April 24, 2017 by Angela Stelmakowich
PHILADELPHIA – Considering human risk is essential when determining how best to combat data breaches and associated costs, but the human element is routinely overshadowed by technology in organizational efforts to bolster cyber security, says Anthony Dagostino, global head of cyber risk for Willis Towers Watson (WTW).
“Companies tend to place a heavy emphasis on investing in technology to improve cyber defences, which is crucial, however, often at the expense of human risk,” suggests Dagostino, who will be part of a private panel discussion, hosted by WTW, during the RIMS 2017 Annual Conference and Exhibition Apr. 23-26 in Philadelphia.
WTW data indicates that human risk “represents the largest source of data breach claims,” Dagostino told Canadian Underwriter in advance of the conference.
“This creates a compelling argument for organizations to take a more strategic approach to how they allocate their capital across the three main buckets: technology, people and risk transfer,” he suggests.
“Companies need to understand, quantify and provide sufficient capital for their greatest exposures,” Dagostino emphasizes.
“The strategic allocation of capital is crucial because costs associated with cyber breaches can be both hard and soft,” he explains. As an example, he points out “a consequence of a data breach is that it can result in a hit to an organization’s reputation or a decline in shareholder value.”
But are there hurdles that need to be cleared around the importance of human risk?
“It really starts with an enterprise-wide approach to combating cyber risk, which includes employee training, an effective talent and rewards strategy, and an efficiently designed information technology and information security program,” Dagostino says.
Recent WTW claims data shows that employee negligence or malicious acts account for 66% of cyber breaches, while only 18% were directly driven by an external threat and cyber extortion accounted for just 2%.
“Our data further shows that approximately 90% of all cyber claims are the result of some type of human error or behaviour,” Dagostino reports. “The simple truth is that a data compromise is more likely to come from an employee leaving a laptop on the train than from a malicious criminal hack.”
Using analytical tools can help with quantifying the potential impact of a cyber breach, Dagostino maintains. However, again, this needs to take into account vulnerabilities from a workplace culture perspective.
“Ultimately, sophisticated assessments will bring more clarity to the risk management process, provide guidance on capital allocation, and to the extent these investments help avert a cyber breach, result in considerable cost savings in the long term,” Dagostino told CU.
WTW has “found strong correlations between workforce culture and cyber risk – both in terms of employee behaviour and employee perception,” he says.
“Today, organizations need to better understand how the various elements of their culture – from training to talent and rewards, and even corporate values and customer focus, shape their employees’ behaviours and, ultimately, either reduce or increase their exposure to cyber risk,” Dagostino suggests.
He expects that direct costs associated with certain areas of cyber risk management and breach response will continue to rise. “As part of response costs, forensic investigations and law firm services costs continue to increase based on demand, driven by the evolving regulatory landscape and increasingly sophisticated use of technology,” he points out.
“Costs associated with minimizing cyber risk and boosting cyber defences will also continue to rise as technology evolves and becomes more sophisticated,” he adds.
Dagostino notes the cyber insurance market is currently “quite robust and we continue to see capacity come into the marketplace, which is good news for buyers.”
A stand-alone cyber policy “provides the best approach for affirmative coverage in addressing various risks, especially when designed in conjunction with other lines of insurance and tailored within an organization’s overall insurance program,” he explains, but further advises “there are some elements of exposure that are not currently covered in the cyber marketplace.”
Examples of these include the value of an insured’s own intellectual property and broad reputational harm or impact, he reports.
With a view to enhancing awareness and improving prevention, Dagostino recommends that organizations do the following:
“Cyber risk is, in many ways, a team sport requiring effective working relationships at the corporate level,” he told CU.