We're sorry but your browser is not supported by Marsh.com

For the best experience, please upgrade to a supported browser:

X

RESEARCH AND BRIEFINGS

Concern About Cyber Threats Rising, Despite Decline in Confidence

 


Our 2019 Global Cyber Risk Perception Survey, conducted in partnership with Microsoft, finds that while more companies see cyber risk as a top priority, confidence in cyber resilience is declining.

Cyber Risk Concern Rises

Driven by the frequency and severity of recent high-profile incidents, cyber risks and threats increased significantly among respondent organizations’ top priorities in 2019.

Globally, 79% of respondents ranked cyber risks as a top five concern for their organization, up from 62% in 2017.
The number citing cyber risk as their #1 concern nearly quadrupled, from 6% to 22%.

In 2019, more respondents ranked cyber risk as a top concern than any other major business risk.

Economic uncertainty was second, ranked as a top 5 risk by 59% of organizations — a full 20 percentage points below cyber-attacks and cyber threats.

These results suggest a sharp rise in the prominence of cyber risk on the corporate, and correlate with other recent studies.

For example, in the World Economic Forum (WEF) 2019 Global Risks Report, business leaders ranked data theft and cyber-attacks among the top five risks most likely to occur.

Cyber Confidence Declines

This year’s survey found a notable decline in firms’ confidence in each critical area of cyber resilience:

  1. Understanding, assessing, and measuring potential cyber risks.
  2. Being able to reduce the probability of cyber-attacks from occurring, or preventing potential damage.
  3. Managing, responding to, and recovering from cyber events.

Taken together, these areas provide an overall measure of an organization’s cyber resilience — its ability to successfully navigate a cyber event; apply planning, assessment, prevention, mitigation, and response capabilities to manage it; and return to normal operations with minimal downtime or losses.

In 2019, the proportion of firms that reported feeling “high confidence” fell in each of these three areas compared to 2017.

Equally concerning is that significantly more organizations reported being “not at all confident” across all three pillars.

For example, more than 1-in-5 respondents in 2019 said they are not at all confident in their organization’s ability to manage or respond to a cyber-attack.

In 2019, just 11% of firms reported a high degree of confidence in all three aspects of cyber resilience.

Cyber Dissonance: Strategic Risk, Managed Tactically

Despite cyber risk being ranked high among organizational strategic priorities, most organizations continue to manage it tactically.

In general, they still struggle to create a strong cybersecurity culture with appropriate governance, prioritization, management focus, and resources. This places organizations at a disadvantage in building cyber resilience and in confronting the increasingly complex cyber risk landscape.

For example, for most firms, information technology and information security roles continue to be seen as the primary owners of cyber risk management.

In fact, the primacy of IT increased over the past two years, with almost 9-in-10 firms identifying IT/InfoSec as the main owner in 2019 — up from 70% in 2017. In a positive sign, 65% of firms identified executive leadership/board members as among those spearheading cyber risk management efforts, an increase over 2017.

In 2019, 49% of organizations cited risk management as a primary owner of cyber risk.

While this was a sizeable increase since 2017, there remains considerable room to increase the involvement of risk management teams to drive cyber risk agendas. 

The fact that IT is named as a primary owner nearly twice as often as risk management points to a continuing, mistaken view of cyber risk as primarily a technology issue, rather than a critical business risk that merits a strategic enterprise risk management approach.

The question of who leads cyber risk management is just one area in which there is dissonance between an organization’s perceptions and actions.

Despite the high level of strategic concern organizations say they have for cyber risks, not all internal “risk governors” give the issue the attention it deserves.

Only 17% of executive leaders/board members say they spent more than a few days over the past year focusing on cyber risk issues.

Even among IT respondents, 30% said they spent only a few days or less. This low allocation of time is concerning given that these two constituencies are ranked among the top three organizational owners of cyber risk management.

The importance of senior leadership driving the cyber risk agenda is underscored by the confidence gap in overall cyber resilience as reported by those who lack such leadership.

Among organizations who cited lack of senior level mandate as a barrier to effective cyber risk management, only 19% were highly confident in any of the three areas of cyber resilience, compared to 31% of all respondents.
 

Despite wide acknowledgement of cyber risk as a top priority, too few organizations currently take actions to create a strong cybersecurity “culture” with appropriate standards for governance, prioritization, management focus, and ownership.

This places them at a disadvantage both in building cyber resilience and in confronting the increasing cyber challenges of a changing technology and supply chain environment.

Three other data findings point to the dissonance between high cyber risk concerns and tactical approach:

Investment decisions are largely not based on quantitative risk measurement, and are largely reactive:

  • Only 30% of organizations employ quantitative methods to measure and express their cyber exposures. While this is nearly double the number in 2017, it still means that 70% of organizations continue to use vague, descriptive methods to assess their cyber exposures – and 26% say they have no assessment method at all.
  • 64% of organizations said the main trigger for increases in cyber risk investments would be a cyber-attack against their organization: a reactive approach which neglects the importance of proactive assessment, planning and measurement to optimize cyber capital allocation.

The actions taken by most organizations focus on technology and prevention to the neglect of other resilience building measures.

While 83% and 78% said they have improved hardware security and data protection respectively over the past 12 to 24 months, roughly only 30% have modelled cyber loss scenarios, conducted management table top training, or assessed supply chain risk.  Less than half said they reviewed or updated their cyber response plan.

While the range and type of actions necessary for effective cyber risk management varies by company, the best practice for all organizations, regardless of industry or size, is to apply a rigorous risk management framework to cyber risk as they do for other strategic risks.

A comprehensive approach that incorporates planning, training, risk transfer, and response rehearsal as well as prevention is the best roadmap to building cyber resilience.