Willis Towers Watson’s president and deputy CEO Dominic Casserley has called for a multi-strike approach to tackle cyber risks.
In a speech at the Commonwealth Club of California in San Francisco, Casserley set out an integrated plan for building cyber security, urging organisations in the public, private and social sectors to adopt this proposal as a package, rather than relying on a sub-set of actions in response to growing cyber threats.
Casserley said: "We are in the middle of an extraordinary technological revolution in the way we live and do business. Alongside the amazing cyber opportunity, there are substantial risks. By bringing together technological solutions, by influencing human behaviour, and by developing the insurance market, we can distribute cyber risk in order to enjoy the potential of a connected future."
Casserley’s integrated plan for "protection and prevention" addressed governance, technology, people challenges and capital allocation.
On governance, Casserley called for oversight of cyber security at the most senior executive levels of organisations, and (where applicable) the board’s risk committee.
On technology, he noted that we should assume that hackers already have access to our data on the inside of our organisations.
The average time between a breach and the affected organisation noticing it is more than 200 days, so cyber professionals should perform regular checks on the integrity of information inside systems, he said.
Casserley also encouraged institutions to see technology as a very necessary, but not sufficient, line of defence against cyber-threats.
On workforce strategy, Casserley called on organisations to invest in making their employees "cyber-smart", noting that two-thirds of data loss incidents are caused by people within or close to the company.
He also observed the link between workforce morale and cyber breaches, where companies with higher morale record fewer breaches – accidental or deliberate. Human capital experts can develop programmes that incentivise employees to be vigilant in the protection of a company’s digital assets.
Casserley also highlighted the role of cyber insurance to cover potential losses, noting that available capital for cyber risk is currently constrained as the markets continue to find it hard to quantify the risks.
Current estimates put cyber insurance capacity at between $500m and $2bn per risk. But Casserley noted that the insurance market will deepen when all the stakeholders are engaged in finding solutions to manage cyber risk.