Jon Brooks

Jon Brooks

From complacency to a lack of ownership, Jonathan Brooks, Willis’s cyber expert, reviews the top reasons why boards are not in control of cyber risks

Jon Brooks

It is no longer a case of if a firm will experience a cyber incident, but when. That was the conclusion from cyber security experts, regulators and risk and insurance leaders who attended the Cyber Risk Insights Conference in the Willis Building in London earlier this month.

The discussions looked in detail at risks linked to cyber attacks, with many delegates highlighting a shift from the idea that a cyber attack “could be an issue” to it “will be an issue”. The need to address the threat has never been so pertinent.

High-profile cyber attacks continue to dominate the news and businesses now operate in an environment where boards must take responsibility for the risk.

The speed, scale and consequences of an attack are far greater than traditional risks, but many board members are failing to take responsibility for the cyber threat. This begs the question as to whether their complacency is leading to apathy. 

Business investigation

Business interruption following a cyber incident is also on the increase. Almost all businesses have grown to rely on IT and the internet – be it for website marketing or point of sale technology such as online tills, scanners, credit or debit card processing, etc. Companies may also be exposed to risks of third-party suppliers. A failure at any of these points could give rise to significant business delays, resulting in financial loss, reputational damage or regulatory penalties.

Worryingly, most firms will not know they have experienced a cyber breach until an external source notifies them. Breaches reportedly take on average 240 days to detect. This makes for uneasy reading when compared to the speed at which hackers operate.

Why are boards failing to manage cyber risks?

Boards are not in control of their cyber risk for three main reasons:

  • technical language used to describe cyber exposure makes it difficult for boards to fully understand the risk;
  • boards are often of the view that the IT department is solely responsible for managing cyber risk; and
  • when the disclosure of a cyber breach is optional, there is less pressure on companies to address cyber risk, but regulation such as data breach and notification laws place a greater onus on businesses to tackle the problem

Top three steps in the fight against cyber crime

  1. Having internal education is fundamental to bolstering a firm’s cyber defence. An estimated 80% of cyber breaches are down to employee negligence, whether deliberate or accidental. Therefore, training and communication are absolutely vital.
  2. Businesses must identify the information assets that really matter to them and regularly assess and evaluate the systems and processes that defend and protect these.
  3. Preparation is crucial. Businesses nowadays are likely to fall victim to a cyber breach. Firms should develop a comprehensive incident response plan and ensure that it is communicated and understood by everyone

Jonathan Brooks, cyber practice leader in Willis’s financial and executive risks practice