More information is being made available to staff, intermediaries, and consumers via mobile devices. More data is being stored on remote systems in the cloud, or shared with third parties through offshoring and/or outsourcing arrangements. Yet fewer than half of global financial institutions responding to a recent Deloitte survey said they were “very confident” they were secure against an external cyber-attack.

Most insurers are taking steps to secure their digital borders. However, they must be careful not to erect a wall so high that access to legitimate users becomes overly difficult. The goal should be to lock down data while still enabling key business processes online, internally and externally.

Insurers therefore should seek a middle ground, creating a secure data environment that thwarts cyber thieves while avoiding digital traffic jams that could drive customers and intermediaries away in frustration.

Perhaps the first step is for insurers to shift from a compliance-focused mindset to a more comprehensive enterprise risk management approach. They also should not think of cyber risk as merely a technology issue when it's really another first-class business exposure that should be accounted for across the organization.

In addition, the answer is not just to buy more technology, but to have the talent — in-house, from outside experts, or more likely a combination of both — that knows how to go about securing systems without having to reinvent the wheel.

This is a cultural issue as well, emphasizing awareness and adoption of basic “cyber hygiene” among all employees. Data security ultimately starts with the people who have their hands on the keyboard. Indeed, it only takes one staff member to click on an e-mail infected with malware to throw open the barn door and let all the data horses escape.

This also isn't an exposure that insurers should try to tackle on their own. Knowledge is power, so the more perspectives and experiences are shared, the more effective a loss control program will likely be. Collaboration with peers, partners, law enforcement, regulators, and loss control specialists can save carriers a lot of unpleasant surprises.

Insurers should consider a multi-pronged approach to cyber security, emphasizing a triangle of key principles in which carriers strive to be secure, vigilant, and resilient. Being secure means having mutually reinforcing defense layers that can slow down and hopefully prevent an attack. Being vigilant means establishing a continuous monitoring system, with adaptive signaling and reporting to automate the correlation and analysis of data and threat indicators.

Last but not least, resiliency means testing the ability of security systems not just to withstand an attack, but also to deal with the consequences if a breach does occur so as to limit the damage.

In the end, those running the gauntlet to help secure an insurance company's data systems do not have an easy or glamorous job ahead of them. The aim should be to become a trusted advisor by creating an information security program that not only protects a carrier's digital borders from intruders, but also plays an active role in supporting the insurer's overall business strategy.

To learn more about how to handle this critical risk, listen to the archived version of Deloitte's recent webcast on the subject: “Insurance Cyber Risk: Impacts of a Changing Technology Environment.”

Sam J. Friedman ([email protected]) is the research team leader at Deloitte's Center for Financial Services in New York. For many years, he was the Editor in Chief of National Underwriter's P&C edition. Follow Sam on Twitter at @SamOnInsurance, as well as on LinkedIn.