The Marsh Global Cyber Buyers Study revealed senior cyber risk buyers and decision-makers’ top concerns, which ranged from being ready for specific cyber threats to balancing strategic investments and keeping up with the pace of evolving cyber trends. The 2025 study surveyed more than 2,200 cyber risk leaders around the world, with over 200 respondents from Australia and New Zealand.
Let’s take a look at the different ways organisations are measuring cyber risk and what companies are prioritising in their cyber investments.
Globally, regardless of role or industry, companies are ramping up investments in cyber risk management, with over a quarter planning to increase spending by more than 25%. In the Pacific region, the average increase in cyber investments by Australian and New Zealand companies was slightly below (3%) the global average. (See figure 1.)
Interestingly, when comparing spending intentions and confidence levels by region, those who were least confident tended to also be the least likely to plan to increase spending. This is a somewhat concerning trend as those not confident in their organisation’s cybersecurity measures should, in fact, be investing more to bolster their knowledge, capabilities, controls and strategies to improve their organisational cyber resilience. In the Pacific region, we have seen a positive move towards stronger cybersecurity controls over the last few years, reflected in the general trends and results we are seeing across the Marsh Cyber Self-Assessments being completed by organisations. However, cyber risk is not stagnant. It evolves and so too should an organisation’s approach to cybersecurity investment.
What to invest in will vary depending on companies’ unique situations and goals. The Pacific findings from the Marsh Global Cyber Buyers Study point to a strong emphasis on being ready to respond when incidents occur, improving day-to-day operational capability and gaining clearer insight into where cyber risks sit across the organisation. Together, this reflects a practical approach to cyber investment that balances prevention with preparedness, response and managing exposure across a wider risk ecosystem.
Over the next 12 months, the top five areas in which Pacific survey respondents said they would increase investments were:
Incident preparedness is the top cyber investment priority in the Pacific, reflecting increased focus on how organisations respond when incidents occur. While response plans are typically in place, rehearsal and coordination are often narrower in scope, with tabletop exercises still concentrated on technical teams. Expanding participation to include executives, legal, risk and communications can help improve decision-making under pressure.
Increased investment in SOC capabilities reflects the need for continuous visibility and faster detection across complex environments. In the Pacific, this may be delivered through managed or co-sourced SOC models rather than fully in-house teams. This approach helps address certain restraints, including regional skills shortages and challenges maintaining 24/7 coverage needs.
Cyber risk assessments are being prioritised to improve understanding of how cyber risk may translate into practical business impact. There is an opportunity for assessments to become more business-aligned, helping inform investment decisions and insurance placements.
Recent global events, including large-scale supplier outages such as CrowdStrike, have highlighted how third-party dependencies can create widespread disruption. As a result, organisations are placing greater emphasis on understanding vendor concentration risk, access pathways and operational resilience across their supplier ecosystem.
Technology investment remains a key component of an organisation’s cyber strategy in the Pacific. Its positioning alongside planning, monitoring and risk assessment reflects an understanding that tools are most effective when supported by strong governance, visibility and response capabilities.
The “right” areas in which to increase investment will vary depending on factors such as an organisation’s size, industry, existing capabilities and unique situation. To set an effective and fit-for-purpose investment strategy, it’s essential for organisations to measure and understand these circumstances.
The good news is that the measurement of cyber exposure has notably increased in companies of all sizes and industries since 2021, when nearly 20% of organisations said they had no method to measure cyber risk. In 2025, only 1% said so.
When it comes to investing in cyber resilience, there is no single right path. Organisations typically weigh up whether to buy, borrow, or build capabilities based on their size, maturity, risk profile, investment and operating model.
Below, we explore how each approach is applied and what organisations they are most relevant for.
Among the three methods, the build method was most preferred by Pacific respondents (78%), particularly by larger organisations, although buying was a close second (72%). Many organisations said they use a combination of approaches.
With almost 98% of businesses in Australia1 and New Zealand2 being small and medium enterprises, a combined approach reflects the unique risk profiles of businesses who may have existing resources to build capabilities, but in many cases will need to rely on external sources to bolster their ability to manage cyber risk.
While many large organisations remain focused on building internal cybersecurity capability, developing in-house teams can be complex and time intensive. In the Pacific, this challenge is amplified by skill shortages and the need to uplift capability at both the technical and executive level. As organisations work through what should be built internally and what may not realistically be delivered at the required pace, external cybersecurity consultants and advisors continue to play a role in supplementing this capability.
The survey results reflect this reality. More than half of Pacific respondents (52%) said they are likely to “borrow” capabilities in the next 12 months. However, the desire to work with a third-party adviser was amplified further (to 93%) when positioned specifically as “an adviser capable of assessing cyber risk and recommending strategies, actions and specialists to address organisational needs”.
The Cyber catalyst report: Guiding priorities in cyber aims to help organisations translate the Global Cyber Buyers Study’s insights into action. By assessing your unique risk landscape and investing strategically in the right controls and capabilities, you can better take control of your cyber risk. Read the full report for other findings and deeper insights from our latest research.
If you would like to discuss your cyber risk exposures or have questions about any of the above, please reach out to your Marsh representative. Let our team of cyber risk experts help you navigate the complexity of the cyber risk landscape with clarity and confidence.
1 Based on June 2025 data from www.asbfeo.gov.au/small-business-data-portal/number-small-businesses-australia (Accessed 21 January 2026)
2 www.mfat.govt.nz/en/trade/free-trade-agreements/free-trade-agreements-in-force/cptpp/supporting-smes (Accessed 21 January 2026)
This publication is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. The information contained herein is based on sources we believe reliable, but we make no representation or warranty as to its accuracy. Marsh shall have no obligation to update this publication and shall have no liability to you or any other party arising out of this publication or any matter contained herein. Any statements concerning actuarial, tax, accounting, or legal matters are based solely on our experience as insurance brokers and risk consultants and are not to be relied upon as actuarial, accounting, tax, or legal advice, for which you should consult your own professional advisors. Any modelling, analytics, or projections are subject to inherent uncertainty, and any analysis could be materially affected if any underlying assumptions, conditions, information, or factors are inaccurate or incomplete or should change.
Page Compliance ID
