Willis – HospitalityLawyer.com (https://pre.hospitalitylawyer.com) – Worldwide Legal, Safety & Security Solutions

Technology, Media and Telecommunications Risk Index 2016
https://pre.hospitalitylawyer.com/technology-media-and-telecommunications-risk-index-2016/
Fri, 01 Jul 2016 19:43:09 +0000

50 risks, split into five megatrends, ranked by 350 senior executives

The TMT Risk Index analyses the severity of impact and ease of management of the top 50 risks facing the TMT industry. Grouped into five megatrends, we examine how these are impacting the sector currently and how this will change in the future.

The research is based on quantitative and qualitative interviews with some of the world’s leading TMT companies around the world, revealing the short and long term risks that will shape the industry over the next ten years. The research also dives deeper into each individual sector (Technology, Media and Telecommunications) and further into sub-sector analysis, and drills down to a regional level, examining 11 geographies individually.

Click here for the full article and research

The inside threat: Why employee behavior and opinions impact cyber risk
https://pre.hospitalitylawyer.com/the-inside-threat-why-employee-behavior-and-opinions-impact-cyber-risk/
Wed, 25 May 2016 02:46:36 +0000

by Adeola Adele, Patrick Kulesa

The human element as a risk factor in data security breaches is as enduring as it is troubling. Compromised laptops and phishing email scams continue to appeal to hackers as avenues to damage corporate servers and the confidential, sensitive information they maintain. Effective risk management strategy must therefore acknowledge and respond to this source of widespread vulnerability.

Several cybersecurity studies have cited statistics noting that:

  • Approximately 60% of incidents are non-hacking related and attributable to employee errors that fall within several categories, including lost laptops, rogue employees and software errors.
  • The remaining 40% of incidents are hacking related and the result of social engineering or inadequate network security practices.

Until now, none of those studies have answered this question: how can organizations track the extent of risk inherent in their people’s behaviors and determine how to mitigate this factor?

The answer(s) to this critical question is not only relevant to human resources professionals charged with addressing employee behavioral issues but is also pertinent to corporate leaders, network security professionals, corporate risk managers and insurance underwriters — all of whom are links in the chain of cyber risk management and mitigation.

Workforce culture shapes everyday behavior

A significant part of the answer to the above question lies in understanding the workforce culture that shapes everyday behavior. An organization, and in particular its leaders, create and reinforce a culture that influences every employee. This culture holds the shared values, norms, beliefs and assumptions that ultimately drive employees’ actions. The emphases within the culture can support or inhibit behaviors that mitigate risk. For example, a culture with a strong customer focus will create norms for prioritizing customer needs above other demands, encouraging extra effort when interacting with customers and handling their information internally. Over time, through thousands of individual employee decisions, behaviors that help prevent data breaches will occur with more frequency than behaviors that create significant vulnerabilities.

A new analysis of employee survey results sourced from organizations that have experienced significant data breaches — including the loss of business-critical, employee and consumer data — further reinforces this position. The survey results tap into the factors most often emphasized inside a company, gathering views of culture as experienced by the ultimate insiders — the employees themselves. By examining the cultural landscape in organizations experiencing data breaches, the critical human element comes into sharp focus.

Employee opinions in organizations that have experienced cyber breaches

Willis Towers Watson analyzed employee survey results from 12 organizations, examining employee engagement attitudes and opinions from more than 450,000 employees corresponding to a period in which significant data breaches were identified within the firms. The organizations represent major business sectors, including technology, telecommunications, consumer products, manufacturing and utilities, with headquarters in North America, Europe and Asia Pacific.

In order to benchmark employee opinions from these 12 companies and uncover critical understandings, Willis Towers Watson applied information from its world-leading database of employee surveys, drawing on responses from over four million employees and 400 organizations annually across all business sectors and regions. More specifically, to identify vulnerable aspects of culture in companies experiencing data breaches, opinion scores in the 12 data breach companies were compared with two sets of benchmarks from this database:

Global high-performance companies. These 28 organizations are financial leaders in their industries, with above-average top- and bottom-line performance versus sector-specific scores over a 36-month period. This benchmark includes organizations with the highest levels of favorable opinion in the database.

Global information technology (IT) staff. This benchmark is pulled from IT staff across organizations globally, representing over 400 companies and more than 150,000 IT workers. Opinion scores from IT functions in the 12 data breach companies are contrasted with this benchmark.

Survey content across organizations covers a wide range of issues from local work experiences (opinions of training, immediate supervision and individual involvement) to views of organizational systems and programs (perceptions of senior leadership, pay and rewards, customer focus and company image). Results from these two comparisons are displayed in the following figures, which show gaps in favorable opinion scores between employees in data breach companies versus each benchmark group.

Compared against the high performance group

In the comparison with high-performance companies, opinions from employees in the data breach organizations are consistently below the favorable scoring levels of employees in the high performance group, as expected. Scores are lowest for three aspects of culture:

  • Training: Questions in this topic include employees’ opinions about whether they have received adequate training for the work they do and have access to training to improve their skills and learn new skills to advance in their roles.
  • Company Image: Questions in this area focus on corporate social responsibility, environmental responsibility, regard from customers, and integrity when dealing with external stakeholders.
  • Customer Focus: These questions tap into employees’ overall sense of emphasis on the customer, responsiveness to customer needs, and proactive efforts to gather and act on customer feedback.

In short, these results versus the high-performance group indicate that organizations experiencing data breaches in the study period are judged by their employees as lacking a learning culture that flourishes with high integrity and puts the customer at the center of business activity.

Compared against the IT employee group

IT workers in organizations with data breaches are aligned with relatively similar functions globally. That said, workers in the data breach companies report less favorable views of training and perceived pay-for-performance in their role. In the training area, IT staffers in data breach companies score especially low on perceived training of new employees, suggesting a vulnerability among workers as they are recruited and onboarded. Related to pay, scores in data breach companies are especially low on matching pay to performance, indicating that incentives should be better aligned with employee efforts to more clearly show the connection between behaviors and consequent rewards.

[Figure: Gaps: Breach Companies Below Global High Performance]
[Figure: Gaps: IT employees in breach companies below global IT functions on training]

Common themes emerge

Results across comparisons with both high-performance organizations and IT staff converge on a common theme related to training. Among IT staff, the analysis points to the induction of new staff as a blind spot — potentially a serious source of risk if new IT staff is not effectively trained in processes and procedures to manage cyber risk. Across the full enterprise, this inability to create an ongoing learning environment may reflect a lack of emphasis on staying current with emerging business needs and trends, potentially including knowledge of how to circumvent attempts to acquire confidential and sensitive data by determined hackers.

Also among IT staff, a pay-for-performance challenge emerges from the analysis. This finding indicates that front-line IT staff in data breach companies may perceive a misalignment between their efforts and associated rewards potentially undermining their motivation to give the extra effort in roles needed to effectively identify cyber risk concerns and take corrective action.

More generally, the finding that perceived customer focus is lacking in data breach organizations is significant from a risk mitigation perspective. Customer service is a foundational company value for many organizations and is essential to business success in service industries. A lack of emphasis on the customer as central to organizational performance likely sets the stage for poor decision making related to business risks and may undermine the vigilance needed to successfully counteract attempts to steal online customer information.

Mitigating cyber risk

Addressing fundamental emphasis in workplace culture is a first step to creating an environment that supports a holistic, integrated risk mitigation strategy. In addition to emphasizing a customer-centric workplace culture, and developing and implementing employee incentive and training programs designed to foster cybersecurity, organizations should consider the following cyber risk mitigation approach:

  • Ensure enterprise-wide governance is in place
  • Assume hackers are already inside
  • Consider technology one of several lines of defense
  • Insure for cyber threats that cannot be mitigated
  • Allocate enough capital to the right cyber defenses — protect the organization’s crown jewels!

Click here for the original article.

It’s still a buyer’s market, but…
https://pre.hospitalitylawyer.com/its-still-a-buyers-market-but/
Thu, 05 May 2016 01:24:16 +0000

2016 Marketplace Realities Spring Update

A complex commercial insurance market is slowing the pricing declines most buyers have enjoyed for several renewal cycles and raising the likelihood that companies will experience some price increases in various commercial lines of insurance, according to Willis Towers Watson’s 2016 Marketplace Realities Spring Update report. The report, a line-by-line review of major and specialty insurance markets, serves as a guide for North American insurance buyers preparing for upcoming insurance program renewals.

Overall, ample capacity in the global insurance marketplace continues to buoy market conditions. However, increased underwriting scrutiny combined with potential challenges stemming from the changing carrier landscape is driving movement in some lines of business.

Matt Keeping, Head of Broking for North America, Willis Towers Watson said, “At the macro level, the market remains stable and pricing is still considered soft, but we may be starting to see the bottom end of that softening. In property, for example, there’s only so much the marketplace can give back. And while we remain in a period thankfully free of huge mega-disasters, losses line by line have taken their toll on marketplace competition. Plus, with interest rates low, insurance companies remain under revenue pressure.”

Click here for the original article and to download the report.

What Risks Will Emerge in 2016?
https://pre.hospitalitylawyer.com/what-risks-will-emerge-in-2016/
Tue, 09 Feb 2016 23:55:03 +0000

Our world is advancing at a pace that invites innovation at breakneck speed, encouraging companies to jump into untested waters. Whether it is new, disruptive technologies – such as drones – or just a new way of doing business – such as the sharing economy – the risks are not fully known. New loss-control technologies and regulations may assist companies in mitigating their exposures but companies must have a much higher level of understanding of their exposures in order to be able to outpace their competitors and survive these new-world risks.

Many of the emerging risks our bloggers are keeping an eye on this year involve just these kinds of tech-enabled innovations. But while technology may engender these risks, it is also the solution to mitigating them. Big data and predictive analytics will be instrumental to businesses seeking to capitalize on these trends and anticipate their risks.

Which of these do you think will most affect your business in the year ahead? Take our poll at the end and let us know.

Casualty – The Sharing Economy Moving into the B2B Space by Eric Silverstein 

The evolving risks associated with the so-called “sharing economy” raise the big question of liability, but additional complexities, such as regulatory issues, will create new legal challenges. This sector and its risks are certainly on the insurance industry’s radar, but so far the response has not been uniform. Now, new exposures are on the horizon as these models move from the consumer space into the B2B space. New applications are being targeted to the business class and business professionals, and these new offerings are likely to establish more formal relationships between organizations and service providers – thereby increasing the threat. For example, an organization may be considering partnering with a rideshare program for business to save costs normally associated with car service and transportation. Or employees may be interested in using a home share service while traveling on business, rather than a company-approved hotel. While the appeal seems obvious, these types of scenarios can raise the threat level for organizations today. Regardless of convenience or demand, organizations’ primary concern should be for the safety of their employees. (Update: Read my follow-up article for guidance for companies considering these offerings.)

Workers’ Compensation – Disruptive Technology by Sam Dutcher

The Workers’ Compensation industry is on the threshold of revolutionary changes in loss control. For example, automatic braking and lane-change technology added to vehicles can dramatically decrease vehicle accidents and injuries, and therefore loss costs. The hardware for wearable technology exists today and is economical to buy. This technology (think FitBit on steroids) can allow sensors to determine if an employee is likely to develop stress injuries or become a cumulative trauma claim sometime in the future. This enables employers to modify job duties to prevent claims, or even prescribe pre-habilitation treatment before the injury takes place. The next few years will see a revolution in the application of these loss-control capabilities. Companies that are late adopters, or are markets of last resort, will be subject to adverse risk and/or pricing selection. Think of the advantage Progressive Insurance gained when they implemented credit report scores as an underwriting and pricing tool for auto policies. Workers’ Compensation insurers who proactively engage their policyholders in the adoption of these advanced loss control capabilities will benefit from reduced loss costs – and better priced reinsurance – long before the experience mods catch up with the loss cost improvements.

D&O — Responsibility for Cyber Exposures by Francis Kean 

The buck stops with the board – or, to put this into legalese: directors of companies cannot delegate their supervisory functions. But what if the landscape in which the company is operating is changing so radically and quickly that meaningful supervision becomes almost impossible? Cyber exposures in 2016 are throwing up just this challenge for just about every company and therefore for all directors, and it’s only going to get worse. The real point to get your head around as a director is that this is a multi-faceted problem. It’s rarely good enough simply to seek assurance from the head of IT or equivalent that adequate protection exists from cyber-attack. Instead the challenge is to really understand the specific cyber vulnerabilities facing each company. To make matters worse (and as an indication of how seriously the issue is now taken by legislators) the E.U. has just introduced probably the most significant overhaul of data laws and regulation ever with stringent new penalties for breach.

Financial Institutions — Unethical Use of Data by Mary O’Connor 

There is a real risk that the increasing availability and sophisticated use of personal data could result in certain sectors of society being disadvantaged. Although the use of personal data is not entirely negative—having been successfully used by some peer-to-peer lenders to provide credit to those previously rejected by traditional financial institutions—many customers are not even aware that their personal information might be used to determine their level of risk. According to recent press reports, personal data has been gathered and used by banks, mortgage lenders and some government departments. It is time for an open debate about the ethical use of personalised data to ensure its use does not have a detrimental impact upon less social-media-conscious customers who may not appreciate the potential impact the release of seemingly innocuous information might have on their lives or financial status. The rules and boundaries around when data is “personal,” and how it can be used, need clarification. (Update: I discuss this in further detail in my follow-up article.)

Financial Institutions — Blindsided by FinTech by Richard Magrann-Wells 

It’s hard enough preparing for competition when you can see it coming. The risk facing traditional financial institutions is that financial technology (FinTech) is changing the very nature of the competition. Unburdened by the daunting red tape facing traditional financial institutions, new entrants like peer-to-peer lenders and so-called robo-investment advisors are a different type of competitor. Many of these new FinTech firms are specialized and offer a single service. Wire transfers or credit card processing are good examples – these services were consistent fee earners for larger institutions and part of a large firm’s strategy of “cross-selling” in an effort to consolidate a business relationship with a customer. With start-ups offering newer technology and often offering lower fees, traditional financial institutions are being forced to decide whether to accept lower revenue from these segments, abandon the product, or purchase one of the start-ups to remain competitive. In business jargon – the “barrier to entry” for financial services has dropped and start-up FinTech firms are able to compete with the largest of firms. Large firms that aren’t prepared will find themselves vulnerable.

Human Capital — The Drones in Your Human Capital Strategy by Brian Donnelly and Sara Ritter

Dire predictions that humans will be replaced by machines in the workplace continue to make headlines. Drones are delivering packages to your doorstep. The manufacturing, automotive and healthcare industries are already highly automated in many countries, and technology companies are racing to create the next “new and improved” version of artificial intelligence (AI). In fact, a much-cited Oxford study that looked at 702 occupations in the U.S. concluded that 47% of U.S. employment is at risk of being lost to computerization.

U.S. employee anxiety notwithstanding, this begs the question: What has your company done in the wake of such news? Most of us will answer that we are always looking for ways to gain efficiency, but with the frantic pace of change in technology, agile companies must systematically evaluate the benefits and risks of large-scale occupational adjustment such as this. (We’ll discuss this in more depth later this week.)

Casualty – Active Shooters by Wendy Kalman

According to the U.S. Department of Homeland Security, “An Active Shooter is an individual actively engaged in killing or attempting to kill people in a confined and populated area [and]…there is no pattern or method to their selection of victims.” While such violence cannot be entirely predicted, it can be planned for, just like any other risk. The FBI believes that successful prevention requires that public and private entities work together. Containing the risk is necessary; more and more institutions, organizations and municipalities are beginning to offer “active shooter training” or create checklists and plans for their stakeholders. Will this impact insurance and reinsurance? We’ll have to see.

Capital Markets — Rising Interest Rates by Bill Dubinsky

While bond yields remain modest in much of the developed world, the U.S. Federal Reserve changed the tone in the U.S. with its 25-basis-point rate hike in December. Increasing bond yields in the next few years could impair the fair value of bond portfolios. Couple this with inflation and you have a recipe for insolvencies. Countering this, many but by no means all companies have thoughtfully matched their assets and liabilities. Those ceding companies who have narrowed their reinsurance panels in recent years may have inadvertently enhanced their exposure to this market security threat. In contrast, some insurers have diversified their reinsurance panels and market security risk by:

  1. first, including collateralized capacity (cat bonds and collateralized re), essentially immune from market security risk
  2. second, accessing a broader range of traditional reinsurers

Perhaps even more will take similar action in 2016 to thwart this emerging market security threat.

Security — At-Risk Travel by Kevin Wilkes

With the rise of business travel throughout the global marketplace, we have also recently seen an increase of travel risks that can impact the health and safety of our traveling workforce. Within the last six months we have witnessed terrorist attacks in Paris, Jakarta and Istanbul—targeting populated areas from restaurants, to concert halls, hotels and coffee shops. While such violence certainly provides more than enough to fear for employees who may find themselves in harm’s way, travel risks associated with sudden civil disturbances, extreme weather, or illness—such as last year’s Ebola scare or the recent CDC warning of the Zika virus in Latin America and the Caribbean—also cause concern. Think of this for a moment: There are roughly 237 million business trips taken domestically and internationally each year by U.S. workers alone. According to the U.S. State Department, there are currently 45 countries and regions around the globe that are thought of as “at-risk” areas for travel. That’s a lot of real estate in which you may find yourselves or your employees traveling in harm’s way. So it becomes increasingly important for businesses to understand, track and plan for the host of travel-related risks that can jeopardize the safety of their traveling workforce. Failure to do so can place both employer and employee at risk. Especially in the world of today.

U.S. Employee Benefits — Health Care Costs by Jay Kirschbaum 

Even with the delay of the Cadillac tax (signed by the President on Dec 18) employer plans are not out of the woods. Increased deductibles, while coupled with HSAs and HRAs for the time being, are still the order of the day. That means, potentially, less access to care for employees, lower utilization, increased health risks and increased absenteeism to go along with all of that. An equally important risk issue is the increased scrutiny to come from the federal agencies – on PPACA, HIPAA, etc. These agencies are gearing up and looking at plans to see that they are in compliance with the rules.

Financial Institutions — Growth v. Compliance by Michael O’Connell 

The risk that many senior leaders see looming in the coming year is how to stay ahead of the competition and keep regulators happy. Many firms are realigning their strategies, using technology to interact with customers and boost profits, and relying on outsourcing to remain competitive. Banks in the U.S. are often said to be the most regulated industry in the world. In the last 20 years the number of U.S. banks has fallen by half as a result of consolidation and failures. It’s not just the sheer volume of regulations, it’s the number of regulators – since the financial crisis a bank may have to deal with the SEC, FDIC, OCC, Federal Reserve, CFPB, FinCen, state authorities and others. For smaller banks the weight is almost crushing, but for all institutions it has created a dilemma: Can they meet the demand for compliance and continue to compete against less-regulated competitors?

Casualty — Hoverboards by Wendy Kalman

Insurers and reinsurers, like parents and doctors, should take note: One of this year’s most popular Christmas gifts is also proving to be one of the most dangerous. Risks include catching fire while charging or while in use, exploding and, of course, injuries from falling. It doesn’t seem to matter which manufacturer produces the hoverboards—although ion lithium batteries seem to be one culprit. The U.S. Consumer Product Safety Commission is investigating, but that hasn’t slowed down emergency room visits or the number of personal injury lawyers preparing to take on clients. At the same time, New York and Britain have banned them from roads and pavements, Scotland requires third-party insurance, and airlines won’t transport them. But even more telling, perhaps, is that Amazon in the U.S. has stopped selling all but seven models (it’s being reported that they told vendors they must prove their boards meet specific safety standards) and its U.K. counterpart has stopped altogether. At least one class action suit has already been filed; how many will follow?

To take the poll and view the original article click here.

Cyber and Privacy Risk Advisory
https://pre.hospitalitylawyer.com/cyber-and-privacy-risk-advisory/
Tue, 03 Nov 2015 16:00:11 +0000

Hospitality Industry Spotlight by Gamelah Palagonia, Senior Vice President, Finex

Hoteliers have long been major hacking targets – a trend that is likely to continue given the volume of credit and debit card transactions the industry processes.

While all businesses should assess and implement comprehensive privacy and data security policies to ensure adequate protection of sensitive consumer and employee data, the hospitality industry cannot afford not to do so.

RISK OVERVIEW

Hotels transact business through credit and debit cards, which can be kept on file and accessed multiple times during a guest’s stay. In just one night, a payment card can be used in the restaurant, spa, bar and other guest services. In addition, hotels and restaurants are public environments with little control over their patrons, and employees generally have access to credit cards, guest rooms and other confidential guest information. Moreover, the public Wi-Fi service that hotels often provide can inadvertently give attackers a way onto an unsecured wireless network shared with guests. These practices, coupled with the risk associated with payment card information, make hotels exceptionally vulnerable to hacking, insider threats and cyber security fraud.

Restaurants are particularly vulnerable to the above risks due to high staff turnover combined with lax hiring practices, such as failing to conduct criminal and employment background checks or conducting them inadequately. For franchises the risk is more pronounced because they tend to install the same type of POS (point-of-sale) processing system at all their locations, allowing hackers to replicate an attack on every location once they have gained access to one.

EMV PAYMENT CARDS – THE NEW STANDARD

Nationwide migration to EMV (Europay, MasterCard and Visa, named for the founding companies that developed the standard) payment cards is now well underway in the U.S. Major credit card brands have indicated that, as of October 1, 2015, if EMV capability has not been implemented on a merchant’s POS terminals, the merchant, not the card issuer, will be liable for all fraudulent transactions made on such cards. Today the EMV standard is owned and managed by the equity owners of EMVCo – American Express, JCB, Discover, MasterCard, UnionPay and Visa.

Prior to EMV, magnetic stripe credit cards were the standard in the U.S. The band on the back of a payment card is the magnetic stripe; the data stored on it is read when the card is swiped through a card reader. This technology is highly vulnerable to fraud because the data is static: whatever is read once can be copied and presented again, so cards are easily cloned. The shift toward EMV cards is therefore intended to prevent fraudulent transactions. Unlike magnetic stripes, EMV cards carry embedded microchips, which are far harder to replicate, because the chip produces a unique code for each transaction, giving the issuer an additional form of authentication.
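To make the static-versus-dynamic distinction concrete, here is an added toy model. It is not part of the original advisory and it is not real EMV: HMAC-SHA256 stands in for the chip’s transaction cryptogram (EMV specifies its own cipher and key derivation), and the card key, transaction counter, terminal nonce and track string are all constructed values. It shows why a copied stripe track verifies again when replayed, while a chip code bound to a per-card counter and a per-session terminal nonce does not.

```python
"""Toy model of static (magnetic stripe) versus dynamic (chip) card
authentication. Constructed example: HMAC-SHA256 stands in for the EMV
cryptogram, and every key and value below is made up."""
import hashlib
import hmac
import secrets


# --- Magnetic stripe: the track is static, so a copy is indistinguishable from the original.
def issuer_accepts_track(track_on_file: bytes, presented_track: bytes) -> bool:
    """A stripe issuer can only check that the presented bytes equal the stored track."""
    return hmac.compare_digest(track_on_file, presented_track)


# --- Chip card: every transaction gets a fresh MAC over a counter and a terminal nonce.
class ChipCard:
    def __init__(self, card_key: bytes) -> None:
        self._key = card_key   # secret shared with the issuer; never leaves the chip
        self.atc = 0           # application transaction counter, increments on every use

    def generate_cryptogram(self, amount_cents: int, terminal_nonce: bytes) -> tuple[int, bytes]:
        self.atc += 1
        msg = amount_cents.to_bytes(8, "big") + self.atc.to_bytes(2, "big") + terminal_nonce
        return self.atc, hmac.new(self._key, msg, hashlib.sha256).digest()


class Issuer:
    def __init__(self, card_key: bytes) -> None:
        self._key = card_key
        self.last_atc = 0      # highest counter accepted so far; anything older is a replay

    def verify(self, amount_cents: int, atc: int, terminal_nonce: bytes, cryptogram: bytes) -> bool:
        if atc <= self.last_atc:
            return False       # counter already consumed: replayed or stale transaction
        msg = amount_cents.to_bytes(8, "big") + atc.to_bytes(2, "big") + terminal_nonce
        expected = hmac.new(self._key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, cryptogram):
            return False       # wrong key, altered amount, or nonce from a different session
        self.last_atc = atc
        return True


def magstripe_replay_accepted() -> bool:
    """The same static track, read once, is presented again later: the issuer cannot tell."""
    track = b"CONSTRUCTED-SAMPLE-TRACK-DATA"   # placeholder, not a real card track
    copied_track = bytes(track)
    return issuer_accepts_track(track, copied_track)


def chip_replay_accepted() -> tuple[bool, bool]:
    """A genuine chip transaction, then the captured (atc, cryptogram) presented at a new terminal."""
    key = secrets.token_bytes(16)   # constructed card key
    card, issuer = ChipCard(key), Issuer(key)
    amount = 4_250                  # constructed amount in cents

    nonce_first = secrets.token_bytes(4)
    atc, mac = card.generate_cryptogram(amount, nonce_first)
    first_ok = issuer.verify(amount, atc, nonce_first, mac)

    # A later terminal session issues its own nonce and the issuer has already
    # consumed this counter value, so the recorded cryptogram no longer verifies.
    nonce_later = secrets.token_bytes(4)
    replay_ok = issuer.verify(amount, atc, nonce_later, mac)
    return first_ok, replay_ok


if __name__ == "__main__":
    print("stripe copy accepted:", magstripe_replay_accepted())   # True
    print("chip first / replay:", chip_replay_accepted())          # (True, False)
```

Two independent checks reject the replay in the chip case: the counter has already been used, and the nonce in the new session differs, so the recorded code fails verification even if the counter check were missing. Neither check is available to a stripe issuer, which is the point the paragraph above makes about static data.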

While EMV payment cards are expected to significantly reduce fraudulent transactions at the physical point of sale, i.e., ‘card-present’ transactions, EMV technology is unlikely to impact internet transactions. Further, EMV technology does not satisfy any PCI requirements, nor does it reduce PCI scope; therefore, significant liability still exists for card-not-present (CNP) transactions.
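The difference described above, as an added illustration that is not part of the original article: a toy issuer model in which a copied magnetic stripe record is accepted on every swipe, while a chip-style per-transaction cryptogram (a MAC over the card number, a transaction counter, the amount and a terminal-supplied random value) is accepted once and refused on replay or alteration. The key, card number and message layout are constructed for this example and are not the real EMV protocol.

```python
import hmac
import hashlib
import secrets

# Constructed toy model (not the real EMV protocol: no key derivation, no issuer
# scripts) showing why static stripe data replays while a chip cryptogram does not.
ISSUER_KEY = b"constructed-issuer-key"   # assumption: secret shared by card and issuer
PAN = "4111111111111111"                 # constructed test card number

def stripe_track_data(pan: str) -> str:
    """Magnetic stripe: the same static record is read on every swipe."""
    return f"{pan}=2812101"   # constructed track-2 style field: PAN=expiry+service code

def chip_cryptogram(pan: str, atc: int, amount_cents: int, un: bytes) -> bytes:
    """Chip: a MAC over transaction-specific fields. The application transaction
    counter (atc) increments on every use, so no two cryptograms repeat."""
    msg = f"{pan}|{atc}|{amount_cents}|".encode() + un
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).digest()[:8]

class Issuer:
    """Authorisation host; remembers the last ATC seen per card to reject replays."""
    def __init__(self):
        self.last_atc = {}

    def authorise_stripe(self, track: str) -> bool:
        # Nothing ties the static record to this particular transaction.
        return track == stripe_track_data(PAN)

    def authorise_chip(self, pan, atc, amount_cents, un, cryptogram) -> bool:
        expected = chip_cryptogram(pan, atc, amount_cents, un)
        if not hmac.compare_digest(expected, cryptogram):
            return False            # wrong key, or amount/counter altered in transit
        if atc <= self.last_atc.get(pan, 0):
            return False            # counter did not advance: a replayed message
        self.last_atc[pan] = atc
        return True

def demo() -> dict:
    issuer = Issuer()
    track = stripe_track_data(PAN)             # a copied stripe record
    un = secrets.token_bytes(4)                # terminal's per-transaction random value
    crypt = chip_cryptogram(PAN, 1, 4250, un)  # the card's cryptogram for ATC 1
    return {
        "stripe_first": issuer.authorise_stripe(track),
        "stripe_replay": issuer.authorise_stripe(track),                 # still accepted
        "chip_first": issuer.authorise_chip(PAN, 1, 4250, un, crypt),
        "chip_replay": issuer.authorise_chip(PAN, 1, 4250, un, crypt),   # rejected
        "chip_altered": issuer.authorise_chip(PAN, 2, 9999, un, crypt),  # rejected
    }
```

The same issuer-side check does nothing for a card-not-present transaction, where no chip is involved, which is the gap the paragraph above describes.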

A recent report by Javelin Strategy and Research noted that online fraud rose 79% in the U.K. during the first three years after the country adopted EMV cards, and more than doubled in Australia and Canada after those countries adopted the same technology. This is an important consideration for hoteliers that have a high percentage of online reservation transactions and hyper-connection with third-party service providers, such as booking services, tour operators, technology partners, airlines and travel agents.

According to Javelin researchers, fraud will increase by $200 million by 2018, while in-person card-present fraud at the point of sale is expected to decrease by $1.5 billion over the same period as EMV is adopted. Based on Javelin’s projections, EMV could potentially yield a large net positive result for retailers.

However, businesses would be wise not to gain a false sense of security with EMV adoption. Fraud and credit card breaches are just one exposure; hoteliers, like other businesses, face many others, including denial of service (DoS) attacks, phishing, social engineering, malware, viruses, third-party vendors and rogue employees. Verizon’s 2015 DBIR report indicated that 89% of incidents in the hospitality industry were attributed to POS intrusions and DoS attacks. The percentage of POS intrusions fell from 75% in last year’s report to 51% this year, while DoS attacks rose sharply from 10% to 38%. DoS attacks have crippling effects by rendering key systems (e.g., websites, booking services and billing systems) unavailable.

HYPER-CONNECTIVITY

On August 7, 2015, a global travel technology company and one of the largest clearing houses for travel reservations confirmed that its systems were breached. As a result, the world’s largest airline carrier, which at one time owned the travel technology company, is reportedly investigating whether hackers moved from that company’s systems into its own computers, as the two companies reportedly share some network infrastructure. The travel technology company’s database is a highly desired target for hackers, given that the company holds personal information on more than one billion travelers per year and operates a software-as-a-service (SaaS) platform for the hospitality industry. In the event that the company’s platform, or any other third-party system upon which a hotel is dependent, becomes infected with malware, the potential for cross malware infection exists. For this reason, the hospitality industry must have in place and implement third-party vendor policies and procedures.

INCIDENT RESPONSE PLANNING

Unfortunately, even with the best defense mechanisms and risk management controls in place, cyber security incidents and data breaches are likely to occur. Businesses often fail to devise their incident response plan prior to an incident. Without a proper response plan in place ahead of time, it’s extremely difficult to contain or stop the incident once detected and preserve appropriate forensic evidence while working to restore operational continuity.

Incident response planning is even more important for the hospitality industry than for others. According to Verizon’s 2015 DBIR report, in 70% of cases in the hospitality sector, incidents took months or longer to discover. This is a significant contrast to the average across all industries, where 74% of incidents were discovered in hours. The major reason for this delay is that businesses in the hospitality sector are likely to be notified of a breach by an external party, such as law enforcement or a fraud alert, rather than internally. The longer an attack lasts and the longer it takes to discover, the more damaging, harmful and costly it is likely to be, as seen in breaches involving some major retailers.

LAYERING RISK MITIGATION REMEDIES

As hoteliers, retailers and other businesses aim to become more vigilant and increase their defenses, hackers and cyber criminals will innovate and adapt to meet the challenges. For example, in April 2014, hackers unable to directly breach the network of an oil company found an indirect route by reportedly infecting the online menu of a Chinese restaurant that was allegedly popular among the oil company’s employees. It was reported that the workers inadvertently downloaded the malicious code when they browsed the menu and indirectly gave the hackers access to the network.

A layered approach to security, compliance and risk management is necessary in order to mitigate direct and indirect threats and potential loss. In addition to EMV adoption, point-to-point encryption (P2PE), tokenization and third-party vendor management, together with established best practices, can help prevent data breaches, minimize financial losses and may also aid in meeting PCI Data Security Standard compliance requirements.

BEST PRACTICES

Use Strong Passwords: It is highly recommended that business owners change the passwords to their POS systems on a regular basis, use unique account names and complex passwords, and deploy multi-factor authentication (MFA).

Update POS Software Applications: Ensure that POS software applications are running the latest software versions and that all application patches have been applied.

Install Firewalls: Employ firewalls on web applications to prevent unauthorized access to, or from, a private network by screening out traffic from hackers, viruses, worms, or other types of malware specifically designed to compromise a POS system.

Use and Update Antivirus Programs: Regularly update antivirus programs to maintain their effectiveness.

Restrict Access to Internet: Restrict access to POS system computers or restrict terminals to POS-related activities only to prevent users from accidentally exposing the POS system to security threats on the internet.

Disallow Remote Access: Cyber criminals can exploit remote access configurations on POS systems to gain access to these networks. To prevent unauthorized access, disallow remote access to the POS network at all times.

Employee Training: Provide employees with dynamic information security and privacy awareness training, including anti-phishing and social engineering exercises. Employees are the first line of defense and should also be able to quickly and easily report potential issues, activities, circumstances or concerns, such as an extortion demand, without fear of reprimand or retribution.

Incident Response Planning: The primary objective of an incident response plan is to provide a framework to manage a cybersecurity incident that limits damage, increases the confidence of external stakeholders, and reduces response costs and recovery time. The incident response team (IRT) should practice the plan regularly with tabletop exercises based on different scenarios.

CYBER AND PRIVACY LIABILITY INSURANCE

Cyber and Privacy Liability Insurance, designed to address many of the cyber risks discussed above, is also a best practice and an important risk transfer vehicle. However, there is no ‘one-size fits all’ product and there is presently no industry standard; each insurer has its proprietary policy form, making Cyber and Privacy Liability insurance a complex specialty product that requires expertise. As such, it is important to select an insurance broker and insurer that concentrates on cyber and privacy risks with dynamic claim management and risk management service offerings.

HOW WILLIS CAN HELP

Our FINEX Cyber broking team is composed of more than 20 professionals with specialized knowledge of the cybersecurity risks and exposures facing companies today. Cyber exposures and the cyber insurance market are dynamic. As a result of our large cyber client base, we are up to the minute with changing exposures and have amassed a body of price, limit, vendor and claim data that supports our clients’ evaluation and decision making as respects cyber risk financial management. Since cyber risks overlap with E&O, media or professional services, our team’s diverse background in these areas provides the insight necessary to address the range of risks often encountered when cyber risk is present. Our cyber experts are recognized in the hospitality industry and are often sought after for thought leadership and new product ideas. Given our expertise and knowledge of the sector, we are able to design innovative programs that specifically reflect the needs of our hospitality industry clients.

Also at the core of our cyber service platform is our proprietary and recently redesigned analytics tool, PRISM II℠, which models the frequency and severity of clients’ privacy loss exposures, and RAPID℠ (Risk Assessment Probability and Impact Diagnostic), which helps clients identify cyber risks within their organizations. The quantitative measurement delivered by PRISM II overlays various risk financing structures to measure the value derived from each structure using our proprietary Comprehensive Cost of Risk tool (CCoR℠). PRISM II is thus designed specifically to help clients make rational, objective decisions regarding privacy breach risk financing issues by using return on capital metrics. Further, with the output generated by PRISM II and RAPID, our cyber specialists are able to help clients identify the optimal insurance program structure, as well as analyze and stress test such programs to ensure clients are meeting regulatory and rating agency risk quantification requirements. Further, our robust and proprietary cyber benchmarking database consists of pricing and retention data from cyber clients of every size and industry so that, if desired, our clients can benchmark their purchasing options against those of their peers.

For more information on Cyber and Privacy Liability Insurance, please contact your Willis Client Advocate® or Jamie Sharpe.
