The path to cyber resilience for insurers

Insurance companies are uniquely at risk because they process significant amounts of personal information and sensitive insured information in their daily business. It is crucial for businesses in the insurance sector to be up to date and well-informed of the data protection and cybersecurity landscape across the jurisdictions in which they conduct business.

Regulators around the world are increasingly focused on cyber resilience. To stay in compliance and help avoid cybersecurity threats, companies in the insurance sector need to implement a multi-faceted strategy: 

• Cybersecurity is an enterprise risk that requires effective communication of risks and cybersecurity education at the executive and board levels.  Be thoughtful and purposeful when presenting on cybersecurity and resiliency to the executive team and board, such as developing an education curriculum for the entire year that maps to the company-specific risk topics covered at each presentation and ensuring that meaningful metrics are used to convey company performance and risk.  
• Build systems that are resilient from a technical perspective, which involves being kept fully up to date to prevent unauthorized access. This requires a process where system patches are identified and applied comprehensively and monitored for issues. 
• Prepare a coordinated cross-border response strategy, including communication with regulators and customers so that specific local requirements are accounted for and staff around the globe are aware of their roles. This is essential for global companies.
• Establish an effective risk-management framework for assessing and monitoring third-party vendors, particularly those that have access to the company’s data and network. Conduct a regulatory readiness assessment to become better prepared to respond to regulatory information and document requests when an incident occurs.  Understanding what information and documents regulators are likely going to request helps companies identify current gaps in their programs, identify relevant stakeholders who are able to provide requested information quickly when the request comes, and develop a process for quickly responding to regulatory requests.  
• Develop a crisis communications plan in advance. Going into a "lockdown mode" where information is not shared with all affected parties is often counterproductive. Considering and keeping up to date all impacted jurisdictions allow the company to deal with the implications in an efficient and effective manner.