Cybersecurity is everyone’s job

Cyber risks cannot be combatted by the IT department alone, especially if they are put upon with requests outside of cyber security initiatives. Similarly, technology that serves singular purposes can create more harm than good.

Because risk management technology is committed to enterprise-wide risk, it can serve as an enterprise wide solution — even if the business challenges that need to be solved, like those of IT, are not necessarily within the traditional realm of risk management.

Increasing cyber security concerns have IT departments working harder than ever before. For instance, ransomware — malware that scrambles data and demands a ransom to decode it — increased 6,000 percent in 2016, according to an IBM study released late last year.

Such statistics highlight a real burden for already overburdened IT departments. Not only are they busy fighting viruses, hackers, ransomware and the like, they are still charged with the everyday responsibilities that have always fallen to IT.

During the third quarter of 2017, the National Association of Insurance Commissioners adopted the Insurance Data Security Model Law. The model law, which is not legally binding like an enacted law, serves as a “framework from which insurance regulators in each state can create their own cyber security rules,” according to the Property and Casualty 360 article, “5 things you should know about the NAIC’s new data security model law.”

Property Casualty 360 says the five things everyone should know about the model law are:

  1. The cyber risk landscape is evolving.
  2. New York State’s cyber security requirements for financial companies influenced NAIC’s model law.
  3. NAIC’s model law is different from an enacted law.
  4. Insurance businesses should prescribe to specific cyber security practices.
  5. Company boards are expected to take the lead when it comes to cyber security efforts.

If you are looking for efficiencies in your own risk management or related departments, namely through investing in software or technology, you might want to consider and then convey how such an investment could help your overworked IT folks–from both a security and efficiency perspective.

In other words, help them help you.

How To Combat 3 Big IT Challenges

Considering cyber security is one of the leading risks for organizations today, integrated risk management technology is a natural tool to help combat it–even if it’s not directly aimed at IT users. Here are three IT challenges integrated risk management technology can help resolve:

1. Security

We already know that protecting organizational data has become a critical role of  IT departments. As a result, they want solutions with end-to-end security. The right risk management technology will automatically include the following controls, (just to name a few):

  • Password policies that can be defined to fit client standards including timeouts, length, and password strength
  • Client defined/assigned security roles for users–down to the field level–to prevent unauthorized access to any part of your system including objects, reports, page layouts and views, and specific fields
  • Server protection at top tier data center facilities with adequate physical access controls  
  • Firewalls with tightly controlled perimeters, intrusion detection systems and proactive log monitoring
  • Third party validation services that attest to the secure nature of the software 

2. Compliance

IT compliance is a specialized set of activities to ensure that an organization meets the requirements of contractual obligations and government-imposed IT regulations for the protection of data assets and processes. Failure to adequately perform this function can result in substantial fines and contractual penalties, as well as loss of business.

Enabling your IT department to focus on cyber security initiatives of course requires secure technology that complies with the highest standards imposed by both internal and regulatory bodies.

However, you can further aid your IT department’s critical mission to protect your organization’s digital environment by introducing it to solutions that make the department more efficient–freeing professionals up to focus more on cyber security and less on the administrative headaches associated with compliance risk management.

Some risk management technology features that IT might appreciate include: a full audit trail of all compliance activity, including attestations; an unlimited asset register with relationships used to define location, possession, configuration, software, etc.; solutions that are fully configurable to your organization’s requirements; and reports that enable quick identification of all instances of any asset type.

3. Application Overload

Just like IT departments aren’t short on challenges, they also aren’t short on technology applications that they have to maintain. In fact, they are often slowed down by the proliferation of applications that their businesses run upon today.

IT departments spend a tremendous amount of time updating or modifying their organizations’ applications in order to get them to work at all, much less work together for the maximum benefit.

That’s why investing in solutions that can actually consolidate or reduce the amount of applications being used, especially on in-house servers, can create tremendous efficiencies for the IT department–and in effect, reduce security risks.

Less time spent managing multiple applications might mean more time devoted to cyber security. Plus, fewer applications likely means less risk of one or a multitude of those applications causing a breach or falling out of compliance.

Integrated risk management technology is built to span across a variety of departments and business challenges — aiming to be a single source of truth across the enterprise.

Therefore, it is an ideal candidate to replace a whole host of applications from enterprise risk management systems and health and safety management systems, to vendor risk management systems and compliance and regulatory management systems.

Risk management technology by its very nature is built to span across a variety of departments and business challenges. Just as organizational risk is broad, so are the solutions housed within a risk management information system.

In fact, risk management technology can oftentimes replace the following solutions (and more) that are singular offerings from some vendors:

  1. Business Intelligence Analytics
  2. Enterprise Risk Management Systems
  3. Internal and Operational Audit Systems
  4. Health and Safety Management Systems
  5. Compliance and Regulatory Management Systems
  6. Vendor Risk Management Systems
  7. Business Continuity Systems

This of course gets to the core of helping IT to be more efficient, and in effect, more secure.  

Data breach, top risk for businesses

Equifax, a U.S. consumer credit reporting agency, announced the cybersecurity incident late last week, causing shares to tumble as much as 14 percent. Per the announcement, criminals exploited a U.S. website application vulnerability to gain access to information — including names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license and credit card numbers.

And while Equifax is unique in that its entire business model essentially runs off highly-sensitive customer data, most businesses have such data stored either on customers or employees — particularly when it comes to personal insurance and claims data, much of which mirrors the information confiscated in the Equifax breach. This means essentially no company can be too cautious.

Cybersecurity is consistently named a top risk for businesses — with cybercrime costing the global economy an estimated $445 billion annually, according to a report from the Center for Strategic and International Studies called, “Net Losses: Estimating the Global Cost of Cyber-Crime.” In this unfortunate environment where cyber attacks are seemingly “when” more than “if” events, organizations are obviously looking for ways to minimize the impact of a cybersecurity breach on their businesses.

Naturally, companies think of turning to insurance for help reducing potential damages, but securing cyber-liability policies is no simple task because insurers are struggling to accurately underwrite these risks, according to information from the National Association of Insurance Commissioners (NAIC). That being said, companies need standards and processes in place to reduce cyber risks and the associated damages — for both risk mitigation and cyber-liability insurance eligibility purposes.

According to NAIC, insurers will likely want access to businesses’ disaster response plans so they can evaluate their risk management of networks, websites, physical assets and intellectual property; details around how employees and others can access data systems; and information about antivirus and anti-malware software, the frequency of updates and the performance of firewalls.

4 Questions to Ask Vendors about Cyber Security

The right risk management technology can actually help with several pieces of the cyber-security puzzle facing businesses today — particularly, lessening the burden on your IT department and improving your disaster response processes.

For instance, truly integrated risk management technology can replace innumerable applications (from enterprise risk management and Sarbanes-Oxley solutions, to claims management and compliance and regulatory management solutions, to health and safety management solutions).

With fewer applications or systems to manage, and less burden on your internal server, your IT department might actually have more time to focus on broader and more impactful cyber-security efforts.

This is really just the tip of the iceberg in terms of what risk management technology can do for your IT department and cyber-security.

As for disaster recovery plans, risk management technology can automate the the entire disaster response process: Should a cyber-security breach occur, the system can automatically put the disaster response plan in motion — alerting stakeholders of the event and next steps accountable individuals need to take.

Not only will a well-oiled and timely approach likely help with reputation management in such scenarios, it could help with compliance, too, as requirements are increasing globally for how data and subsequent breaches must be handled.

Risk management technology serves to help organizations with the wide array of risks facing their businesses today, including cyber-security. Cyber-security is an issue organizations cannot afford to take lightly — either internally or with their vendors.

Cybercrime costs the global economy an estimated $445 billion annually, according to a report from the Center for Strategic and International Studies called, “Net Losses: Estimating the Global Cost of Cyber-Crime.”

No matter what type of technology you deploy at your company and its intended function — whether it’s to manage risk, content, customers, etc. — you need to ensure it is secure and that the supporting technology vendor has best-in-class cyber-security procedures in place.

Here are four questions you should ask any technology vendor providing you software-as-a-service or handling your data to ensure they are minimizing cyber-security risks to your company:

  1. Is your company data-security certified (i.e., SSAE-16 Type 1 and Type 2, SOC-2, etc.)?
  2. What is your company doing, beyond certification, to be prepared for new threats?
  3. Does your company have cyber security response teams?
  4. Does your company or your partners have your own cybersecurity insurance coverage?

These questions are certainly pertinent when engaging with risk management technology vendors since risk, insurance and claims data can be highly sensitive.

How to Choose the Right Solutions

How do you sort through the hype and invest in those solutions that will ultimately make the biggest difference across your entire organization — including risk management — so that your risk department, IT, procurement and company leadership feel like they are getting the biggest bang for their buck?

The Gartner Hype Cycle for Risk Management1 describes the related services, software platforms, applications, methods and tools that organizations can use to develop programs to withstand risk events or to take advantage of risk-related opportunities.”

Organizations can then determine if they are best suited to adopt the technology early on; take a more moderate approach; or wait until the technology is fully mature before investing.

Gartner clients can access the 2017 Gartner Hype Cycle for Risk Management here.

The most recent Gartner Hype Cycle for Risk Management highlights the maturity of solutions and applications for categories like integrated risk management, digital risk management, IT risk management, predictive analytics, end-to-end risk management, corporate compliance and oversight, and many more.

While it doesn’t delve into specific technology solutions from certain providers, it does list sample vendors (including Riskonnect) alongside the solution categories it features.  

Tools like the Gartner Hype Cycle for Risk Management can help your due diligence efforts.

Knowing the scope of what is available and whether solutions are at the point of maturation that make sense for your organization will lead to better decision making and better results.

Learn more about Riskonnect’s risk management technology solutions that align with those solutions on the Gartner Hype Cycle for Risk Management, including: integrated risk management predictive analytics, end-to-end risk management and corporate compliance and oversight. 

The right risk management technology should not only be secure, but it should be able to actually assist with how your cyber-security program functions.

For instance, truly integrated risk management technology can reprieve your IT department from managing so many applications; streamline the disaster recovery process in the event of a breach; or assist with prevention and compliance efforts by tracking cyber-security training requirements, alongside employee training completion.

Conclusion

In conclusion, while it’s important to appropriately vet your vendors’ cyber-security practices, don’t forget to ask your internal IT leadership the above-mentioned questions as well.

Ironically, organizations oftentimes realize they don’t meet the very data security requirements they are asking their vendors to meet during either the procurement or implementation processes.

Cyber risks are top of mind for businesses today as more companies find themselves falling prey to expensive and damaging data breaches.

Prepare for this risk — and so many others — with the help of risk management technology.

1 Gartner, Hype Cycle for Risk Management, 2017, July 2017

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.