Cyber Risk: delivering resilience - Willis Towers Watson · 2. Educate and develop a cyber-savvy...

willistowerswatson.com Cyber Risk: delivering resilience Matt Palmer 20-21 June 2018 Life2018 © 2018 Willis Towers Watson. All rights reserved.


What we will cover

• The key changes in cyber threats and the impact on risk

• The current causes of security incidents

• The growing role of people and culture

• The increasing challenge of effective incident response

• How we can deliver enterprise resilience across people, capital and technology


Cyber Attack: Financial & Operational Impacts

Sources: C-SPAN, Computing, Financial Times, Washington Post


Willis Towers Watson and Economist Intelligence Unit Global Study

Building a cyber-resilient organization

A new study conducted by The Economist Intelligence Unit (EIU) and sponsored by Willis Towers Watson aims to explore organizations’ efforts to become cyber-resilient – and, in particular, how board oversight can enable this strategy. Early results include findings about:

• Budgets: 96% of boards don’t think they spend enough on Cyber

• Breaches (have occurred …and will again): approximately 1/3 report severe breaches

• Talent: less than 50% report having a cyber-savvy workforce


Who gets breached and how?

Percentage of claims by breach type (chart; values shown: 58%, 23%, 10%, 7%, 2%)

Legend: Employee negligence or malfeasance (e.g., accidental disclosures, lost or stolen device, rogue employee); Ransomware / Hack; Social engineering resulting in data theft or funds transfer; Denial of service

Types of companies (chart; values shown: 6%, 11%, 35%, 4%, 6%, 2%, 8%, 5%, 2%, 12%, 8%)

Legend: Education; Financial Institutions; Healthcare; Hospitality; Manufacturing; Media/Entertainment; Other; Professional Services; Real Estate; Retail; Technology


The people perspective

Source: Willis Towers Watson Cyber Risk Culture Survey; Gartner

How responses to cyber threat are changing


Building organisational resilience


Why capital matters

Are we spending enough, wisely enough?


Technology Resilience & Incident Response

Cyber range


Top tips for building enterprise cyber resilience

1. Have a strategy which engages stakeholders and employees

2. Educate and develop a cyber-savvy workforce

3. Build a shared understanding between Risk, IT, IS, HR, Operations, Legal and Compliance

4. Quantify and communicate cyber risk in financial terms, not technical terms

5. Engage the board fully in incident readiness, not just through reporting

6. Assume the worst will happen, and run through all the possible scenarios to build a practical incident protocol

7. Practice what you preach, and be honest but clear when an incident occurs

8. Prepare, prepare, prepare!
