Thus far, Target has reported $61 million in expenses related to its data breach, $44 million of which was offset by an insurance payment. While the financial impact of data breaches on insurers is significant, these incidents are also a reminder of the cyber threats that put insurers themselves at risk. With their growing reliance on third-party software and cloud-based services, insurers are exposed to the same type of supply chain attack that led to the Target breach, in which the attackers entered through a third-party vendor's access rather than through the retailer's perimeter. Rapid changes in the risk ecosystem are eroding the effectiveness of current approaches to security risk management and regulatory compliance as a means of preventing data breaches. So what best practices can insurance providers implement to fortify their IT defenses?
According to the Verizon 2014 Data Breach Investigations Report, 1,367 confirmed data breaches were reported in 2013, continuing the year-over-year increase in cyber-attacks. One noticeable change is that as companies have improved their defenses against direct network attacks, attackers are shifting their focus to the weakest link, exploiting a company's suppliers to gain "backdoor" access to its IT systems. As a result, insurance companies need to monitor and manage IT security risks throughout their supply chain. Assessing only their top 25 critical vendors is no longer sufficient.
To put this risk into perspective, consider the number of suppliers the average organization uses to run its business operations. Even small companies easily exceed 100 third-party vendors, including technology vendors and providers of electricity, hosting, facilities, payment, and collection services. Given that volume, it is not surprising that most organizations assess third-party risk for only a small subset of vendors, typically selected by contract size. Contract size, however, is a poor proxy for security risk: a small vendor with network connectivity or access to customer data can expose the organization far more than a large one that has neither.
This practice is outdated, since cyber criminals are actively targeting IT supply chain weaknesses to breach large, well-protected organizations they could not otherwise compromise. So what can insurers do to respond? Here are three fundamental steps that can reduce supply chain risk:
1. Apply a Standardized Vendor Risk Management Process
Conduct regular risk assessments that include all suppliers and, where possible, suppliers' suppliers. Running a standardized vendor risk management process as part of normal business operations is an important step in securing the supply chain, because a consistent process lets vendors be compared and prioritized on the same criteria rather than by contract value alone. Organizations are increasingly turning to vendor risk management software to automate the gathering of assessment data and the calculation of risk scores.
2. Conduct Risk Assessments During the Onboarding Process
Why wait months or even years before conducting a first vendor risk assessment? The vendor onboarding process should trigger an immediate risk assessment so that the organization understands the risks of doing business with a particular supplier before that supplier is granted access to systems or data, not after.
3. Require Suppliers to Use Independent Verification Services
Require technology vendors, especially independent software vendors, to have their software applications tested by an independent verification service prior to procurement and deployment. This is a departure from the traditional approach, in which internal security operations teams conduct penetration tests to assess potential vulnerabilities months or even years after the technology has been deployed. Questionnaires capture only what a vendor attests about itself; independent testing produces evidence about the software as delivered. By augmenting questionnaire-based vendor risk assessments with application security testing of vendor software, organizations close the gap between what they require of third-party technology vendors and the application security standards to which they hold their internal teams.
It is unlikely that we have seen the last major data breach that exploits a supply chain weakness. It is equally unlikely that organizations can continue to manage their supply chain risks the way they have in the past.
About the Author: Torsten George is Vice President of Worldwide Marketing and Products at big data risk management software vendor Agiliance. He has more than 20 years of global information security experience.