Cyber has emerged as one of the most salient risks for businesses today, given the world economy’s ever-growing reliance on digital technology. However, many businesses end up committing errors when managing this critical risk because of a misguided approach, according to a regional cyber and risk management leader.
Jessica Wright (pictured), cyber leader for Asia, corporate risk & broking, at Willis Towers Watson, said that many businesses, especially in Asia, continue to see cybersecurity as an IT issue, managed solely through technological defences such as virus protection and firewalls.
But the data says otherwise. According to Wright, 61% of all Willis Towers Watson’s cyber insurance claims arose as a result of human error or malicious activity. This means that even companies with the best IT security could find themselves financially exposed to cyber incidents.
“Many organizations miss the mark on assessing their security posture because they do not consider the full spectrum of their company’s cybersecurity outside of technology,” Wright told Corporate Risk and Insurance. “Human resources, operations, finance, and IT should all be involved in the mitigation of cyber risk, and it is the responsibility of the board to ensure that this exposure is being looked at holistically. The directors and officers of a company may otherwise find themselves exposed to personal liability if there is a privacy or security breach, with general oversight of risk management clearly falling within their fiduciary duties.”
She added that in the event of a cyber incident, the board must be able to demonstrate to regulators, customers, and shareholders that the company has adequately addressed cyber risk and that its people, processes, and technologies are of a reasonable standard.
A survey conducted by The Economist Intelligence Unit and sponsored by Willis Towers Watson revealed that companies in Asia had the lowest percentage globally of board expertise on cyber, with only 17% of companies having a high level of cyber expertise and only 9% of companies feeling it was critical enough to be a board-level issue.
“We are encouraging all companies to take a more holistic view of cyber resilience, and to put cyber on the board agenda before it becomes the agenda,” Wright said.
The consequences of cyber incidents
According to Wright, the costs associated with a cyber incident can be catastrophic, regardless of the size of the organization. Incident response expenses such as legal, IT & forensics, and public relations can have a tremendous impact on a company’s balance sheet. According to Willis Towers Watson’s claims data, such expenses account for approximately 61% of the insurance coverages implicated in a cyber incident.
Furthermore, the reputational damage suffered by a company is harder to measure, but can have longer-lasting effects on profitability. A 2018 global study by Frost and Sullivan for CA Technologies found that 48% of consumers stopped trusting and using a company’s services due to a data breach. Chinese consumers were the most unforgiving, with almost eight in 10 respondents saying that they stopped using a company’s services after learning that it had been hit by a data breach.
“This brings us back to being cyber resilient across people, processes, and technology, and ensuring your company is prepared in the event of a cyber incident,” she said. “Aiming to only prevent and detect cyberattacks will not guard companies against cyber security threats, and so ensuring consistent and tested incident response and business continuity plans are in place will ensure your organisation can sufficiently respond when an event occurs.
“No company can say they are completely immune to cyber incidents, and effective crisis management will ensure that customers feel confident that the organisation is competent in reducing the impact accordingly.”
The role of regulators
Addressing cyber risk is also the responsibility of regulators, given the interconnectedness of the digital economy.
Wright noted that market regulators in Asia have taken differing approaches to cyber regulation.
“Vietnam and China have used the global increase in cyber and privacy concerns to allow further political oversight, while regulations in other regions such as Singapore, Hong Kong and Indonesia are more focused on protecting the privacy of their citizens and the security of critical infrastructure,” she said.
“To date, the enforcement of such regulation continues to be low in most regions due to the apparent lack of a fully-resourced regulator, but we are seeing some changes in more mature areas such as Hong Kong and Singapore,” she said.
Singapore is expected to introduce mandatory notification requirements in late 2019 or early 2020 and the Cybersecurity Act will govern increased compliance requirements for critical infrastructure companies in Singapore. These legislative changes, along with various high-profile events, have stirred an increased interest in insurance from clients, with the insurability of fines and penalties usually being front of mind.
“While there is nothing in the legislation which expressly prevents fines from being insured, Willis Towers Watson has been trying to move the focus towards the importance of being prepared for cyber incidents via people, processes, and technology, along with the costs associated with actually responding to a regulatory investigation,” Wright said.