
Cyber risk: Who’s making the decisions?

Despite increasing board oversight and a shift in cyber decision-making in recent years, many Australian and NZ businesses still rely on a sole cybersecurity decision maker.

The accelerating threat environment has made cyber risk a C-suite and board-level priority for many companies, driving greater emphasis on enterprise-wide oversight and collaboration. Insights from the Marsh Global Cyber Buyers Study, which surveyed more than 2,200 cyber risk leaders around the world, including 200 from Australia and New Zealand, highlight how decision-making structures vary across organisations.

In this article, we explore the evolution of key decision makers and cyber risk oversight in the Pacific region, factors driving this shift and actions organisations can take to strengthen their enterprise-wide governance.

The evolution of key decision makers

The roles and responsibilities of decision makers in the evolving landscape of cybersecurity have shifted considerably since the early 2020s. Traditionally, cyber risk sat largely with the Chief Information Officer (CIO), IT operations teams, security specialists and sometimes compliance officers. The focus was primarily technical and often centred on patching, access controls and meeting regulatory checklists. While these efforts were necessary, the organisational approach to cybersecurity was often siloed and reactive. Decisions and investments were driven mostly by incident response and operational constraints rather than by strategic or broader business objectives. Over time, this approach exposed gaps as technologies evolved, businesses became more reliant on technology and cyber threats grew more sophisticated.

An enterprise-wide approach to cyber risk decision-making

The combination of rapid digital transformation, cloud migration, complex third‑party ecosystems, hybrid working models, enhanced regulatory oversight and more sophisticated cyber attacks has led to a more integrated approach to organisational cybersecurity.

With the damage and business impacts becoming more extensive, organisations responded by embedding cybersecurity considerations into product roadmaps, procurement policies and HR processes, and by elevating cyber to board-level risk discussions. Consequently, today’s cyber decision-making has broadened significantly and become more strategic and central to executives’ priorities. HR, legal, procurement and third-party risk teams are often part of the decision-making process and work closely with Chief Information Security Officers (CISOs), enterprise risk teams, business unit leaders, developers, IT operations and cloud architects.

Responsibilities and focus have shifted from purely technical controls to setting risk appetites, assessing vendor cyber resilience and running people-focused measures such as training and insider-risk programs. This shift reflects a view that cyber is now a business risk, not just an IT problem. The result is a more distributed governance model in which accountability and decisions are shared across business functions.

Establishing oversight on decision-making

Cybersecurity leaders typically either support committees or act as the primary decision makers in shaping response and mitigation strategies. These differences in cyber risk governance highlight the importance of coordinated, enterprise-wide decision frameworks that balance risk priorities and engage a range of stakeholders.

The Cyber Buyers Study found that organisations establish oversight in several ways, depending upon the level of integration and maturity of their cyber risk initiatives. (See Figure 1.) In the Pacific region:

  • 57% of respondents said their organisation relies on a sole or primary cybersecurity decision maker, who is often supported by cybersecurity technical experts who conduct due diligence and provide investment recommendations to leadership. The Pacific had the highest proportion of organisations using this oversight approach of any region.
  • 14% rely on a cybersecurity oversight team made up of risk, cybersecurity and insurance professionals.
  • 29% have a regional or global oversight committee, with representatives from operations, risk, IT, cybersecurity, finance, legal and insurance who have strong influence in identifying and vetting investment decisions across cyber risk.

Despite the shift in cyber decision-making in recent years and increasing oversight at board level, adoption of an enterprise-wide approach is still maturing: many Australian and New Zealand businesses still rely on a sole or primary cybersecurity decision maker.

Today’s decision makers are addressing cyber issues by either purchasing solutions, leveraging external expertise or building in-house specialist centres of excellence. (Learn more about the different investment approaches and who’s using them in this article.)

Cyber risk oversight expanding in Australia and New Zealand

Cyber risk decision-making in the Pacific region has evolved in response to a combination of governance expectations, business impact and market forces. The shift reflects how cyber incidents now affect organisations across operational, financial, legal and reputational dimensions. This adjustment in decision-making ownership has been influenced by several factors, including:

  • Mandatory reporting: Mandatory breach notification and ransomware payment reporting requirements oblige Australian organisations to report cyber incidents at an organisational level, reinforcing the need to elevate cyber risk decisions beyond technology teams.
  • Supply chain and third-party exposure: With growing awareness of cyber exposures from third parties, service providers or supply chains, decision-making can often include members from procurement, legal and risk teams.
  • Workforce and human-related cyber risk: Human error remains a leading concern for cyber leaders, contributing to 37% of data breaches in Australia [1]. Ongoing employee training and awareness are essential to reducing cyber risk and shaping safer behaviour across the organisation. In Australia and New Zealand, this reality has brought HR and people leaders into cyber risk discussions to support enterprise-wide resilience.
  • Executive and board accountability: The combination of extensive damage and increasing public and media interest following large cyber incidents has triggered questions about oversight, preparedness and decision quality at board level. Executives are more aware of potential regulatory, legal or shareholder actions following a material cyber event. Directors’ and officers’ personal liability has also widened the scope of decision-making responsibility to include senior business stakeholders.
  • Insurance implications: Cyber insurers are applying more detailed assessments when evaluating governance, control effectiveness and executive ownership. Cyber maturity can influence insurance cost, coverage and insurability, linking cyber investment decisions more closely to financial outcomes and organisational risk tolerance. This has extended decision-making to finance and risk leaders.

3 key steps to strengthen your enterprise-wide cyber risk governance

As decision makers face increasingly complex cyber threats, stronger governance across the whole organisation is becoming a hallmark of resilient businesses. Here are three steps organisations can implement to help further strengthen their enterprise-wide governance:

  1. Redefine cyber risk as a shared business accountability: As cyber risk decisions now involve one or more of the roles mentioned above, organisations need to move away from treating cyber risk as an IT-owned issue and formally recognise it as an enterprise risk. Practically, this means clearly defining the roles and responsibilities of those ultimately accountable when incidents occur.
  2. Strengthen board and executive cyber governance: With increased personal and organisational accountability, boards and executives need confidence and transparency in their organisation’s cyber risks, including how the risk is identified, addressed and governed. Structured executive cyber risk management training can help leadership teams understand their obligations, benchmark cybersecurity capabilities against international standards and provide a roadmap to improve their controls and process maturity.
  3. Align cyber decision-making with insurance strategy: As cyber insurers apply increased focus on cyber risk governance and ownership, organisations should consider how their internal decision-making structure stands up to external review. Demonstrating clear executive oversight, cross-functional involvement and mature governance processes can help influence risk posture and insurance outcomes.

Learn more

The Cyber catalyst report: Guiding priorities in cyber aims to help organisations translate the Global Cyber Buyers Study’s insights into action. By assessing your unique risk landscape and investing strategically in the right controls and capabilities, you can better take control of your cyber risk. Read the full report for other findings and deeper insights from our latest research.

Do you have the right decision makers at the table when it comes to cyber risk?

If you would like to discuss your cyber risk exposures or have questions about any of the above, please reach out to your Marsh representative. Let our team of cyber risk experts help you navigate the complexity of the cyber risk landscape with clarity and confidence.

This publication is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. The information contained herein is based on sources we believe reliable, but we make no representation or warranty as to its accuracy. Marsh shall have no obligation to update this publication and shall have no liability to you or any other party arising out of this publication or any matter contained herein. Any statements concerning actuarial, tax, accounting, or legal matters are based solely on our experience as insurance brokers and risk consultants and are not to be relied upon as actuarial, accounting, tax, or legal advice, for which you should consult your own professional advisors. Any modelling, analytics, or projections are subject to inherent uncertainty, and any analysis could be materially affected if any underlying assumptions, conditions, information, or factors are inaccurate or incomplete or should change.
