We're sorry but your browser is not supported by Marsh.com

For the best experience, please upgrade to a supported browser:



Low Appetite for Cyber Regulation Except Against Nation-State Attacks


Organizations generally see government regulation and industry standards as having limited effectiveness in helping manage cyber risk, according to the Marsh Microsoft 2019 Global Cyber Risk Perception Survey.

The notable exception was when asked about nation-state attacks; organizations are clearly concerned and want government help in combatting them.

Growth of Cyber Regulation

In recent years, regulators globally have enacted numerous measures to hold corporations and executives more directly accountable for ensuring effective cybersecurity and customer data protections.    

The growth in such laws and regulations complement a body of well-established cyber and information security standards from industry authorities, such as the NIST and the International Organization for Standardization (ISO).

Mixed Views on Value of Regulation

Most 2019 survey respondents said government laws and regulations are less effective in helping them improve their cybersecurity posture than “soft” — voluntary — industry standards and guidance. 

Even then, well less than half of respondents believe that either regulations or industry guidance are “very effective” in helping to improve their organization’s cybersecurity posture. 

Barely a quarter of all respondents viewed government regulations and laws as being very effective in improving cybersecurity. This held across all major regions, despite considerable variance in local laws and regulation. 

Image on left shows 37% of business surveyed responded “soft industry standards and guidance such as NIST and ISO, are very effective in helping us improve our cybersecurity posture.” Of these respondents 29% were over 100 million dollars in revenue; 48% with 5 billion dollars plus revenue; 56% financial institutions. Image on right shows – 28% of business surveyed responded “government regulation and laws are very effective in helping us improve our cybersecurity posture.” Of these respondents 39% communications & technology; 44% financial institutions; 44% aviation.


However, highly regulated industries, such as aviation, financial institutions, and communications, were more likely to see value in government regulation of cyber risk.

Industry guidance and standards, such as NIST and ISO, appear to be best appreciated by the largest companies.  Few smaller organizations view industry standards as being very effective, compared to nearly half of large companies who find industry standards very effective.

Appetite for Government Help Against Nation-State Attacks

The major area of difference in attitudes toward cyber regulation related to cyber-attacks by nation-state actors. A majority of respondents said they are highly concerned about the impact of nation-state cyber-attacks.

This percentage rises to 60% to 70% for the largest organizations and for those engaged in critical national infrastructure, such as energy, power, communications, and technology firms.

Consistent with that view, 55% of organizations said there is a need for governments to do more to protect private enterprise from nation-state cyber-attacks. 

Image on left shows - 54% of business surveyed responded "we are highly concerned about the potential harm that nation-state cyber-attacks could have on our organization." Of these responses 60% were energy and power; 69% $5 billion plus revenue; 71% communication and technology. Image on right shows - 55% of business surveyed responded “governments need to do more to help protect private enterprise from a nation-state cyber-attacks.” 61% board & C-suite; 66% financial institutions; 69% professional services.

This call-for-action resounds consistently across regions, with the highest positive response among financial institutions and professional services organizations.

Such calls for government assistance were most often voiced by executive leadership – C-suites and boards.

These results show that while firms generally prefer a non-prescriptive approach to managing their cyber security and cyber risk affairs, nation-state activity is a clear exception.

Read the full 2019 Global Cyber Risk Perception Survey  produced by Marsh in partnership with Microsoft.