Expert Commentary

Assessing Risk and Cyber-Security

Regardless of the goals of your company or organization, being successful depends on keeping assets secure. As a cyber-security expert, I make sure that digital assets are being kept safe from cyber-security threats and that this risk is managed in a cost-effective and efficient way. 

Cyber and Privacy Risk and Insurance
September 2016

Even though organizations often employ information technology (IT) specialists to help keep their assets secure, security is often neglected in favor of convenience. And as I always say, when convenience is held as a priority, security diminishes. In this article, I will present a number of potential security vulnerabilities and attacks that companies might face, along with advice on how to address these threats. Insurance providers are particularly affected by these risks since, as the digital store of confidential information grows, companies are held more and more liable when breaches occur.

Assessing Risk

Along with attacks on servers and your company's network, it should be recognized that a large part of vulnerability is entirely human. That is, instead of targeting technology directly, a hacker or cyber-criminal will develop a strategy that seeks to compromise human weaknesses and points of access. This is commonly referred to in the digital forensic community as a spear phishing attack or, more specifically, chief executive officer (CEO) fraud. Insurance companies themselves are at great risk for this kind of attack given the amount of proprietary information they store about their clients.

Having gathered a store of private, or semi-private, information, a threat actor composes an email. This email strongly resembles a company-issued communication, with a similar design and heading. The sender will appear to be the company's CEO or another individual in charge of financial decisions. However, the email will typically make a very particular request; namely, that an employee initiate a wire transfer, sending a large sum of money. Not wanting to appear incompetent or confused by the request, many employees fulfill it without double-checking in person or even calling to verify. These kinds of attacks can cost companies millions of dollars, since many attackers target the same business repeatedly once an initial request proves successful.
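The indicators described above (an executive's display name on an outside address, a Reply-To that diverts the thread, and urgent wire-transfer language) can be checked mechanically before a request reaches the person who would act on it. The following is an added example written for this commentary, not code from the author or from any product; the executive roster, company domain and the sample message are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed for this example: the organization's own domain and the
# executives whose names are most likely to be impersonated.
COMPANY_DOMAIN = "example-insurer.com"
EXECUTIVES = {"jane doe": "jane.doe@example-insurer.com"}

# Phrases typical of a fraudulent payment request (illustrative, not exhaustive).
REQUEST_TERMS = re.compile(r"\b(wire transfer|wire the funds|urgent|confidential|today)\b", re.I)

def ceo_fraud_indicators(raw_email: str) -> list[str]:
    """Return the CEO-fraud risk indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw_email)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    flags = []
    # An executive's display name on an address other than the one on file.
    known = EXECUTIVES.get(display.strip().lower())
    if known and addr.lower() != known:
        flags.append("executive display name with unexpected address")
    if sender_domain and sender_domain != COMPANY_DOMAIN:
        flags.append("sender domain is external")
    # A Reply-To that differs from the sender steers the reply away from the real executive.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        flags.append("reply-to differs from sender")
    body = msg.get_payload(decode=True)
    text = body.decode("utf-8", "replace") if body else ""
    hits = {m.group(1).lower() for m in REQUEST_TERMS.finditer(text)}
    if hits & {"wire transfer", "wire the funds"}:
        flags.append("wire-transfer request")
    if hits & {"urgent", "today", "confidential"}:
        flags.append("urgency/secrecy language")
    return flags

# Constructed sample message resembling the request described in the article.
SAMPLE = """From: Jane Doe <jane.doe@example-insurer-mail.com>
Reply-To: Jane Doe <ceo.jdoe@freemail-example.com>
To: accounts@example-insurer.com
Subject: Quick request

I'm in a meeting all day. Please process an urgent wire transfer of $48,000
to the account below today and keep this confidential until I'm back.
"""

if __name__ == "__main__":
    for flag in ceo_fraud_indicators(SAMPLE):
        print(flag)
```

A message that trips several of these indicators should be routed to an out-of-band verification step (a phone call to a known number) rather than acted on; a clean result does not prove a request is genuine.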

When making these assessments, it is important to consider an organization's digital scope. This includes online presence, the amount of digitally stored information, the sensitivity of that information, the size of the organization, and any indications of the organization's commitment to security best practices. Related to that last factor, it is also critical to look at the quality of a company or organization's IT staff. Frequently, IT members compromise safety and security for the sake of convenience. Though this approach may be beneficial in the short term, it can cause long-term problems and incur significant losses to an organization. It is important that organizations and companies make security and the safekeeping of data the priority, rather than a secondary consideration.

Extensive costs, reputational damage, and lost business hours accompany large-scale data breaches. With the increasing amount of digital data comes the reality that losses are greater, and the consequences can be fatal, especially since the safekeeping of data is now widely considered a basic necessity.

Insurance providers should recognize the scope of information that is now digitally stored. Health information, financial data, Social Security numbers, and other identifying information are all held on our digital devices. Client data is valuable for a number of reasons, and for attackers, this value can potentially translate into millions of dollars if an attack is executed properly. As described above, attacks can result from a number of different vulnerabilities, both technological and human. A company with the best security infrastructure can still be compromised if its employees are not educated and a “culture of security” is not established. Many organizations fail to recognize this critical element of a strong security posture and end up suffering losses. Insurance providers should take this into account when assessing client risk and constructing policies.

It is important to recognize that cyber-threats are more difficult to quantify than other kinds of risk. For example, as previously stated, a company may still be greatly at risk even if a strong technological infrastructure is in place. It is critical to analyze every point of potential vulnerability to assess overall security posture and risk of cyber-attack. And this can be quite a large task given the craftiness of the modern hacker.

To start, look at the written cyber-security practices of an organization. Having an established set of guidelines for managing cyber-risk is an important foundational step, and it bodes well for an organization's security stance if a set protocol is in place. Then, try to determine how closely these rules are followed within the organization. It's one thing to have a set of rules and regulations and a completely different thing to actually incorporate them into daily operations. Look at employees to see what, if any, security measures are undertaken. Preliminary questions that should be answered include: What are the practices surrounding the use of private devices to store company information? Are passwords strong and regularly updated? Are employees able to recognize email phishing attacks? These kinds of questions can help begin a cyber-security risk assessment.

Having looked at the written guidelines and how they are incorporated into the company's culture, the technological infrastructure and its degree of security should be examined. Up-to-date software and hardware are essential in maintaining acceptable levels of risk. But recognize that even the best systems can be compromised, and there is no such thing as perfect security.

All businesses and organizations with any degree of digital usage should be advised to train employees in cyber-security and best practices. It is also important that digital liability is recognized and proper protocols are followed to protect against breaches. Having conducted a number of cyber-security assessments and tests, I know that sometimes all it takes is one overlooked point of access for a hacker to attack. Insurance professionals should recognize this alarming fact when assessing the cyber-security risks of an organization. Consulting with digital security firms is also beneficial, as security postures are multifaceted and complex.

Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.
