We're sorry but your browser is not supported by Marsh.com

For the best experience, please upgrade to a supported browser:



A Framework for Managing Cyber Risk


An effective cyber risk management program must be enterprise-wide, involving not only IT but also finance, legal, compliance, operations, and other departments.

Companies these days should be looking at cyber risk in terms of a broader cyber risk management framework. Assessment, management, response, and remediation are the critical elements of that framework.

Hackers and data breaches have gained the lion’s share of attention in relation to cyber risks over the past several years, but it’s time for companies to begin thinking more broadly about how to manage the risks. That was the message from a panel of cyber risk experts during Marsh’s April 22, 2015, The New Reality of Risk webcast.

“The main point we make these days is that even an unlimited budget for information security will not eliminate your cyber risk,” said Tom Reagan, Marsh’s Cyber Practice leader. “We all need to recognize that cyber risk cannot be eliminated. Instead, companies should develop a cyber risk management framework that reaches across the enterprise.”  

That is not to say that data breaches should be taken lightly. The reality is that hackers and attackers are becoming ever-more sophisticated, said webcast panelist Ron Bushar, global director of Security Program Services at Mandiant, a FireEye Company. Bushar discussed a number of issues likely to emerge or continue in 2015 and beyond, including:

  • More destructive attacks.
  • Improvements in counter-forensics.
  • More reliance on the cloud.
  • Continued vigilance around cyber risks by boards of directors.

On the insurance side, pricing for standalone cyber coverage generally continues to increase, said Bob Parisi, Marsh’s Cyber Products leader. “We are seeing significant price increases for large buyers with significant volumes of protected health information (PHI) and credit card data, simply as a result of the catastrophic risk they present to insurers,” he said.

Among the other key takeaways from the webcast:

  • Managing cyber risk cannot be only the responsibility of the information technology department. Finance, legal, compliance, operations, and others must also be committed to reducing the risk.
  • Regulatory oversight of companies’ cyber risk management policies is likely to increase, since cyber is one of the few areas on which both major US political parties can agree.
  • Information sharing among those who have been affected by cyber attacks can help prevent hundreds, if not thousands, of future attacks. The importance of intelligence cannot be overstated.

Listen to the replay of the webcast