Investments to fight cyber breaches must include technology, people and risk transfer: WTW cyber head

By Jason Contant | April 24, 2017 | Last updated on October 30, 2024
4 min read
|
|Anthony Dagostino, Global Head of cyber risk for Willis Towers Watson

PHILADELPHIA – Considering human risk is essential when determining how best to combat data breaches and associated costs, but the human element is routinely overshadowed by technology in organizational efforts to bolster cyber security, says Anthony Dagostino, global head of cyber risk for Willis Towers Watson (WTW).

“Companies tend to place a heavy emphasis on investing in technology to improve cyber defences, which is crucial, however, often at the expense of human risk,” suggests Dagostino, who will be part of a private panel discussion, hosted by WTW, during the RIMS 2017 Annual Conference and Exhibition Apr. 23-26 in Philadelphia.

WTW data indicates that human risk “represents the largest source of data breach claims,” Dagostino told Canadian Underwriter in advance of the conference.

“This creates a compelling argument for organizations to take a more strategic approach to how they allocate their capital across the three main buckets: technology, people and risk transfer,” he suggests.

“Companies need to understand, quantify and provide sufficient capital for their greatest exposures,” Dagostino emphasizes.

Related: Almost 40% of industrial computers worldwide faced a cyberattack in the second half of 2016: Kaspersky

“The strategic allocation of capital is crucial because costs associated with cyber breaches can be both hard and soft,” he explains. As an example, he points out “a consequence of a data breach is that it can result in a hit to an organization’s reputation or a decline in shareholder value.”

But are there hurdles that need to be cleared around the importance of human risk?

“It really starts with an enterprise-wide approach to combating cyber risk, which includes employee training, an effective talent and rewards strategy, and an efficiently designed information technology and information security program,” Dagostino says.

Recent WTW claims data shows that employee negligence or malicious acts account for 66% of cyber breaches, while only 18% were directly driven by an external threat and cyber extortion accounted for just 2%.

Related: Need for cultural shift to improve cyber security awareness: Wombat Security

“Our data further shows that approximately 90% of all cyber claims are the result of some type of human error or behaviour,” Dagostino reports. “The simple truth is that a data compromise is more likely to come from an employee leaving a laptop on the train than from a malicious criminal hack.”

Anthony Dagostino, Global Head of cyber risk for Willis Towers Watson

Using analytical tools can help with quantifying the potential impact of a cyber breach, Dagostino (pictured left) maintains. However, again, this needs to take into account vulnerabilities from a workplace culture perspective.

“Ultimately, sophisticated assessments will bring more clarity to the risk management process, provide guidance on capital allocation, and to the extent these investments help avert a cyber breach, result in considerable cost savings in the long term,” Dagostino told CU.

WTW has “found strong correlations between workforce culture and cyber risk – both in terms of employee behaviour and employee perception,” he says.

“Today, organizations need to better understand how the various elements of their culture – from training to talent and rewards, and even corporate values and customer focus, shape their employees’ behaviours and, ultimately, either reduce or increase their exposure to cyber risk,” Dagostino suggests.

He expects that direct costs associated with certain areas of cyber risk management and breach response will continue to rise. “As part of response costs, forensic investigations and law firm services costs continue to increase based on demand, driven by the evolving regulatory landscape and increasingly sophisticated use of technology,” he points out.

“Costs associated with minimizing cyber risk and boosting cyber defences will also continue to rise as technology evolves and becomes more sophisticated,” he adds.

Related: Determining consequential damages from data breach ‘difficult to apply in practice:’ Willis Towers Watson

Dagostino notes the cyber insurance market is currently “quite robust and we continue to see capacity come into the marketplace, which is good news for buyers.”

A stand-alone cyber policy “provides the best approach for affirmative coverage in addressing various risks, especially when designed in conjunction with other lines of insurance and tailored within an organizations’ overall insurance program,” he explains, but further advises “there are some elements of exposure that are not currently covered in the cyber marketplace.”

Examples of these include the value of an insured’s own intellectual property, broad reputational harm or impact, he reports.

Related: Organizations considering standalone cyber coverage should evaluate risk profile to see if traditional policies are adequate: RIMS

With a view to enhancing awareness and improving prevention, Dagostino recommends that organizations do the following:

  • build a “cyber-smart” workforce through comprehensive training and a combination of rewards and disincentives to encourage a culture supportive of cyber security;
  • consider technology as one of several lines of defence, not the only defence; and
  • take an enterprise-wide approach to setting cyber strategy, with collaboration across corporate functions.

“Cyber risk is, in many ways, a team sport requiring effective working relationships at the corporate level,” he told CU.

More coverage of RIMS 2017 Annual Conference and Exhibition

Damage to reputation/brand gets social, cyber jumps higher on risk list: Aon survey

RIMS supports charity in its fight against childhood cancer

Jason Contant