Mitigating Company Harm from Cyber Exposure - Unravelling the Threads

Many industries have been forced to embrace the technological revolution, as big data, digital automation, and artificial intelligence become key drivers for improving efficiencies and creating market advantages.

Digital velocity has dominated most business sectors, but with such advancements occurring at an extremely rapid pace, a key business challenge is how to manage the need for innovation, and yet manage data assets in a way that avoids cyber security taking a back seat.

For many institutions, particularly small-to-medium enterprises, digital transformation is still in its early stages. Most companies will be managing several legacy systems (most likely antiquated) that still connect to their operational environment, creating complex IT conditions and a wide attack surface. Even where legacy system risk is limited, recent cyber breaches demonstrate that even state-of-the-art IT security management leaves avenues for accidental or malicious cyber incidents to occur. It is generally accepted that firms must use flexible and adaptive approaches to manage cyber risk, focused around developing resilience and improving incident response.

Globally, Willis Towers Watson has analysed its deep claims data which showed that 61percent of cyber claims in our portfolio arose due to malicious or accidental acts by employees. This could include social engineering losses, accidental disclosure, rogue employees, stolen and lost devices, or ransomware.

Preventing these types of breach requires improving employee behaviour and risk mitigation strategies that are implanted across the whole organisation.

While Human Resources, Operations, Finance, and IT should all be involved in mitigating cyber risk, regulators have identified boards of directors and senior management as critical gatekeepers, and the most effective channel to ensure data security risk is holistically overseen. Boards can best manage these obligations by driving a cyber-resilient culture through being appropriately educated on key exposures. Further, they should and demand effective reporting across their business on data security processes, areas of vulnerability, incident response and best practices data. Specialised expertise is also needed, as well as improving the education of generalist employees across the business.

A recent global survey of 452 companies, conducted by the Economist Intelligence Unit (EIU) and Willis Towers Watson, found that leading companies were simultaneously educating generalists and developing strong working relationships with specialised committees. These committees can help ensure the Chief Information Security Officer (CISO) effectively communicates cyber security issues to the Board in a way they understand – essentially, through the dollars at risk.