Risks and Rewards in a Digital World

Dominic Casserley, President and Deputy CEO, Willis Towers Watson

Coordinated Response to Combat Digital Threats:

A coordinated response is necessary to combat threats arising from the digital revolution. This year is the 350th anniversary of the Great Fire of London, one of the largest urban fires in history. Caused by a flying spark in a bakery, the fire destroyed a third of the city, and made 100,000 people homeless.

Increased risk of fire was one of the significant negative consequences of urbanization, arriving alongside, a set of new economic and social opportunities enabled by the growth of cities.The risks that came with urban expansion were serious, but did not dissuade people from city living. Instead, society captured the massive benefits through risk mitigation, including insurance.

When it came to urban fire, our response was multi-faceted. Every intervention we made was necessary, and none was sufficient on its own. For example, governments required building in brick and stone, not wood, with other building codes following. Local authorities established fire brigades. People stopped heating with open fires in their homes. We developed fire insurance.

Deployed in combination, these moves allowed cities to thrive, while fire risk declined dramatically. Indeed, our joined-up response to urban fire offers a parallel solution for how we might address one of today’s most pressing issues: the cyber opportunities and threats arising from the digital revolution.

By 2026, five billion people will be connected through four billion smartphones and 50 billion connected devices. Our connectivity has created an explosion in digital data–2.5 quintillion bytes every day, on social media, email, online purchasing, browsing, and by machines talking to machines in the Internet of Things. Connectivity is driving social progress. Businesses are mining new seams of innovation. The possibilities seem limitless. But with transformation, new opportunities are balanced by new risks.

A cyber strategy should be led from the ‘C-Suite’. It needs to be managed on a whole-enterprise basis, with collaboration across corporate functions

Governments and cities fear cyber attacks could disable critical infrastructure, imperil national security and threaten the economy. Intangible digital assets are at risk from economic espionage, while privacy breaches, cost money and loss of business. On top of the commercial consequences, cyber attacks damage a company’s reputation and leadership. No wonder that our clients tell us that cybersecurity is at the top of their agendas.

So how do we manage these risks to unlock the full benefits of digitization? The answer is to adopt an integrated approach for building cyber security, one in which organizations in the public, private and social sectors adopt a package of risk mitigation measures–a truly joined-up response to the growing cyber threats.

Priority Cyber Risk Check-list:

To respond to the risks inherent in our interconnected world, businesses must be both preventive and protective. Six priorities should be on every company’s integrated “cyber risk check-list”:

• Ensure enterprise-wide governance is in place.

• Assume hackers are already inside.

• Invest in making your whole workforce cyber-smart.

• Consider technology one of several lines of defense.

• Insure for cyber threats that you can’t mitigate.

• Allocate enough capital to the right cyber defenses–protect your crown jewels.

Enterprise-Wide Governance:

A cyber strategy should be led from the ‘C-Suite’. It needs to be managed on a whole-enterprise basis, with collaboration across corporate functions. The senior executive who orchestrates a cyber strategy should combine commercial nous and the relevant understanding of IT, HR, legal and reputational issues.

Assume Hackers, Already Inside:

We need to assume not only those hackers are trying to get in, but they are already inside our companies’ data. Tackling the enemy within requires different measures from trying to keep them out. Organizations should initiate regular stress-testing of data to improve detection, and invest in measures to make it less financially rewarding and more time-consuming for hackers to attack in the first place.

Invest in Making the Workforce Cyber-Smart:

Investing in enterprise-wide cyber-security training is expensive, but a vigilant workforce is a vital protection. It means offering a combination of rewards and disincentives, encourages a culture supportive to cyber security. Not all training will deliver 100 Percent perfection, but it can improve prevention.

See Technology as One of Several Lines of Defense:

IT solutions are often the first port of call for organizations looking at cyber defense. It’s important to understand that technological defenses are critical, but not sufficient response on their own.

Insure for Cyber Threats We Cannot Mitigate:

While insurance is an old and experienced industry, the cyber risk market is young and because these risks are hard to quantify, insurance companies’ willingness to put capital at risk is currently constrained. No doubt the market will broaden and deepen over time, but we have to become better at understanding and quantifying cyber risk, its financial and non-financial impact.

Allocate Enough Capital to the Right Cyber Defenses:

Companies need to understand, quantify and provide for their greatest cyber exposures. This starts with identifying critical assets to create a critical digital asset register. These are assets which impact on financial stability, customer relationships, and regulatory compliance and trust. They might include infrastructure, data, applications, or services supplied by third parties. We are in the middle of a technological revolution in the way we live and do business. It’s a very young revolution, with amazing opportunities and substantial risks. Some argue that the solution lies in technology, and the others in institutions, human behavior and insurance. We think it’s all of those things coming together. By bringing together institutional responses and technological solutions, by influencing human behavior, and developing the insurance market, we can distribute cyber risk and enjoy the promise of a connected future.