Webcast

Risk managers: Why and how you can lead the way to cyber resilience

March 5, 2025

Practical insights to identify and quantify cyber risk with confidence while closing organizational gaps and managing cyber risk more effectively.

Risk managers can and should participate more actively in managing cyber risks to better protect their organizations from financial damage and elevate the contribution of risk management to resilience.

That was the headline takeaway from a recent Outsmarting Uncertainty webinar led by WTW cyber risk management and risk analytics experts.

In this insight, we recap the key perspectives from the session.

As cyber threats become more prolific and sophisticated, especially as new technologies like AI and quantum computing become available, your organization is under pressure to continuously update and strengthen its cybersecurity infrastructure.

But regardless of how threats change, risk managers can refer back to the same four-step core framework to address cyber risks.

Core steps to identify and quantify cyber risk

  1. Identify what really matters to your business

     For example, your business continuity, viability or ability to operate. Getting this business-critical view of your organization will involve connecting and collaborating with finance, operations and security leaders (we examine how risk managers can take a more active and visible cyber risk management role more closely below).

  2. Identify your priority assets

     Your priority assets are your "crown jewels". These will be specific to your industry and your organization, but could be your data or key operations or revenue streams.

  3. Assess how your business is impacted

     How are your "crown jewels" impacted by key threats? Can you connect this to your security posture and IT systems? What controls do you have in place and do these correspond with what really matters to your revenue streams? This process is also known as 'mapping your attack surface value chain.'

  4. Continually check how effective your controls are

     You can use tools like penetration tests and tabletop exercises to assess their efficacy. Decide which cybersecurity updates or controls have the best return on investment and prioritize accordingly.

Tactics to enhance the cyber risk management role

Risk managers can take a more active role in the cyber risk management process, calling on a range of tools and tactics, including:

Identifying third-party risks

Don’t think of third-party relations as layers of separation but as a network with nodes offering potential security gaps that could act as gateways for cyberattacks.

Getting a deep understanding of the risks you're facing by doing business with third parties can prove an invaluable contribution to organizational resilience. Can you get to know your vendors' vendors, and your vendors' vendors' vendors? Creating a clear inventory of your third-party vendors is a crucial first step to managing the associated risks effectively.

If you don’t have a third-party cyber risk management program, then it’s time you established one. Part of this will be about evaluating the capabilities and exposures of all your vendors and their vendors to avoid sleepwalking into unknown risks.

You can also work with IT leaders to suggest best practice measures, such as implementing 'least privilege policies,' granting third parties only the access they need to your IT systems, and only for specific periods and purposes. You should also make sure there's a process for checking that any third-party software is patched and up to date.

It's also essential that you monitor and act on cyber threat intelligence. Your business, your partners and your partners' partners all need robust and continual monitoring in place; intelligence-driven security is often part of the best defense mechanisms.

Call on established risk management approaches to tackle cyber

Risk management methodologies give you systematic and likely familiar ways to enable the business to prioritize, explain and then fund the most effective and efficient investments in cyber security.

You can apply risk tolerance and enterprise risk approaches to help the business evaluate the right levels of insurance to buy and what risks to mitigate or retain. Risk analytics will help you discover and evidence a robust rationale for your ultimate recommendations.

Using analytics to tackle cyber risk

Risk managers can quantify cyber risk and find the most effective and efficient cyber risk and insurance approach using analytics. This can tell you how much your most likely cyber incidents would cost you, what you need to prepare for, and how to reduce uncertainty.

Analytics enable risk managers to both understand and communicate cyber risk in financial terms. By reviewing the risk scenarios most relevant to your industry and your organization and generating loss forecasts, analytics let you inform risk controls and insurance optimization. This data-led approach helps prioritize cyber defense investments at a strategic level by introducing methodologies that determine the return on investment of specific mitigating actions.

The more data you can supply to analytical models, the more precise and comprehensive the approach and outputs you’ll achieve and the stronger your cyber resilience. Such data-driven and proactive stances allow risk managers to say to your CEO and CISO, ‘If we take these five steps, our risk will change by a certain magnitude and the return on investment of doing this would be a certain percentage over a given time horizon.’ And it’s this that will empower your security experts to prioritize different investment options and then secure funds with management to implement.

Analytically enabled risk managers can be the bridge that turns technical perspectives into financial metrics, and in doing so gain a seat at the strategic cyber risk management table and drive your organization's continued resilience.

Cyber risk terms risk managers need to know

- Features within applications to prevent security vulnerabilities against threats such as unauthorized access and modification.
- The possible points of entry for a cyber attacker to access your systems and networks and target your priority assets.
- Any risk of financial loss, disruption or damage to the reputation of an organization from a failure in the information systems.
- The possibility of a successful cyberattack that aims to gain unauthorized access, damage or disruption.
- Data that's been stolen or moved from a device or server without authorization.
- Quantum computers could break current encryption methods, which could lead to the theft and decryption of sensitive data.
- Entities such as partners or suppliers to the organization. They may or may not have access to data, computer systems, processes and other privileged information.

Outsmart cyber risk uncertainty with our range of risk analytics and cyber risk expertise. Get in touch to learn more.

For more insight, watch the Outsmarting Uncertainty webinar series on-demand.

Disclaimer

Willis Towers Watson hopes you found the general information provided in this publication informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, Willis Towers Watson offers insurance products through licensed entities, including Willis Towers Watson Northeast, Inc. (in the United States) and Willis Canada Inc. (in Canada).
