No company is too small and no data too insignificant to be hacked. Besides, the point is not what hackers do with a company’s data, but what the company can do without it – not a whole lot.
Insurers inform their clients about cyberspace threats and how to prevent attacks
© GDV / Malte Knaack
Broad sections of the German Mittelstand underestimate the risks lurking in cyberspace. Some companies consider themselves too small, unimportant or uninteresting to register on cybercriminals’ radar. That is a fallacy: no company is too small and no data too insignificant to be hacked. Besides, the point is not what hackers do with a company’s data, but what the company can do without it – not a whole lot. What business can function without IT, data, e-mails or internet access? These things are indispensable in the modern economy. Failing to take the cyberspace threat seriously by not being adequately protected can be an existential threat to any business. That is why German insurers are investing considerable effort in fighting cybercrime and providing protection against it. We inform our customers of the dangers they face and how they can avoid them; we review their cybersecurity processes, point out security gaps and – where necessary – request technical and organisational changes in companies’ cybersecurity practices. Insurers are thus helping to strengthen small and medium-sized companies and contributing to the security and prosperity of Germany.
7 theories on digitalisation
Theory 1: Cybersecurity is a management issue
Strong commitment at the top executive level and clear structures are needed to embed a cybersecurity culture within an organisation. Who is responsible for protecting company data? What data are stored and where? Who has access to the data and when? Are employees allowed to use the company internet in a private capacity or to use their home computer in a professional capacity? If there is no clear policy regulating such issues, people will just do what they think is right, with all the risks involved.
Theory 2: Cybersecurity is not a status but a process
The nature of the threats in cyberspace is in constant flux. Hackers are growing ever more sophisticated and every new technology brings new security flaws. Companies must therefore employ state-of-the-art technology, raise awareness about the dangers and conduct regular staff training to resist these cyberattacks.
Theory 3: Cybersecurity can also help following a hacking attack
Only very few companies can bring their IT systems back online on the same day they fall victim to a cyberattack. In most instances, companies have not defined appropriate processes, relying instead on an ad-hoc response. Good preparation and clear instructions keep losses to a minimum.
Theory 4: Cybersecurity and insurance protection are complementary
Cyber insurance can protect companies from the financial consequences of a cyberattack. Not only does it cover the cost of data theft and business interruption but also IT forensics and crisis communication. At the same time, insurers normally make cover contingent on the company fulfilling certain criteria that reduce the probability of a successful attack, thus keeping any fallout within manageable proportions.
Theory 5: Cybersecurity requires mandatory standards for connected devices
The cyber risks facing connected devices must be effectively restricted. That requires, among other things, that all manufacturers automatically load security updates onto devices for a specified period and clearly record the expiry of the support period on the hardware. Webcams and other add-ons used in the private sphere of the consumer need special protection. Cybersecurity only works if connected devices have binding security standards.
Theory 6: Cybersecurity is also fundamental to insurers
As the guardian of sensitive customer data, the insurance sector itself is a popular target for hackers and must be equipped to deal with these attacks. That involves informing external experts and authorities in the event of an attack and closing any security gaps. Ten years ago, the insurance sector created the “LKRZV Krisenreaktionszentrum” (crisis response centre) as a central reporting platform to notify all insurers and/or the responsible authorities immediately in the event of a crisis. The GDV has also drawn up a crisis reaction plan for major cyber incidents in collaboration with public prosecutors and regional Ministries of Justice (Landes-Justizministerien). GDV member companies have committed to respond even more quickly if they suffer a cyberattack and to ensure the security of the insurance industry as critical infrastructure.
Theory 7: Cybersecurity must be ensured for all transmission channels
Secure transmission channels are crucial to digital data security. Insurers have already developed their own Cloud, the Trusted German Insurance Cloud (TGIC), for secure, web-based communication. By achieving certification for the TGIC, the sector and the Federal Office for Information Security (BSI) have contributed to establishing a security standard for Cloud solutions. There should be minimum standards for all sectors to protect electronic business processes.
The Positions of German Insurers in 2020