officer (CRO). The three-lines model is practical and effective if there is clear segregation and accountability of the CISO and CRO roles across all lines of defense.

(2) Industry best practices for developing cybersecurity management strategy:

Underpinning the strategy should be a specific risk appetite framework proposed by the CRO and approved by the board of directors. Cybersecurity strategy should comprise the following three elements:

1. A qualitative and quantitative synthetic measure of cyber risk tolerance to gauge the organization’s cybersecurity performance.
2. A set of operational key security indicators and key risk indicators which grow out of the cyberrisk tolerance level defined by the board. This could entail, for example, the percentage of successful attacks leading to data breaches.
3. A sound escalation process.

The board and top management must monitor all measures to define security strategy through a risk-based approach.

(3) Best practices used for traditional risk processes—including risk identification, measurement, management, and reporting—can be applied to cyberrisk.

Day-to-day cyberrisk should be managed through four processes, with the CISO and CRO involved to varying degrees. These processes include:

1. Risk Identification: Early identification of new and evolving cybersecurity threats classifies by standard risk-event types.
2. Risk Measurement: Quantification of actual and forward-looking cyberrisk exposures for each of the identified risk events.
3. Risk Management: Active management of controls addressing detection, protection, and response/recovery timings.
4. Risk Monitoring and Reporting: Full awareness of cyberrisk exposures at top management and board levels with sound escalation procedures.

(4) Human capital and operating model considerations for setting up an effective cybersecurity system:

Cybersecurity programs typically require highly-skilled employees with enhanced and often specialized Information and Communications Technology (ICT) skill sets. The numbers vary depending upon cybersecurity program specifics and the extent to which external providers are used.

Link to Full Article:: click here

Link to Source:: click here