A new cyber­space risk cul­ture

Strong commitment at the top executive level and clear structures are needed to embed a cybersecurity culture within an organisation. Who is responsible for protecting company data? What data are stored and where? Who has access to the data and when? Are employees allowed to use the company internet in a private capacity or to use their home computer in a professional capacity? If there is no clear policy regulating such issues, people will just do what they think is right, with all the risks involved.

The nature of the threats in cyberspace is in constant flux. Hackers are growing ever more sophisticated and every new technology brings new security flaws. Companies must therefore employ state-of-the-art technology, raise awareness about the dangers and conduct regular staff training to resist these cyberattacks.

Only very few companies can bring their IT systems back online on the same day they fall victim to a cyberattack. In most instances, companies have not defined the commensurate processes, relying instead on an ad-hoc response. Good preparation and clear instructions keep losses to a minimum.

Cyber insurance can protect companies from the financial consequences of a cyberattack. Not only does it cover the cost of data theft and business interruption but also IT forensics and crisis communication. At the same time, insurers normally make cover contingent on the company fulfilling certain criteria that reduce the probability of a successful attack, thus keeping any fallout within manageable proportions.

The cyber risks facing connected devices must be effectively restricted. That requires all manufacturers to, among other things, automatically load security updates onto devices for a specified period and to clearly record the expiry of the support period on the hardware. Webcams and other add-ons used in the private sphere of the consumer need special protection. Cybersecurity only works if connected devices have binding security standards.

As the guardian of sensitive customer data, the insurance sector itself is a popular target for hackers and must be equipped to deal with these attacks. That involves informing external experts and authorities in the event of an attack and closing any security gaps. Ten years ago, the insurance sector created the “LKRZV Krisenreaktionszentrum” (crisis response centre) as a central reporting platform to notify all insurers and/or the responsible authorities immediately in the event of a crisis. The GDV has also elaborated a crisis reaction plan for major cyber incidents in collaboration with public prosecutors and regional Ministries of Justice (Landes-Justizministerien). GDV member companies have committed to respond even quicker if they incur a cyberattack and to ensure the security of the insurance industry as critical infrastructure.

Secure transmission channels are crucial to digital data security. Insurers have already developed their own Cloud, the Trusted German Insurance Cloud (TGIC), for secure, web-based communication. By achieving certification for the TGIC, the sector and the Federal Office for Information Security (BSI) have contributed to establishing a security standard for Cloud solutions. There should be minimum standards for all sectors to protect electronic business processes.