Regulators are increasingly turning their minds to cyber resilience. The major breach experienced by the Reserve Bank will not only be a wake-up call for them but will serve to sharpen their attention on regulated entities.
Outsourcing trends, the shift to work-from-home arrangements, and the explosion of interconnectedness across the cyber ecosystem raise the ante for boards and management.
Looking at cyber resilience only through a security lens can miss the point. As a sector dependent on customer trust, the focus should be on how that resilience supports us in providing better services and products. It means being ethical about the control and use of data. It is therefore a problem for the business as a whole and needs to be approached in that way, rather than solely as an IT issue.
Inevitably, regulators will look for assurances from insurers about how they manage cyber resilience. There is good guidance provided by the Cyber Emergency Response Team (CERT) and the National Cyber Security Centre (NCSC).
CERT’s 10 critical controls cover practical measures such as patching systems, multi-factor authentication, network segmentation, and enforcing the principle of least privilege: granting only the minimum level of access required to do a job.
The NCSC has material pitched at boards and management. Boards need to understand the cyber threats the insurer is vulnerable to and the impact of an incident, including how the insurer will detect, respond to, and recover from one. This will inform how the board communicates its risk tolerance to the executive.
For management, the role is effective organisation-wide risk management and awareness, so that cyber resilience is part of governance and business continuity planning. It covers financial, competitive, reputational and regulatory risks, with monitoring and review built into the process.
Cyber threats seek out the weakest points in an organisation, so as companies strengthen their own cyber resilience, their supply chain becomes the more likely weak area of defence. Increasing reliance on supplier-managed, cloud-based services highlights the need to understand both the direct and the indirect suppliers present in the chain.
The geographically dispersed and complex nature of supply chains can make this challenging. Worryingly, examples exist of malicious actors targeting software developers and open-source systems. So, a key question to ask is where all key data and IT infrastructure resides. It may be offshore, and it needs to be part of the risk assurance process.
Apart from identifying critical assets and services, critical service providers also need to be assessed.
Research by the NCSC into cyber resilience shows that only a minority of organisations had identified their critical information assets. While organisations have increasingly invested in cyber resilience tools and assessments, this has come at the cost of investing in sufficient staff with the skills to satisfy their security requirements. And only a minority had a clear separation between their IT and cyber security budgets, leaving them vulnerable to cyber resilience resources being consumed by non-security IT projects.
Improvements in cyber security need to be continual, systematic, and strategic. Independent reviews and assessments should be regular and ensure that policies, standards and compliance are well managed.
Evidence that the approaches in the CERT and NCSC guidance, or similar, have been adopted would be seen positively by regulators, but more importantly it will support customer trust and reputation.