LähiTapiola is a life insurance company that offers services to different customer groups, and its most important values are courage, goodwill and passion. LähiTapiola operates in Finland and its service selection covers all the insurance products that are available on the Finnish market. The corporate group also offers financial products and investment services. In health insurance matters, it operates through partners.
Most recently, Insta implemented a cybersecurity exercise for LähiTapiola’s senior management, in which
- cyber resilience was developed through a realistic and immersive exercise scenario
- the management of a crisis situation and the management of situation awareness in a virtual environment was exercised
- the good collaboration, which has continued for the past five years, was further deepened
- a continuum for similar exercises in the future was created
Exercise in a regulated and changing environment is important
As a company that is critical in terms of security of supply, LähiTapiola must ensure the functionality and accessibility of customer services in all circumstances. It is, of course, important to serve customers as well as possible and respond to customer needs during the digital era. The operating environment has moved from traditional office dealings to digital tools, and also as a result of the coronavirus period, more and more customer contacts are handled remotely.
Operations in the financial sector are strictly regulated, and for decades, they have been based on the fulfilment of certain requirements. - There are many different regulations and requirements in the sector that need to be observed, applied and interpreted. Recently, particularly the EU Commission’s draft bills concerning cybersecurity have brought out the need for exercise, explains Leo Niemelä, Security Director at LähiTapiola.
Long-term development of preparedness
The collaboration between Insta and LähiTapiola started with the need to concretise continuity and preparedness plans, which LähiTapiola is legally obliged to prepare. The plan documents support operations in crisis situations, but practice exercises were needed to test the plans. To begin with, the company created its own situation cards on the basis of various crises, but exercise operations were soon also initiated with Insta, and LähiTapiola acquired a personal license to use Insta’s exercise platform, Trasim.
- At the beginning, the main issue was that a need was observed for a general operating model concerning the actions to be taken in crisis situations. The guidelines were developed in such a way that the roles and responsibilities of different operators in crisis situations were defined, and they described how to organise, and what the concrete measures are in particular situations. Already the first exercises gave us insight into how we should operate, explains Kimmo Niskala, who operates as the manager responsible for operational risks in LähiTapiola Group’s risk management services.
- Each year, these operating models are further deepened. When the organisation changes, the roles of different operations must always be clarified - and this is what our last exercise mainly tested. Step by step, we have developed operations, guidelines and the role of operators, and the exercise operations have been a good impulse to support this, Niskala continues.
Improving the cyber resilience of management - remotely
The objective of the most recent exercise was to develop the cyber resilience of senior management. The hacks that have been strongly brought out in public debate were a wake-up call to take action in improving cybersecurity’s resilience. There was also found to be a need to genuinely experience how the formation and management of situation awareness are handled in a crisis situation. The coronavirus situation emphasised the significance of the exercise, because there had been no prior experience of exercise in a fully virtual environment.
Various decision-making groups took part in the exercise, and the cooperation between the different roles was an essential part of the exercise. - The key question was, how the ICT world, business processes and management combine as a single entity, and how this leads to the need for finding a common language and method to form situation awareness even in case of challenging issues - and communicate it between different roles and different groups. The spoken situation awareness is emphasised in such exercises, Niskala analyses.
- The exercise also allowed the needs of situation management infrastructure to be perceived: how the situation image is conveyed in real time and in the correct format to different groups, Niskala adds.
Exercise makes its mark and creates an engram
- Management wanted to experience how they would have to stare at the hacker or criminal almost eye-to-eye and make decisions in the said situation - because that’s what reality is, Niemelä shares about the initial situation. - In my opinion, this wish was fulfilled well, and the exercise was at a good pace to continue, he praises.
- One teaching or success from all the exercises that have been held is the strong engram that is left with all participants. You will remember what the exercised situation is and how much you will feel the pressure since there is a lot of incorrect information, when the situation awareness evolves and you don’t really know what you are up against. Such a strong engram provides the readiness to take action in a real crisis, and helps to focus on clarifying the situation as well as differentiate between true and untrue. Everyone in our organisation who participated in the exercise operations still remembers years later what happened in the exercise operations, says Niskala as he describes the successes of the intense and immersive exercises.
It is important to exercise operating in a virtual environment
An entirely virtual implementation increases the realism of the exercise because a real crisis will also occur unexpectedly.
- Nowadays, we rarely even reach a situation where there would be a conference room or crisis centre where everyone is convened. People work in such a decentralised manner, so online operations would have to be hacked in any case, and this will probably only increase in the future, Niskala considers.
- In this exercise, it was very essential that information exchange and reporting was carried out between the practicing groups. A good subject of exercise was how to operate in exercise in the digital world when you cannot walk into the next room to provide a situational report but instead you have to leave one meeting and continue to another in the Teams world, he continues.
- Now, for the first time, we have exercised how a crisis can be virtually managed, says Niemelä. - This allows us to organise and seek the relevant roles with more ease. I was personally surprised to find out the extent of communications’ role. Overall, this is a good point to continue from. The exercise operations raised positive opinions in management on the fact that these operations are good to be carried out. Exercise is not quantum physics, and it does not discredit anyone. I personally appreciate that no-one considers to have to make decisions alone, but instead the practicing group worked peacefully and decisions were made jointly.
The remote era further emphasises the importance of developing preparedness, although remote exercises require more in-depth preparations.
- It can often be considered that the implementation of the exercise in the current situation would cause an extreme amount of work and planning but our perspective is that the world can change in a direction in which you have to know how to operate in a virtual environment, Niemelä considers.
- We must have a method to control a situation in all circumstances, says Niskala as he summarises the importance of exercise during the coronavirus period.
Good partnership enhances exercise operations
Exercise operations have been actively developed in the LähiTapiola Group for several years. The regularity and continuity of exercise operations is useful in improving resilience and developing operating models. At its best, a good partner increases the effectiveness of exercise.
- Insta is a flexible, expert partner, which is why we have chosen Insta. We can only praise the expertise in support of the exercise operations, Niskala says.
- Insta has been a reliable partner to us, and they have offered their expertise for carrying out the exercise: what sort of process is used to plan the exercise and how it is implemented. Insta also offers a technical tool, i.e. the Trasim exercise platform, for carrying out the exercise, and this strongly supports the operations. Without such a tool, exercise would be mainly desktop testing. The exercise platform provides action and a flow of events, and it makes practicing more lively, Niskala continues.
- The implementation of exercises is also strongly affected by the fact that we have cooperated for the past five years. We know the people who work at Insta, and they know us. They know what happens at insurance companies, and they know what processes and disturbances can occur. Scenarios are easier to plan compared to starting off for the first time because the operating environment is already familiar. The planning and implementation of exercises, therefore, becomes more dynamic each time, Niskala continues to consider.
- The cybersecurity exercise for management was extremely cost-effective in terms of the benefits it provided. Our wishes were heard and the exercise was excellently proportioned for the target group. The success of the exercise is indicated by the fact that already the day after the exercise, a similar exercise was agreed for the following year, Niemelä praises.
Exercise is a learning process
In the future, the plan is to carry out exercises with new scenarios and target groups. The management’s cybersecurity exercises shall be continued on a regular basis, and the participation of partners shall be considered. In addition to this, the exercise of the corporate group shall be developed as widely as possible, for example, with an exercise library.
- Exercise is a learning process, in which the abilities to encounter difficult crisis situations and perceive the diversity of situational awareness improve. Exercise allows us to learn to consider the situation from different perspectives: how it is perceived by customers, staff or the media. Everything culminates in the development of this skill, explains Niskala as he sums up the benefits of exercise.