APAC CIOOutlook

    Mitigating Company Harm from Cyber Exposure - Unravelling the Threads

    Ben Di Marco, Cyber Specialist - Australia and New Zealand and Jessica Wright, Regional Associate Director - Cyber, Asia, Willis Towers Watson


    Ben Di Marco, Cyber Specialist - Australia and New Zealand

    Many industries have been forced to embrace the technological revolution, as big data, digital automation, and artificial intelligence become key drivers for improving efficiencies and creating market advantages.

    Digital velocity has dominated most business sectors, but with such advancements occurring at an extremely rapid pace, a key business challenge is how to manage the need for innovation, and yet manage data assets in a way that avoids cyber security taking a back seat.

    For many institutions, particularly small-to-medium enterprises, digital transformation is still in its early stages. Most companies will be managing several legacy systems (most likely antiquated) that still connect to their operational environment, creating complex IT conditions and a wide attack surface. Even where legacy system risk is limited, recent cyber breaches demonstrate that even state-of-the-art IT security management leaves avenues for accidental or malicious cyber incidents to occur. It is generally accepted that firms must use flexible and adaptive approaches to manage cyber risk, focused around developing resilience and improving incident response.

    Globally, Willis Towers Watson has analysed its deep claims data, which showed that 61 percent of cyber claims in our portfolio arose due to malicious or accidental acts by employees. This could include social engineering losses, accidental disclosure, rogue employees, stolen and lost devices, or ransomware.

    Preventing these types of breach requires improving employee behaviour and risk mitigation strategies that are implemented across the whole organisation.

    While Human Resources, Operations, Finance, and IT should all be involved in mitigating cyber risk, regulators have identified boards of directors and senior management as critical gatekeepers, and the most effective channel to ensure data security risk is holistically overseen. Boards can best manage these obligations by driving a cyber-resilient culture through being appropriately educated on key exposures. Further, they should demand effective reporting across their business on data security processes, areas of vulnerability, incident response and best practices data. Specialised expertise is also needed, as well as improving the education of generalist employees across the business.

    A recent global survey of 452 companies, conducted by the Economist Intelligence Unit (EIU) and Willis Towers Watson, found that leading companies were simultaneously educating generalists and developing strong working relationships with specialised committees. These committees can help ensure the Chief Information Security Officer (CISO) effectively communicates cyber security issues to the Board in a way they understand – essentially, through the dollars at risk.

    Effective communication improves how the board perceives the spend on these costs and extends the conversation to critical underlying issues around the return on investment needed for information security practices, as well as the board’s true risk tolerance for cyber security.

    Risk tolerance is also increasingly influenced by constant media attention given to directors and officers and their potential liability for data breaches. Data and security breaches are pervasive; they cause business interruption and often result in financial loss to a business and its shareholders. These are ripe grounds for alleging a breach of a director’s duty of care and statutory obligations.

    Jessica Wright, Regional Associate Director - Cyber, Asia, Willis Towers Watson

    The recent Australian LandMark White (LMW) breach demonstrates these concerns. On May 6 this year, LMW announced a December 2018 data breach had caused business interruption and a loss of revenue of approximately A$7 million. The company also saw a 50% decline in its share price immediately after it publicly disclosed the breach.

    In high profile incidents, the Board’s oversight of data security risk will be of keen interest to regulators and shareholders. A Board and company’s best defence in these situations is to demonstrate a proactive approach to cyber risk management covering people, processes and technologies.

    Companies looking to demonstrate a proactive framework should develop and test business continuity and incident response plans to ensure that the financial and reputational effects of a breach are mitigated as much as possible. Mitigation tools such as cyber insurance are also of key benefit and provide access to a practiced breach response manager who coordinates the various third-party experts who might be needed to support the organisation, such as forensics, IT, public relations, legal advisors, credit monitoring and identity theft experts. The costs of these experts are covered as part of standard cyber insurance coverage.

    Many organisations miss the mark on assessing their security posture because they do not consider the full spectrum of their company’s cybersecurity outside of technology. The NIST (National Institute of Standards and Technology) Cybersecurity Framework has five categories: identify, protect, detect, respond, and recover. Companies spend on average 1.7 percent of annual revenue on cyber-resilience, with the majority of this spending being allocated to technology which mostly falls in the “protect” category. Giving attention to talent investment, development of business continuity and incident response plans, employee training, and insurance, can ensure that all five categories under NIST are being addressed.

    Given the current risk landscape, cyber security will remain a key business concern for years to come. The extent of technical, people and process challenges influencing the risk can at times be overwhelming; however, even single steps taken will improve resilience. Most importantly, where companies focus on holistic concepts, they will provide the best protection possible to both the balance sheet and their senior management.