Case Study

‘Countering cyber risk presents a significant strategic challenge to leaders across industries and sectors but one that they must surmount in order to take advantage of the opportunities presented by the vast technological advances in networked technology that are currently in their early stages. Over the past decade, we have significantly expanded our understanding of how to build secure and resilient digital networks and connected devices. However, board-level capabilities for strategic thinking and governance in this area have failed to keep pace with both the technological risks and the solutions that new innovations provide.

Boards have a vital governance function, determining overall company behaviour and setting a company’s risk appetite. For boards, action means effectively exercising oversight by asking managers the right questions to ensure that the boards’ strategic
objectives are met. This function is no different in the area of cyber resilience. By offering the following principles and tools, the Forum hopes to facilitate useful dialogue between boards and the managers they entrust with the operation of the companies to which they owe their fiduciary obligations.’

Cyber-attacks are reported to be increasing in the insurance sectors as the companies are undergoing digital transformation to secure customers, new product offering and portfolio expansion strategies. Such a migration is characterised by huge investments in IS/IT systems for the integration of different platforms within the insurance claim process. Though this capability improves the competitive advantage as a strategic initiative, it is also prone to cyber risks impacting consumer information. Apart from determining innovative approaches to handle data analytics, insurance companies have to devise measures to secure their data from cyber threats.

With huge networks and concepts like the Internet of Things (IoT) becoming a major part of the digital and business landscape, all companies have to gear up by having well-controlled cyber resilience policies. This is necessary for both improvement, to build trust and for survival. CGU Insurance Limited, a front runner in the Australian Insurance industry in one such company with efficient corporate governance in this regard. The company follows multifactor identification, enhanced security and encryption, safe password and protection policies, protection software and updates and regular backup of all confidential data. Best practices and recommendation, including educating employee about best practices, creating ownership structure and mechanism for recovery, have been suggested for a strong cyber resilience policy.

Introduction 

The world of business changes and evolves rapidly. Be it in terms of innovations in product or changes in market dynamics; there are new developments every day (OECD 2010). With technology and every aspect of business becoming more technology-driven, the changes are becoming quicker. There are rapid technological innovations, especially when it comes to cyberspace. Many companies store and manage huge chunks of data over computer networks – these networks could be within the company, over a public network or a third party network. There is reduced data redundancy, swifter access to data, reduction in mismanagement, cost reduction and various other benefits offered by cyber networks. But all this means that there is more possibility of security issues and attacks (Razzaq, Ali Hur & Masood 2013). Companies have to be able to be resilient; they should be able to tie up their business, security and resilience together (Valli, Martinus & Johnstone 2014). With such a framework, companies can combat cyber threats effectively.

Cyber Security at CGU Insurance 

CGU Insurance Limited is an Australian company publicly listed in the ASX. It is an intermediary-based insurance company which is one among IAG – Insurance Australia Group (IAG 2014). The company has offices throughout the country and interacts via various networks with customers, business partners, representative offices and branches. According to the IAIS, which is the International Association of Insurance Supervisors says that Insurance companies are one of the most vulnerable when it comes to cyberattacks (IAIS 2016). This is because almost all their activities are on networks that include raising capital, issuing debt to parties, communicating with various financial institutions for investment and managing customer financial information (Insurance Business 2016)(Insurance Business, 2016).

(Some parts of the solution has been blurred due to privacy protection policy)