A commercial insurance underwriter and administration services company with a complex organizational structure was at a crossroads. The company was integrating several acquired businesses with very different cultures when its Chief Information Security Officer (CISO) resigned. At the same time, the company had implemented various budget cuts and an enterprise-wide workforce reduction that included IT staff.
The company faced additional cyber-specific challenges in its service model, where specialty insurance programs were primarily distributed through a network of independent third parties. Security functions were managed and divided among IT, security and multiple third parties. Kroll’s virtual CISO (vCISO) was engaged by the company’s general counsel to help lead executives and technical teams in rethinking and advancing a mature cyber security strategy.
Understanding the Current State of the Organization’s Strengths and Vulnerabilities
Initial steps taken by Kroll’s vCISO team:
- Assessed the organization’s current cyber security posture from multiple angles, including technology assets, staff expertise, policies and procedures, as well as an examination of its culture and willingness to implement change.
- Baselined the company’s security culture, i.e., the awareness, acceptance and compliance among various stakeholders with cyber security best practices.
Issues discovered in this phase included:
- A prevailing belief that the company was not at risk of being targeted by cyber criminals;
- Resistance to cyber security measures, such as two-factor authentication, when people felt they were burdensome in conducting everyday business, particularly when traveling;
- Some industries served by the company had controversial aspects that could provoke philosophy-driven cyber attacks (cyber activism);
- Inconsistent application of cyber security measures across the company; and
- Uneven participation by various company functional areas in cyber security decision-making.
Executive Leadership to Help the Company Undertake Pragmatic Cyber Security Measures
Technical and strategic actions led by Kroll’s vCISO crossed departments and seniority levels to achieve wider adoption:
- Moved the CISO position and the cyber security function under the general counsel to reflect their risk management role and to balance security against business operations.
- Reformed a Security Committee with representatives across the enterprise to connect the organization in decision making.
- Shared insights from Kroll’s global fieldwork to underscore why and how the organization was at real risk for cyber attacks.
- Demonstrated how to translate best practices into effective policies and procedures; revamped information security policies.
- Led an incident response tabletop exercise with the Security Committee and the technical IT and security teams; the simulations produced eye-opening realizations of the complexity involved in the response.
- Outlined a strategy to move forward, prioritizing threat detection and response.
- Addressed security issues related to potentially controversial policyholders.
- Put in place a third-party cyber risk management plan to gauge and mitigate the risk posed by vendors and to comply with regulations; risk-ranked third parties according to best practice criteria (CIS Controls™), and set up initial questionnaires and ongoing monitoring accordingly.