Risks and Rewards in a Digital World

On top of the commercial consequences, cyber attacks damage a company’s reputation and leadership. No wonder that our clients tell us that cybersecurity is at the top of their agendas.

So how do we manage these risks to unlock the full benefits of digitization? The answer is to adopt an integrated approach for building cyber security, one in which organizations in the public, private and social sectors adopt a package of risk mitigation measures–a truly joined-up response to the growing cyber threats.

Priority Cyber Risk Check-list:

To respond to the risks inherent in our interconnected world, businesses must be both preventive and protective. Six priorities should be on every company’s integrated “cyber risk check-list”:

• Ensure enterprise-wide governance is in place. • Assume hackers are already inside. • Invest in making your whole workforce cyber-smart. • Consider technology one of several lines of defense. • Insure for cyber threats that you can’t mitigate. • Allocate enough capital to the right cyber defenses–protect your crown jewels.

Enterprise-Wide Governance:

A cyber strategy should be led from the ‘C-Suite’. It needs to be managed on a whole-enterprise basis, with collaboration across corporate functions. The senior executive who orchestrates a cyber strategy should combine commercial nous and the relevant understanding of IT, HR, legal and reputational issues.

Assume Hackers, Already Inside:

We need to assume not only those hackers are trying to get in, but they are already inside our companies’ data. Tackling the enemy within requires different measures from trying to keep them out. Organizations should initiate regular stress-testing of data to improve detection, and invest in measures to make it less financially rewarding and more time-consuming for hackers to attack in the first place.

Invest in Making the Workforce Cyber-Smart:

Investing in enterprise-wide cyber-security training is expensive, but a vigilant workforce is a vital protection. It means offering a combination of rewards and disincentives, encourages a culture supportive to cyber security. Not all training will deliver 100 Percent perfection, but it can improve prevention.

See Technology as One of Several Lines of Defense:

IT solutions are often the first port of call for organizations looking at cyber defense. It’s important to understand that technological defenses are critical, but not sufficient response on their own.

Insure for Cyber Threats We Cannot Mitigate:

While insurance is an old and experienced industry, the cyber risk market is young and because these risks are hard to quantify, insurance companies’ willingness to put capital at risk is currently constrained. No doubt the market will broaden and deepen over time, but we have to become better at understanding and quantifying cyber risk, its financial and non-financial impact.

Allocate Enough Capital to the Right Cyber Defenses:

Companies need to understand, quantify and provide for their greatest cyber exposures. This starts with identifying critical assets to create a critical digital asset register. These are assets which impact on financial stability, customer relationships, and regulatory compliance and trust. They might include infrastructure, data, applications, or services supplied by third parties. We are in the middle of a technological revolution in the way we live and do business. It’s a very young revolution, with amazing opportunities and substantial risks. Some argue that the solution lies in technology, and the others in institutions, human behavior and insurance. We think it’s all of those things coming together. By bringing together institutional responses and technological solutions, by influencing human behavior, and developing the insurance market, we can distribute cyber risk and enjoy the promise of a connected future.