Risk in Context

3 Steps To Ensure a Balanced Cybersecurity Plan

Posted by Matt McCabe December 17, 2015

Risk professionals have grown more aware of the impact that the disclosure of personal data — whether through an employee error or a cyber-attack — can have on their businesses. But cyber risk is broad, and many companies may not be preparing for non-privacy cyber incidents — which could be the biggest threats to their organizations.

On a recent New Reality of Risk® webcast, we asked participants: Has your organization completed a scenario analysis for cyber-related events other than the loss of personal information? More than 100 risk professionals responded:

  • 37% said their organizations had completed such an analysis.
  • 21% said they had not.
  • 42% said they were not sure.

With nearly two-thirds of risk professionals saying they either have not completed scenario analyses that go beyond privacy exposures or do not know whether they have, many businesses could be under-prepared for some of their most severe cyber risks.


Historically, businesses have considered network security breaches and loss of personal information to be synonymous with the term “cyber risk.” That’s largely because of the significant media attention given to data breaches, primarily in the US where breach notification laws are rigorous.

For some businesses — for example, retailers, health care organizations, and higher education — privacy risk may well be the biggest concern. But for others — including manufacturers, energy companies, and other industrial organizations — disruption is a significant risk.

For example, Marsh’s European 2015 Cyber Risk Survey found that EU companies consider cyber-related business interruption to be nearly as big a threat to them as data breaches. Respondents also cited cyber-crime and data or software damage as top cyber threats. Unfortunately, many of these risks remain unaddressed.


Understanding your organization’s cybersecurity profile is critical to managing risk effectively. To manage the cyber risk that can undermine your core operations, your organization should take the following three steps:

  1. Perform an enterprise-wide cyber risk assessment that defines the assets you have at risk.
  2. Develop a strategy for preventing the potential compromise of those assets.
  3. Build a plan to respond to an attack on those assets.

Completing these actions can help you build a framework for understanding your unique cyber risks and the ways you can respond to them. That will likely include purchasing insurance coverage. The good news for businesses is that insurance — particularly cyber insurance coverage — is designed to respond to a variety of threats, including data breaches, cyber-related business interruption, cyber-crime, and data or software damage.


Matt McCabe