A multi-dimensional approach is needed to tackle cyber security risk, according to Dominic Casserley, president and deputy CEO of Willis Towers Watson.
Casserley, in a speech at the Commonwealth Club of California in San Francisco on 19 February 2016, set out an integrated plan for building cyber security.
He urged organisations in the public, private and social sectors to adopt this proposal as a package, rather than relying on a sub-set of actions in response to growing cyber threats.
Casserley said: “We are in the middle of an extraordinary technological revolution in the way we live and do business.”
“Alongside the amazing cyber opportunity, there are substantial risks. By bringing together technological solutions, by influencing human behaviour, and by developing the insurance market, we can distribute cyber risk in order to enjoy the potential of a connected future.”
In his plan, Casserley addressed governance, technology, people challenges and capital allocation.
On governance, he called for oversight of cyber security at the most senior executive levels of organisations, and the board’s risk committee.
On technology, he said it should be assumed that hackers already have access to data on the inside of an organisation. The average time between a breach and its owner noticing is more than 200 days, so cyber professionals should perform regular checks on the integrity of information inside systems, he said.
Casserley also encouraged institutions to see technology as a very necessary but not sufficient line of defence against cyber threats.
On workforce strategy, Casserley called on organisations to invest in making their employees “cyber-smart”, noting that two-thirds of data loss incidents are caused by people within or close to the company.
He also observed the link between workforce morale and cyber breaches, where companies with higher morale record fewer accidental or deliberate breaches.
In addition, Casserley highlighted that the role of cyber insurance to cover potential losses, noting that available capital for cyber risk is currently constrained as the markets continue to find it hard to quantify the risks.
According to Casserley, the current estimates put cyber insurance capacity between $500 million and $2 billion per risk, however, he believes that the insurance market will deepen when all the stakeholders are engaged in finding solutions to manage cyber risk.
