Elements of a Cybersecurity Program
The New York Department of Financial Services (DFS) released a cybersecurity questionnaire to the insurers it regulates, and the resulting report, issued in February 2015, provides a useful snapshot of how large insurance companies approach cybersecurity. As a reinsurer, Gen Re was not a respondent to the questionnaire, but we felt it had value and used it as an internal self-assessment tool. It was useful to compare our own progress and challenges with those of other insurers, and here I will try to summarize some of the key lessons and conclusions.
There are essentially three components to consider in developing a cybersecurity program:
- Executive Commitment
- Relevant Capabilities
- Human Behaviors
Executive Commitment comes first because it enables action on the other two. If the Board isn’t taking this subject seriously, and getting regular, timely updates on threats, vulnerabilities and incidents, it will be impossible to institute a robust program.
Relevant Capabilities is inevitably the component where the potential for material cost arises. Anti-virus, firewalls, encryption, multi-factor authentication, intrusion detection/prevention: these represent a plethora of technologies, all likely to drive up IT spending. It is therefore useful to have a framework against which to assess your own areas of strength and weakness, so that any spend is directed at the gaps that matter most and you get maximum “bang for the buck.”
Our program at Gen Re is aligned with the NIST1 cybersecurity framework. As an aside, it is a revealing insight into the immaturity of this subject that the New York DFS uses two words, “cyber security,” while NIST (part of the U.S. Department of Commerce) uses one, “cybersecurity.” The graphic below provides a conceptual outline.
Gen Re has undertaken initiatives in all three areas we use to organize the program: Protect, Detect and Resolve.
Detection has been the costly area, both to install the tooling and to develop the necessary skills, in our case in the form of a 24x7x365 Security Operations Center (SOC). Leveraging third-party providers’ managed services is highly recommended here: building this capability alone is expensive, and the market for managed detection services is growing ever more competitive.
It is in the areas of Protect and Resolve that the Human Behavior aspects reside and, since it is generally accepted among security practitioners and regulators that no level of technical investment completely eliminates the risk of a breach, it is here that you can move the needle most without prohibitive investment. That doesn’t make influencing behavior in any way easy. In fact, in our experience, the most time-consuming initiatives don’t involve material technology investment; they involve people. Developing policies and standards is the critical starting point for protection. Clearly, you need to take a view on what devices you issue to staff, whether they can “bring their own,” where and how you let third parties onto your network, encryption rules, data classification and so on. It is difficult to keep the policies simple, since there is so much to cover, but it is important that they can be consumed by people with a range of technical skills (starting from none).
Another part of the policy to address is so-called “patching,” the process of applying vendors’ security updates to servers and PCs. Many companies only patch sporadically because it is annoying to the users. Well, annoy them! It is absolutely vital to keep your patching up to date. The patches themselves cost nothing beyond the license or support you already pay for the products, and known, unpatched vulnerabilities in out-of-date software are specifically targeted by attackers precisely because they are the easiest way in. Patching does need a schedule and a short test cycle so that an update doesn’t break a business application, but that is an argument for disciplined patching, not for skipping it. Training and Awareness is the other key aspect of Protection. Simply put, staff need to be smart enough not to click on links or attachments in emails of questionable provenance. The most dangerous of these are “spear phishing” emails, crafted for a specific person or role using details gathered about the target and the company. These get more sophisticated all the time, so the training isn’t a one-time thing; it needs constant reinforcement and updating to show the latest trends and techniques.
Finally, in the Resolution area Gen Re has learned a lot through trial and error about event response once an event has occurred (as it surely will). An event doesn’t necessarily have to be a major data breach; it can be a staff member breaking a small aspect of your security policy. It is important to be calm and consistent in response, which isn’t easy when the pressure is on and you are unsure whether an incident is still ongoing. A clear line of command needs to be established as to which person in which department should be involved once an event has occurred, who decides on containment steps, and who speaks to regulators, clients and the press. The procedures should be written down and practiced through simulated incidents, so that the first time the team works together is not during a real one.
Overall my message is, don’t despair. Cybersecurity can be tackled in the same way as any other business challenge. Once we recognize that cybersecurity isn’t only about technology, but about proper prioritization and addressing staff awareness, the problem becomes manageable.
1. National Institute of Standards and Technology, a non-regulatory federal agency within the U.S. Department of Commerce. NIST publishes the Framework for Improving Critical Infrastructure Cybersecurity and works with industry, including the insurance sector, to promote the protection of critical business infrastructure.