Low Appetite for Cyber Regulation Except Against Nation-State Attacks
Organizations generally see government regulation and industry standards as having limited effectiveness in helping manage cyber risk, according to the Marsh Microsoft 2019 Global Cyber Risk Perception Survey.
The notable exception was when asked about nation-state attacks; organizations are clearly concerned and want government help in combatting them.
Growth of Cyber Regulation
In recent years, regulators globally have enacted numerous measures to hold corporations and executives more directly accountable for ensuring effective cybersecurity and customer data protections.
The growth in such laws and regulations complement a body of well-established cyber and information security standards from industry authorities, such as the NIST and the International Organization for Standardization (ISO).
Mixed Views on Value of Regulation
Most 2019 survey respondents said government laws and regulations are less effective in helping them improve their cybersecurity posture than “soft” — voluntary — industry standards and guidance.
Even then, well less than half of respondents believe that either regulations or industry guidance are “very effective” in helping to improve their organization’s cybersecurity posture.
Barely a quarter of all respondents viewed government regulations and laws as being very effective in improving cybersecurity. This held across all major regions, despite considerable variance in local laws and regulation.
However, highly regulated industries, such as aviation, financial institutions, and communications, were more likely to see value in government regulation of cyber risk.
Industry guidance and standards, such as NIST and ISO, appear to be best appreciated by the largest companies. Few smaller organizations view industry standards as being very effective, compared to nearly half of large companies who find industry standards very effective.
Appetite for Government Help Against Nation-State Attacks
The major area of difference in attitudes toward cyber regulation related to cyber-attacks by nation-state actors. A majority of respondents said they are highly concerned about the impact of nation-state cyber-attacks.
This percentage rises to 60% to 70% for the largest organizations and for those engaged in critical national infrastructure, such as energy, power, communications, and technology firms.
Consistent with that view, 55% of organizations said there is a need for governments to do more to protect private enterprise from nation-state cyber-attacks.
This call-for-action resounds consistently across regions, with the highest positive response among financial institutions and professional services organizations.
Such calls for government assistance were most often voiced by executive leadership – C-suites and boards.
These results show that while firms generally prefer a non-prescriptive approach to managing their cyber security and cyber risk affairs, nation-state activity is a clear exception.
Read the full 2019 Global Cyber Risk Perception Survey produced by Marsh in partnership with Microsoft.