We're sorry but your browser is not supported by Marsh.com

For the best experience, please upgrade to a supported browser:


Research and Briefings

Advancing Cyber Risk Management: From Security to Resilience

Large-scale cyberattacks, growing anxieties about cyber threats, broadening attack surface areas, lengthy dwell times (especially in the Asia-Pacific region), and lagging investments all point to a critical urgency for cyber resilience in this digital age.  A strong cyber resilience culture can set an organization apart from its peers in managing risk, minimizing damage, and recovering quickly from a cyber incident.  And yet, in 2018 while the total cost of cyber crimes grew by a third compared to 2016, to US$600 billion, investment in cyber security increased only 10% over the same period.


Recent high-profile events have shown that traditional cyber defense strategies, such as antivirus software, firewalls and password protection, can be ineffective and insufficient.  While it is not practical to expect organizations to stay ahead of every threat, they must be nimble enough to keep pace with the evolving threat landscape and infiltration techniques, emerging threat vectors and the speed of digital transformation, as well as policy changes. In addition cyber laws and regulations across the globe are changing quickly, revealing additional layers of fiduciary responsibilities organizations must assume.

For organizations who want to adopt an end-to-end cyber risk management approach, this report highlights the following three “calls to action”:

  • Understand cyber risks from a business perspective and assess the nature of any potential cyber-related losses – know your threats.
  • Measure the financial impact of cyber exposures and quantify how much is acceptable across the organization – know yourself.
  • Manage the insurance and recovery process by having a clear action plan based off your capabilities and capacities – know what you can do.

Cyberattacks are inevitable but impactful data breaches and system compromises do not have to be. 

Proper preparation is essential and sets a resilient organization apart from the rest in managing cyber risks, minimizing damages, and swiftly recovering from breach incidents.