5 Ways Insurers’ Boards of Directors Expose Them to Cyber Risk
Yes, cybersecurity is the responsibility of the board. Here are ways they may be failing in that duty, and what to do about it.
When it comes to cybersecurity, due diligence is a moving target, and many insurance carriers’ boards of directors are likely to miss it. Boards can exercise exemplary responsibility in many of their duties, and even take specific measures with regard to information security, and still fail their companies. They can appoint a chief information security officer (CISO), hire IT security consultants, put a cybersecurity plan in place—and still end up presiding over a breach that lowers the stock price, harms the company’s reputation, costs millions in mitigation efforts and may even result in personal lawsuits by investors.
It may sound far-fetched, but it has happened repeatedly to companies of all sizes. At the highest level of analysis, the reason is that e-commerce has evolved faster than enterprises have been able to adapt—business has gone from physical transactions and records to electronically executed transactions, virtual communications and digital records that are accessible electronically in perpetuity. This creates vulnerabilities that remain poorly understood by insurers’ senior management, resulting in inadequate defenses.
Here we drill down into five ways that this poor understanding leads boards of directors to expose their companies to cyberattacks and their consequences.