A multi-dimensional approach, rather than reliance on a subset of actions, is needed to tackle the growing cyber security risk, Dominic Casserley, president and deputy chief executive officer of Willis Towers Watson, suggested in a recent speech at the Commonwealth Club of California in San Francisco.
Casserley urged organizations in the public, private and social sectors to adopt an integrated plan for building cyber security as a package, rather than relying on a subset of actions in response to growing cyber threats, notes a statement issued Thursday by global advisory, broking and solutions company Willis Towers Watson.
Pointing to the integrated response to fire that emerged following rapid urbanization and the development of cities – measures included creating fire brigades, new building materials and codes and fire prevention education, as well as moving away from open fires for heating – he argued that no single element on its own would have been sufficient to reduce fire exposures. A similarly integrated response is needed for cyber risk, he suggested.
“Alongside the amazing cyber opportunity, there are substantial risks,” Casserley said during his speech. “By bringing together technological solutions, by influencing human behaviour and by developing the insurance market, we can distribute cyber risk in order to enjoy the potential of a connected future.”
Casserley’s integrated plan for “protection and prevention” addressed the following elements:
- governance – oversight of cyber security should be at the most senior executive level and, where applicable, at the board’s risk committee;
- technology – it should be assumed hackers already have access to data on the inside of organizations, and institutions should regard technology as a necessary, but not sufficient, line of defence against cyber threats;
- people challenges – with two-thirds of data loss incidents caused by people within or close to the company, organizations should invest in making employees “cyber-smart,” and know that human capital experts can develop programs that incentivize employees to be vigilant; and
- capital allocation – available capital for cyber risk is currently constrained as markets continue to find it difficult to quantify the risks.
Highlighting the role of cyber insurance to cover potential losses, Casserley reported to attendees that current estimates put cyber insurance capacity at between US$500 million and $2 billion per risk.
That said, the insurance market will deepen when all the stakeholders are engaged in finding solutions to manage cyber risk, he added.