Security

11:30 AM
Kelly Sheridan
Commentary

Changing the Security Mindset

As cyber attacks evolve in number and complexity, financial services organizations must embrace proactive security strategies.

Cyber security is rapidly evolving as an area of concern for insurers, with data breaches occurring more often than ever. Recent data from the Ponemon Institute reveals that 43 percent of businesses have experienced an attack in the past 12 months, and the changing motivation behind them is posing an even greater threat to the industry.

“Today, the main driver in hacking is financial,” says Jerry Irvine, CIO of Prescient Solutions and member of the National Cyber Security Task Force. “Criminal, governmental, and third-party organizations are all financially driven.”

Modern-day criminals want to be more than nuisances or political rebels, says Irvine, and today’s technology isn’t complex enough to block their attacks. Modern solutions are designed to protect environments with physical perimeters, but the growth of cloud technologies and evolution of hackers’ abilities are rendering these ineffective. Hackers don’t have new tools, but more of them are discovering and exploiting the flaws within existing systems. 

Hackers have an advantage over businesses because they collaborate and share effective criminal procedures and malware systems. Organizations don’t share their information as openly as hackers do, says Irvine, which places them at a great disadvantage in terms of cyber security and increases their risk of lawsuits.

It’s no longer enough for insurers to strengthen the outside barriers to their organizations. They must also secure exactly what they need to protect: their data. Now is the time for organizations to forgo a reactive approach to security in favor of more proactive strategies.

“We have to understand that there is going to be a breach,” Irvine emphasizes. “Because of the lack of perimeters and accessibility of data, there have to be larger constraints around the data itself.”

He recommends that insurers begin by conducting a risk assessment, a process significantly more complex for organizations than for consumers. In addition to defining regulatory and compliance requirements, insurers must detail and inventory everything that relates to their data. This involves determining which apps access each set of data, as well as categorizing information as critically confidential.

To minimize damage in the event of a data breach, carriers should have an incident response plan, says Kirstin Simonson, underwriting director for Travelers Global Technologies. Many businesses lack a responsive strategy, she says, or a team in place to mitigate the effects of a cyber attack.

“That’s really a discussion that needs to cross multiple disciplines within the organization,” Simonson says of developing a response plan. Information and security experts, general counsel, and board-level executives should collaborate to identify business objectives, which entities are at risk, and how to best respond to a breach.

Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance & Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University.

Comments
KBurger,
User Rank: Author
10/30/2014 | 1:20:21 PM
Re: Need for collaboration
Per Greg's comments, it's definitely time to bring "innovation thinking" into the security realm -- innovation and collaboration should not be just for channels and marketing and product development. I certainly understand the legal and fiduciary challenges around information sharing when it comes to fraud and security, but it seems obvious that the traditional ways of dealing with these problems are not going to be enough to fight today's/tomorrow's criminals.
Nathan Golia,
User Rank: Author
10/30/2014 | 1:11:58 PM
Re: Need for collaboration
That's because it's probably good business for the next bank when the first one gets hacked. Unfortunately, short-term thinking like this is endemic in business. Everyone has vulnerabilities that will be exposed sooner or later.
Greg MacSweeney,
User Rank: Author
10/30/2014 | 8:53:40 AM
Re: Need for collaboration
Financial services still has an old school mindset when it comes to working together. EVERYTHING is proprietary, no matter how mundane.

Meanwhile, hackers and the high-tech industry (especially on the West Coast) share everything. BNY Mellon has established an innovation center on the West Coast and they are amazed at how willing people are to share ideas, code and technology.

Back on the east coast, meanwhile, banks still share little, even when it could benefit everyone. It will have to change if banks want to stay on the cutting edge of technology and a step ahead of hackers.
KBurger,
User Rank: Author
10/29/2014 | 4:48:32 PM
Re: Need for collaboration
With any regulation it probably will be "requires" more than "allows" which means that the industry probably won't be happy with it. But something like that probably is needed.
Kelly22,
User Rank: Author
10/29/2014 | 4:42:09 PM
Re: Need for collaboration
That point really struck me as well. I hadn't thought about it much before, but hackers' sharing of information definitely makes them a bigger threat. Irvine mentioned an industry-wide need to develop some kind of regulation that allows insurers to share information with the government, and their peers, so they can stay ahead of the criminals.
KBurger,
User Rank: Author
10/29/2014 | 4:37:14 PM
Need for collaboration
Irvine's observation that "organizations don't share their information as openly as hackers do" is really telling, I think. Financial institutions traditionally have played it close to the vest regarding breaches and fraud, for understandable reasons (legal, brand reputation, privacy, etc.), but as we are seeing from the attacks on JPMorgan, communication and info sharing among FIs is really essential if they want to have a chance to stay ahead of the fraudsters. There are some industry groups, such as BITS, geared toward facilitating this, but it sounds like it's still not happening to the extent it should.