12:19 PM
Torsten George, Agiliance
Torsten George, Agiliance

Why the Target Breach Matters to Insurers

Three things insurers can do to shore up their cyber risk.

Thus far, Target has reported $61 million in expenses related to its data breach. $44 million of which was offset by an insurance payment. While the financial impact of data breaches on insurers is significant, these incidents serve as a reminder of the cyber threats which put them at risk as well. With their growing reliance on third-party software and cloud-based services, insurers are at risk from the same type of supply chain attacks that led to the Target breach. Dynamic changes in the risk ecosystem are eroding the effectiveness of current approaches to security risk management and regulatory compliance for preventing data breaches. So what best practices can insurance providers implement to fortify their IT defenses?

According to Verizon 2014 Data Breach Investigations Report, 1,367 confirmed data breaches were reported in 2013, which continues the trend of year-over-year increase in cyber-attacks. One noticeable change is that as companies have improved their defenses against direct network attacks, hackers are shifting their focus to the weakest link by exploiting a company's supply chain to gain "backdoor" access to its IT systems. As a result, insurance companies need to monitor and manage IT security risks downstream. Assessing only their top 25 critical vendors is no longer sufficient.

Torsten George, Agiliance
Torsten George, Agiliance

To put this risk into perspective, consider the number of suppliers the average organization uses to run their business operations. Even small companies easily exceed 100 third-party vendors, including technology vendors, electricity, hosting, facilities, payment, and collection services providers. As a result, it is not surprising that when it comes to third-party risk assessments, most organizations focus only on a small subset, typically based on contract size.

[Employees slack on mobile device safety]

This practice is clearly outdated, since cyber criminals are actively targeting IT supply chain vulnerabilities to breach large, well-protected organizations they wouldn't otherwise be able to compromise. So what can insurers do to respond? Here are three fundamental steps that can reduce supply chain risks:

1. Apply a Standardized Vendor Risk Management Process

Conduct regular risk assessments to include all suppliers, and – if possible – even supplier's suppliers. Performing a standardized vendor risk management process as part of normal business operations is an important step in securing the supply chain. Often organizations are turning to vendor risk management software to help automate the data gathering process and calculation of risks scores.

2. Conduct Risk Assessments During the Onboarding Process

Why wait for months or even years before conducting a first vendor risk assessment? The vendor onboarding process should trigger an immediate risk assessment so that the organization has a good understanding about the risks of doing business with a particular supplier.

3. Mandate Suppliers to Use Independent Verification Services

Require technology vendors – especially independent software vendors – to use independent verification services to test software applications prior to procurement and deployment. This is a departure from the traditional approach of conducting penetration tests using internal security operations teams to assess potential vulnerabilities months or even years after deploying the technology. By augmenting vendor risk assessments via questionnaires with vendor application security testing programs, organizations are moving to close the gap between third-party technology vendors and the application security standards to which they hold their internal teams.

It's unlikely we've seen the last major data breach that exploits supply chain vulnerabilities. It's also unlikely that organizations will continue to manage their supply chain risks the same way they have in the past.

About the Author: Torsten George is Vice President of Worldwide Marketing and Products at big data risk management software vendor Agiliance. He has more than 20 years of global information security experience.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Nathan Golia
Nathan Golia,
User Rank: Author
5/14/2014 | 7:44:55 PM
re: Why the Target Breach Matters to Insurers
Thanks Torsten. With the amount of vendor relationships enterprises are taking on, vigilance is required in order to prevent embarrassing data breaches.
User Rank: Author
5/14/2014 | 7:35:24 PM
re: Why the Target Breach Matters to Insurers
Yes the breach has caused ripple effects throughout the tech world making technology and business executives more aware of the threats here. More of these kind of breaches are likely, so everybody has to be on guard.
User Rank: Author
5/14/2014 | 7:18:56 PM
re: Why the Target Breach Matters to Insurers
As cyberattacks grow in number and complexity, it's crucial for insurers (and all businesses) to boost their security initiatives. These are all steps that they should consider to better protect their data.
Register for Insurance & Technology Newsletters
White Papers
Current Issue
Insurance & Technology Digital Issue
Innovation? Check. Core modernization? Check. Security? Check. Today's insurance IT challenges don't stump this year's Elite 8.