At a glance
- A cyber risk stress test can identify weak points in business continuity and incident response plans
- Beyond protecting data, bold scenario planning allows the test to consider the impact of a cyber event that causes a system blackout
- Learn why a cyber risk stress test benefits organisations and how they can conduct an effective test by reading this article
This article counts towards accumulating your annual CII CPD structured learning hours for Cyber and Data Security.
By reading this article, and correctly answering the three questions underneath, you will have achieved the following learning outcome: Summarise how the insurance industry is responding to cyber risk.
Given that cyber exposures are now seen as inevitable, it’s more important than ever for organisations to invest in resilience.
The two fundamentals of resilience are to protect profitability through business continuity and incident response planning, allowing organisations to identify how quickly and effectively they can react to any given scenario. That’s what cyber risk stress tests are all about.
What is a cyber risk stress test?
The idea behind a stress test is to determine the critical systems, people and locations needed to continue to serve customers and how best to protect and recover them.
Four reasons why organisations should conduct cyber risk stress tests
- The actual cost of recovering from significant organisational disruptions, particularly in supplier networks, can be significantly higher. Increased dependence on cyber functions could mean even greater costs as a result.
- Cyber attacks are considered a risk of high concern to doing business in several major economies, including economic heavyweights such as Germany, Japan, the U.S. and the U.K., according to the World Economic Forum’s Global Risk Report 2019. If organisations do business internationally they will benefit.
- Cyber risks are interconnected. Whilst businesses can conduct internal strategies, suppliers can expose fresh risks.
- Organisations have valuable data to protect, even if they don’t realise it.
Top tips for conducting a cyber risk stress test – Organisations should:
- Identify a C-Suite sponsor, ensuring that all of the necessary resources are acquired. Organisations will benefit when the sponsor shares test results at the highest levels, including the board.
- Make time for testing and validation. Organisations will have systems that they use day to day without necessarily understanding their vulnerabilities.
- Know their goal and ensure they identify the key people and functions that are critical to their business, prioritising the order in which they are addressed during incident response.
- Make sure they have engaged with the right people. The main players in a cyber stress test are employees who have oversight of critical operations and who can effect change.
- Include some of their major suppliers in a stress test. This can help deepen the customers’ relationships with them and allow them both to gain insights into business continuity plans, and verify how they can work together.
- Invest time in the testing. A full day or even two days is time well spent creating resilience across their business.
- Be imaginative when developing scenarios for the test. The scenarios could cover a hacker gaining access to financial functions, internal human error that disrupts delivery of quality services, or a systems crash at a primary supplier that halts production because vital parts are not delivered to the organisation.
- Ensure that employees know how they will contribute to keeping the organisation running, or getting it back to expected productivity levels using a business continuity plan.
Organisations should expect to find room for improvements in their business continuity and incident response plans as a result of conducting the stress test. The value of the test is what they do with what they’ve learned, strengthening weak points in the plans and improving the ability of employees to execute them. In the end, that is how they proactively increase resilience to cyber risks.
If you have any questions about risk management, please contact your Zurich Account Executive.