This excellent article from “Insurance and Technology” magazine highlights the need for organizations to take security protection seriously by performing a risk assessment, developing an incident response plan in advance, and exercising the principle of continuous improvement in both technology and human behavioral controls … Just as one does not wait until it starts raining to patch the roof, each organization must also prepare in advance and in a comprehensive manner.

http://www.insurancetech.com/security/changing-the-security-mindset/a/d-id/1317045

QUOTE: As cyber attacks evolve in number and complexity, financial services organizations must embrace proactive security strategies. Cyber security is rapidly evolving as an area of concern for insurers, with data breaches occurring more often than ever. Recent data from the Ponemon Institute reveals that 43 percent of businesses have experienced an attack in the past 12 months, and the changing motivation behind them is posing an even greater threat to the industry.

“Today, the main driver in hacking is financial,” says Jerry Irvine, CIO of Prescient Solutions and member of the National Cyber Security Task Force. “Criminal, governmental, and third-party organizations are all financially driven.”

Modern-day criminals want to be more than nuisances or political rebels, says Irvine, and today’s technology isn’t complex enough to block their attacks. Modern solutions are designed to protect environments with physical perimeters, but the growth of cloud technologies and evolution of hackers’ abilities are rendering these ineffective. Hackers don’t have new tools, but more of them are discovering and exploiting the flaws within existing systems.

He recommends that insurers begin by conducting a risk assessment, a process significantly more complex for organizations than for consumers. In addition to defining regulatory and compliance requirements, insurers must detail and inventory everything that relates to their data. This involves determining which apps access each set of data, as well as categorizing information as critically confidential.

To minimize damage in the event of a data breach, carriers should have an incident response plan, says Kirstin Simonson, underwriting director for Travelers Global Technologies. Many businesses lack a responsive strategy, she says, or a team in place to mitigate the effects of a cyber attack.