Research by Accenture on the extent of cyber risk suggests how carriers can steel themselves against threats to their IT and cyber security.
Knowing your exposure is always critical. But the Accenture survey, Business Resilience in the Face of Cyber Risk, found just 5% of carriers run simulated attacks and system failures to test their systems’ resilience. Just over half—52%—of insurance executives surveyed reported that their organizations have produced threat models for existing and planned business operations. Fewer than half of the executives—47%—map and prioritize security, operational and failure scenarios. And only 14% said they consistently design resilience parameters into the operational models and technology architectures.
The survey also found that just a little more than one-third—38%—of executives “strongly agreed” that their organizations balance spending on iron-clad security measures and growth and innovation strategies. Some 49% “merely agreed,” indicating there is room for improvement in this critical area.
Accenture’s 2015 Global Risk Management Study: North American Insurance Report provides more insight on how insurers can better prevent IT failures and cyber security breaches. For example:
- 50% of respondents “strongly agreed” and 36% more “slightly agreed” that digital presents an opportunity to present the risk function as a business partner.
- 44% of North American respondents say that their risk management functions, to a great extent, have the necessary skills to understand cyber risk. While that level of confidence was nine points higher than among insurers elsewhere in the world, it demonstrates that the risk functions at more than half of North American insurers either do not have this expertise or have not demonstrated it.
We also suggest insurers consider:
- Embracing the digital ecosystem—Take advantage of digital capabilities and technologies outside of the enterprise to strengthen strategic decision-making.
- Managing digitally—Develop the ability to orchestrate, in real time, the myriad internal and external services required for a multi-speed business and IT.
- Institutionalizing resilience, because it is not a point-in-time initiative—Resilience must be part of the fundamental operating model, engrained into objectives, strategies, processes, technologies and the culture.
To learn more about the study, download Business Resilience in the Face of Cyber Risk (PDF).