Security Testing in the Insurance Industry Post NISD
The NIS Directive
With a reputation as a major competitive differentiator, companies in the banking and financial services (FS) sectors have historically kept internal cyber-security breaches and external attacks close to their chests. The (currently draft) European Network and Information Security Directive (the NIS Directive, or NISD) is set to change all that. It requires “operators of essential services”, including businesses in the energy, telecoms, banking, health, transport and financial services sectors, to “take appropriate security measures” to prevent incidents and limit their impact when they do occur, and to report incidents with a significant impact to the designated national competent authority or Computer Security Incident Response Team (CSIRT).
Once the European Parliament and Council have adopted the Directive, EU Member States will have 21 months to transpose it into national law. Each Member State will need to adopt a national NIS strategy; put in place regulatory measures to ensure network and information security; designate a competent authority to supervise compliance with NISD; and set up one or more CSIRTs (often referred to as Computer Emergency Response Teams, or CERTs) to handle incidents and risks. NISD also requires collaboration and information sharing: when an incident affects more than one Member State, the relevant CSIRTs are to inform the other affected Member States and coordinate a response.
So, just how will NISD affect the insurance industry? And how can we redesign our test strategies to avoid cyber-security disasters and ensure compliance with the new legislation?
It is difficult to judge the impact at this stage, as the Directive is still in draft form, but it seems unlikely that most cyber-security breaches will be made public knowledge. Reports go to the competent authority or CSIRT, and the draft only allows the authority to inform the public about an individual incident, after consulting the operator, where public awareness is needed to prevent or deal with it. That is good news for insurers, as publicity around a breach erodes customer trust and loyalty. Some firms that operate internationally may not find the requirements arduous at all, as they are already subject to similar legal requirements in countries such as Singapore. The telecoms sector will also be less affected, as telco companies already face incident reporting requirements under the EU Framework Directive.
For other insurance companies, however, these mandatory requirements are new territory. They need to prepare in advance, ensuring that they have a clear cyber-security prevention, detection, response and reporting strategy, and the additional resources needed to implement it.
The Directive is also likely to be a catalyst for growth in the cyber-insurance industry, with PwC predicting that the global market could grow to $5bn in annual premiums by 2018 and at least $7.5bn by the end of the decade. As insurers create more stringent rules to determine which businesses are an insurable risk, organisations in other sectors will be pushed to improve their own cyber-security and test strategies in order to obtain cover. There is concern in other industries that cyber-insurance policies are becoming too onerous, with tight restrictions and high pricing. This paves the way for a disruptive entrant to swoop in and corner the market with a better offering, so insurers need to take action to demonstrate their value. The key here is for insurance companies to lead by example: ensuring that their own security and security testing strategies are geared up for maximum threat detection and protection, and using new technology and the IoT to analyse the potential risks in other industries more effectively, enabling better pricing models.
The Security Testing Strategy
The Financial Services industry already allocates 37% of its total IT budget to QA and testing (World Quality Report 2015-16) and, with 88% identifying security as essential to success (WQR), it seems likely that, in light of NISD, a higher proportion of this will now be directed to improving security test strategies. Although the Financial Services sector has cautiously increased cloud-based testing in the last two years, the increased emphasis on security brought about by NISD is likely to heighten concerns about cloud privacy and security, giving rise to greater adoption of hybrid solutions. The vast majority of insurance companies already undertake penetration testing, but for most this is as infrequent as quarterly or once a year, with only a very small number testing monthly. Insurers will need to step up their penetration testing in order to meet the new NISD requirements and avoid a security breach or attack. We are also likely to see the Financial Services sector being one of the first to adopt widespread entitlement testing, a newer test approach that secures data throughout the application development lifecycle. Entitlement testing lets management determine who is accessing data and for what reason, and verifies that the ability to read and manipulate data is restricted to those who genuinely require it.
So, from a testing perspective, NISD is likely to bring greater maturity to insurance companies more quickly, and may even put them at the forefront of pioneering new testing methods in a bid to win the war on cyber-security.
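To make the entitlement-testing idea above concrete, here is an added example (written for this page; it is not Sogeti code and does not describe any particular product). It assumes a hypothetical approved entitlement matrix of roles, resources and actions, a list of grants exported from an application's authorisation store, and a small constructed access log in CSV form. The test compares the actual grants against the approved matrix in both directions (excess grants break least privilege; missing grants break the business process) and replays logged accesses through the same matrix to find who touched data they were not entitled to.

```python
"""Entitlement test: check actual grants and recorded accesses against an approved matrix.

Added example for illustration. The roles, resources, grants and log lines
below are constructed, hypothetical data, not taken from any real system.
"""
import csv
import io
from typing import Dict, Iterable, List, Set, Tuple

Grant = Tuple[str, str, str]  # (role, resource, action)

# Hypothetical approved entitlement matrix: role -> resource -> permitted actions.
# In practice this is signed off by the data owners, not by the development team.
ENTITLEMENT_MATRIX: Dict[str, Dict[str, Set[str]]] = {
    "claims_handler": {"claims": {"read", "update"}, "policies": {"read"}},
    "underwriter": {"policies": {"read", "update"}, "quotes": {"read", "update"}},
    "auditor": {"claims": {"read"}, "policies": {"read"}, "quotes": {"read"}},
}

# Constructed export of what the application actually grants today.
ACTUAL_GRANTS: List[Grant] = [
    ("claims_handler", "claims", "read"),
    ("claims_handler", "claims", "update"),
    ("claims_handler", "policies", "read"),
    ("claims_handler", "policies", "update"),   # not in the matrix: excess grant
    ("underwriter", "policies", "read"),
    ("underwriter", "policies", "update"),
    ("underwriter", "quotes", "read"),
    ("underwriter", "quotes", "update"),
    ("auditor", "claims", "read"),
    ("auditor", "policies", "read"),
    # ("auditor", "quotes", "read") is approved but never granted: missing grant
]

# Constructed access log (CSV). A real test would read this from the audit trail.
SAMPLE_LOG = """timestamp,user,role,resource,action
2016-03-01T09:00:00Z,alice,claims_handler,claims,update
2016-03-01T09:05:00Z,bob,auditor,claims,update
2016-03-01T09:07:00Z,carol,contractor,policies,read
2016-03-01T09:10:00Z,dave,underwriter,quotes,update
"""


def is_entitled(matrix: Dict[str, Dict[str, Set[str]]], role: str, resource: str, action: str) -> bool:
    """Deny by default: an unknown role or resource is never entitled."""
    return action in matrix.get(role, {}).get(resource, set())


def excess_grants(matrix: Dict[str, Dict[str, Set[str]]], actual: Iterable[Grant]) -> List[Grant]:
    """Grants that exist in the application but are not approved (least-privilege violations)."""
    return sorted(g for g in set(actual) if not is_entitled(matrix, *g))


def missing_grants(matrix: Dict[str, Dict[str, Set[str]]], actual: Iterable[Grant]) -> List[Grant]:
    """Approved entitlements the application does not grant (broken business process)."""
    have = set(actual)
    return sorted(
        (role, resource, action)
        for role, resources in matrix.items()
        for resource, actions in resources.items()
        for action in actions
        if (role, resource, action) not in have
    )


def unentitled_accesses(matrix: Dict[str, Dict[str, Set[str]]], log_text: str) -> List[Dict[str, str]]:
    """Replay logged accesses through the matrix; return the rows that should not have been allowed."""
    rows = csv.DictReader(io.StringIO(log_text))
    return [row for row in rows if not is_entitled(matrix, row["role"], row["resource"], row["action"])]


def run_entitlement_test(matrix, actual, log_text) -> Dict[str, object]:
    """Aggregate the three checks into one pass/fail result for a CI gate."""
    excess = excess_grants(matrix, actual)
    missing = missing_grants(matrix, actual)
    bad_access = unentitled_accesses(matrix, log_text)
    return {
        "excess_grants": excess,
        "missing_grants": missing,
        "unentitled_accesses": bad_access,
        "passed": not (excess or missing or bad_access),
    }


if __name__ == "__main__":
    result = run_entitlement_test(ENTITLEMENT_MATRIX, ACTUAL_GRANTS, SAMPLE_LOG)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run against the constructed data, the test fails: it reports one excess grant (claims handlers can update policies), one missing grant (auditors cannot read quotes), and two unentitled accesses in the log (an auditor updating a claim, and a user with a role the matrix does not know about). The deny-by-default behaviour of `is_entitled` is deliberate: a role that appears in production but not in the approved matrix is exactly the kind of drift this test exists to catch.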
Sogeti UK