Cyber Security Liability
Banks And Insurance Companies Aware Of Cyber Risks: Opportunities Remain To Become More Resilient
Cyberattacks and the damage they can cause are top of mind for the majority of business executives. Hardly a week, let alone a day, goes by without news of a breach or concerns about the risk of a cyber attack in one sector or another.
Nearly two-thirds (63%) of more than 900 C-suite executives around the world who participated in a recent Accenture Strategy study, “Business Resilience in the Face of Cyber Risk,” reported that their companies experience significant cyber attacks daily or weekly. Banking executives reported the same frequency, and 59% of insurance executives responded likewise.
The findings are consistent with the “2015 Accenture Global Risk Management Study,” which found that nearly two-thirds of banking executives (65%) and 74% of insurance executives expect cyber IT risks to increase. Given that, these executives expect to hire more people who are experts in managing cyber risks. For these executives, the question is not “if” but “when” an event will occur.
If an organization is not prepared to respond, a cyber-breach can result in costly downtime and reputational damage. Digital capabilities are increasingly the glue that bonds sophisticated enterprises. Failures and hostile cyber actions can have profound impacts on a bank or insurance company’s performance – even its viability. Combined properly, the same technologies that drive digital enterprises can enable resilience at a level not previously possible. Success requires fundamentally different approaches to risk and technology portfolio management – and a more connected leadership to make it a reality.
To become more resilient, banks and insurance companies need to respond quickly to business disruption and minimize its impact on customers, operations and/or supply chains when a cyber attack occurs. Interestingly, the executives surveyed about their business resilience, for the most part, believed they have a robust cyber defense strategy that is understood and fully functional, with insurance executives (93%) most frequently reporting that to be the case.
However, as the survey dug deeper, it became evident that there are gaps which need to be closed to become more resilient. For instance, only 18% of banks and 14% of insurance companies always design resilience parameters such as diversity, redundancy and adaptability into their organization’s technology and operating models. Only 10% of banks and 5% of insurance companies proactively run inward-directed attacks and intentional failures to test their systems.
Although more work needs to be done, savvy executives know where their weak spots are, and work across the C-suite to prepare accordingly, testing systems, planning for various scenarios and producing response and continuity plans that guide quick actions when a breach occurs. Addressing and managing resilience is no small task and needs to become more formal in approach.
Although the chief information officer (CIO) is most frequently cited as being responsible for resilience management at insurance companies and banks (61% and 41%, respectively), successful enterprises recognize that responsibility for resilience and agility should not just fall to the CIO, chief risk officer or chief information security officer. On average, companies tend to have two executives in their C-suite who are responsible for continuously monitoring and improving their business resilience.
Interestingly, banks were more likely than insurance companies to have identified a dedicated resilience officer for this purpose (29% as compared to 16%), while insurance companies had a greater tendency to involve their chief financial officer (30% versus 25%) and chief operating officer (39% versus 25%). In both sectors, the chief risk officer is involved, on average, in resilience efforts at about one out of every four banks and insurance companies represented in the study.
To protect against a breach, CEOs should also work closely with their board of directors to make decisions about investments and advance their business continuity efforts. To help mitigate the damage a breach could cause and make their businesses more resilient, agile and fault-tolerant, banks and insurance companies can take the following steps:
Create a digital ecosystem that enables the bank or insurance company to team with other enterprises, augment their digital capabilities and access innovative technologies that reside outside the enterprise to strengthen their organization’s security posture and effectiveness.
Manage digitally to deliver multi-speed business and support IT capabilities in real-time by simplifying the IT architecture and addressing the business’s evolving digital requirements in a dynamic environment against a mix of business priorities and increasing threats.
Institutionalize resilience by making it part of the operating model, ingrained from the outset into objectives, strategies, processes, technologies and organizational culture, including fostering open communication with boards on governance practices and enterprise risk management.
Creating business resilience to manage against cyber risk is about preparedness and enablement. By gaining a full understanding of the issues that may inevitably arise from the highly connected digital world, banks and insurance companies can plan their response and limit the impact that a breach could have on their business. With extensive scenario planning and the right capabilities in place, managing cyber risk becomes part of the rhythm of the business and essential to maintaining it.
SOURCE: Forbes
Brian D. Walker, a managing director in Accenture Technology Strategy, contributed to this commentary. He is an author of the new Accenture report, “Business Resilience in the Face of Cyber Risk.”