The human element remains a leading cause of cyber risk

Decode Cyber Brief – Winter 2019 Edition

January 18, 2019

We are excited to present the Decode Cyber Brief for winter 2019, following on our last edition, which included a unique analysis of the General Data Protection Regulation (GDPR), blockchain, and essentials for effective security awareness. As we begin the New Year, we are pleased to present the Willis Towers Watson 2017-18 Reported Cyber Claims Index, consisting of 288 cyber claims specially selected to represent different industries, incidents, severity and loss amounts that we reported to insurers on behalf of our clients.

As shown in the chart below, the human element remains a leading cause of cyber risk, associated with 61% of the claims. The increase in social engineering claims from last year (up to 17% from 10%) is attributable to the low-cost, high-return nature of social engineering, which relies on the weakest link in cybersecurity: human behavior. As a result, bad actors appear to be devoting more resources to creating new, more sophisticated methods of social engineering. Organizations must allocate sufficient capital for cybersecurity training and education to combat the threat.

Figure: Type of loss (pie chart depicting types of loss)

We also recently released a comprehensive study of organizations’ cybersecurity performance, conducted by leading research firm ESI ThoughtLab together with a cross-industry coalition of organizations, including Willis Towers Watson and WSJ Pro Cybersecurity. For the study, ESI ThoughtLab surveyed 1,300 organizations with revenue ranging from under $1 billion to over $50 billion, across multiple industries spanning Asia, Europe, North America and South America.

In this edition, Donna Wilson and Brandon Reilly of Manatt, Phelps & Phillips, LLP, alongside Linda Kornfeld of Blank Rome and Willis Towers Watson’s Ashley Hart, take an in-depth look at the changing exposures and risks posed by the California Consumer Privacy Act. Dan Twersky spotlights the proliferation of cryptojacking, the unauthorized use of a computer to mine cryptocurrency, and suggests strategies to help organizations prevent the risk to their networks. Andrew Hill, a product innovation leader, examines comments made by the Court of Appeal in its recent decision in Various Claimants v Wm Morrison Supermarkets Limited [2018] EWCA Civ 2339. Willis Towers Watson’s Neeraj Sahni and Ankur Shetha, a cybersecurity expert at Ankura Consulting, examine the operational risks of Microsoft Office 365 and provide guidelines for optimal security. Finally, Rob Barberi spotlights the unique cyber risks the health care industry faces and offers steps to efficiently manage them.

We hope you find this edition both useful and insightful. As always, we welcome your feedback.