Risk managers can and should participate more actively in managing cyber risks to better protect their organizations from financial damage and elevate the contribution of risk management to resilience.
That was the headline takeaway from a recent Outsmarting Uncertainty webinar led by WTW cyber risk management and risk analytics experts.
In this insight, we recap the key perspectives from the session, including:
As cyber threats become more prolific and sophisticated, especially as new technologies like AI and quantum computing become available, your organization is under pressure to continuously update and strengthen its cybersecurity infrastructure.
But regardless of how threats change, risk managers can refer back to the same four-step core framework to address cyber risks.
01
For example, your business continuity, viability or ability to operate. Getting this business-critical view of your organization will involve connecting and collaborating with finance, operations and security leaders (we look more closely below at how risk managers can take a more active and visible cyber risk management role).
02
Your priority assets are your "crown jewels". These will be specific to your industry and your organization, but could be your data or key operations or revenue streams.
03
How are your “crown jewels” impacted by key threats? Can you connect this to your security posture and IT systems? What controls do you have in place and do these correspond with what really matters to your revenue streams? This process is also known as ‘mapping your attack surface value chain.’
04
You can use tools like penetration tests and tabletop exercises to assess the efficacy of those controls. Decide which cybersecurity updates or controls have the best return on investment and prioritize accordingly.
Risk managers can take a more active role in the cyber risk management process, calling on a range of tools and tactics, including:
Don’t think of third-party relations as layers of separation but as a network with nodes offering potential security gaps that could act as gateways for cyberattacks.
Getting a deep understanding of the risks you’re facing by doing business with third parties can prove an invaluable contribution to organizational resilience. Can you get to know your vendors’ vendors, and your vendors’ vendors’ vendors? Creating a clear inventory of your third-party vendors is a crucial first step to managing the associated risks effectively.
If you don’t have a third-party cyber risk management program, then it’s time you established one. Part of this will be about evaluating the capabilities and exposures of all your vendors and their vendors to avoid sleepwalking into unknown risks.
You can also work with IT leaders to suggest best practice measures, such as implementing ‘least privilege policies,’ granting third parties only the access to your IT systems that they need, and only for specific periods and purposes. You should also make sure there’s a process for checking that any third-party software is patched and up to date.
It’s also essential you monitor and act on cyber threat intelligence. Your business, your partners and your partners’ partners all need robust and continual monitoring in place; intelligence-driven security is often part of the best defense mechanisms.
Risk management methodologies give you systematic and likely familiar ways to enable the business to prioritize, explain and then fund the most effective and efficient investments in cyber security.
You can apply risk tolerance and enterprise risk approaches to help the business evaluate the right levels of insurance to buy and what risks to mitigate or retain. Risk analytics will help you discover and evidence a robust rationale for your ultimate recommendations.
Risk managers can quantify cyber risk and find the most effective and efficient cyber risk and insurance approach using analytics. This can tell you how much your most likely cyber incidents will cost you and what you need to prepare for, reducing uncertainty.
Analytics enable risk managers to both understand and communicate cyber risk in financial terms. By reviewing the risk scenarios most relevant to your industry and your organization and generating loss forecasts, analytics let you inform risk controls and insurance optimization. This data-led approach helps prioritize cyber defense investments at a strategic level by introducing methodologies that determine the return on investment of specific mitigating actions.
The more data you can supply to analytical models, the more precise and comprehensive the approach and outputs you’ll achieve and the stronger your cyber resilience. Such data-driven and proactive stances allow risk managers to say to your CEO and CISO, ‘If we take these five steps, our risk will change by a certain magnitude and the return on investment of doing this would be a certain percentage over a given time horizon.’ And it’s this that will empower your security experts to prioritize different investment options and then secure funds with management to implement.
Analytically-enabled risk managers can be the bridge that turns technical perspectives into financial metrics, and in doing so gain a seat at the strategic cyber risk management table and drive your organization’s continued resilience.
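As an added illustration (not from the webinar or any WTW model), the quantification approach above carried through in code: constructed, hypothetical scenarios with an annual event frequency and a lognormal per-event loss give an expected annual loss and a Monte Carlo loss forecast, a control's assumed frequency reduction gives its return on investment over a horizon, and a retention/limit split shows the retained versus insured share of a year's losses. Every figure, scenario name and control effect below is an assumption made for the example.

```python
import math
import random
from dataclasses import dataclass
@dataclass
class Scenario:              # constructed, hypothetical loss scenario
    name: str
    annual_frequency: float  # expected events per year
    sev_median: float        # median loss per event, in currency units
    sev_sigma: float         # lognormal spread of the per-event loss

def expected_annual_loss(scenarios):
    # closed-form EAL: frequency x mean severity, lognormal mean = median * e^(sigma^2 / 2)
    return sum(s.annual_frequency * s.sev_median * math.exp(s.sev_sigma ** 2 / 2) for s in scenarios)

def apply_control(scenarios, reductions):
    # reductions: scenario name -> share of that scenario's events the control prevents (assumed)
    return [Scenario(s.name, s.annual_frequency * (1 - reductions.get(s.name, 0.0)),
                     s.sev_median, s.sev_sigma) for s in scenarios]

def control_roi(scenarios, annual_cost, reductions, horizon_years):
    # ROI over the horizon: (expected losses avoided - control cost) / control cost
    avoided = expected_annual_loss(scenarios) - expected_annual_loss(apply_control(scenarios, reductions))
    cost = annual_cost * horizon_years
    return (avoided * horizon_years - cost) / cost

def simulate_annual_losses(scenarios, years=20000, seed=7):
    # Monte Carlo loss forecast: Poisson event counts, lognormal severities, one total per simulated year
    rng = random.Random(seed)
    totals = []
    for _ in range(years):
        total = 0.0
        for s in scenarios:
            events, p = 0, rng.random()
            while p > math.exp(-s.annual_frequency):  # Knuth's Poisson sampler
                events += 1
                p *= rng.random()
            total += sum(rng.lognormvariate(math.log(s.sev_median), s.sev_sigma) for _ in range(events))
        totals.append(total)
    return totals

def percentile(values, q):
    # q-th percentile (0-100) of the simulated annual losses, e.g. q=95 for a 1-in-20-year loss
    return sorted(values)[int(round(q / 100 * (len(values) - 1)))]

def split_loss(loss, retention, limit):
    # retained vs insured share of an annual loss under a policy with a retention and a limit
    insured = min(max(loss - retention, 0.0), limit)
    return loss - insured, insured

SCENARIOS = [Scenario("ransomware", 0.4, 2_000_000, 1.0), Scenario("data breach", 1.5, 300_000, 0.8)]
MFA_EDR = {"ransomware": 0.5}   # assumed: the control halves ransomware event frequency
```

Comparing `percentile(losses, 95)` against the risk tolerance, and `split_loss` across the simulated years, is what turns the forecast into a retain/mitigate/insure recommendation.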
Outsmart cyber risk uncertainty with our range of risk analytics and cyber risk expertise. Get in touch to learn more.
For more insight, watch the Outsmarting Uncertainty webinar series on-demand.
Willis Towers Watson hopes you found the general information provided in this publication informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, Willis Towers Watson offers insurance products through licensed entities, including Willis Towers Watson Northeast, Inc. (in the United States) and Willis Canada Inc. (in Canada).