Global Cyber Risk Perception Survey Report 2019
Our 2019 Global Cyber Risk Perception Survey, conducted in partnership with Microsoft, investigates the state of cyber risk perceptions and risk management at organisations worldwide, especially in the context of a rapidly evolving business environment.
Technology is dramatically transforming the global business environment, with continual advances in areas ranging from artificial intelligence and the Internet of Things (IoT) to data availability and blockchain.
The speed at which digital technologies evolve and disrupt traditional business models keeps increasing. At the same time, cyber risks seem to evolve even faster.
Cyber risk has moved beyond data breaches and privacy concerns to sophisticated schemes that can disrupt entire businesses, industries, supply chains, and nations, costing the economy billions of dollars and affecting companies in every sector.
The hard truth organisations must face is that cyber risk can be mitigated, managed, and recovered from, but it cannot be eliminated.
The 2019 Global Cyber Risk Perception Survey reveals several encouraging signs of improvement in the way that organisations view and manage cyber risk. Cyber risk is now clearly and firmly at the top of corporate risk agendas, and we see a positive shift towards the adoption of more rigorous, comprehensive cyber risk management in many areas.
However, many organisations still struggle with how best to articulate, approach, and act upon cyber risk within their overall enterprise risk framework — even as the tide of technological change brings new and unanticipated cyber risk complexity.
Below we summarise the key highlights from the report:
While Companies See Cyber as Top Priority, Confidence in Cyber Resilience Is Declining
Cyber risk became even more firmly entrenched as an organisational priority in the past two years. Yet at the same time, organisations’ confidence in their ability to manage the risk declined.
- 79% of respondents ranked cyber risk as a top five concern for their organization, up from 62% in 2017.
- Firms’ confidence declined in each of three critical areas of cyber resilience. Those saying they had “no confidence” increased:
- From 9% to 18% for understanding and assessing cyber risks.
- From 12% to 19% for preventing cyber threats.
- From 15% to 22% for responding to and recovering from cyber events.
New Technology Brings Increased Cyber Exposure
Technology innovation is vital to most businesses, but often adds to the complexity of an organisation’s technology footprint, including its cyber risk.
- 77% of 2019 respondents cited at least one innovative operational technology that they have adopted or are considering.
- 50% said cyber risk is almost never a barrier to the adoption of new technology, but 23% — including many smaller firms — said that for most new technologies, the risk outweighs potential business benefits.
- 74% evaluate technology risks prior to adoption, but just 5% said they evaluate risk throughout the technology lifecycle — and 11% do not perform any evaluation.
Increasingly Interdependent Digital Supply Chains Bring New Cyber Risks
The increasing interdependence and digitisation of supply chains bring increased cyber risk to all parties, but many firms perceive the risks as one-sided.
- There was a discrepancy in many organisations’ view of the cyber risk they face from supply chain partners, compared to the level of risk their organisation poses to counterparties.
- 39% said the cyber risk posed by their supply chain partners and vendors to their organisation was high or somewhat high.
- But only 16% said the cyber risk they themselves pose to their supply chain was high or somewhat high.
- Respondents were more likely to set a higher bar for their own organisation’s cyber risk management actions than for those of their suppliers.
Appetite for Government Role in Managing Cyber Risks Draws Mixed Views
Organisations generally see government regulation and industry standards as having limited effectiveness in helping manage cyber risk — with the notable exception of nation-state attacks.
- 28% of businesses regard government regulations or laws as being very effective in improving cybersecurity.
- 37% of businesses regard soft industry standards as being very effective in improving cybersecurity.
- A key area of difference relates to cyber-attacks by nation-state actors:
- 54% of respondents said they are highly concerned about nation-state cyber-attacks.
- 55% said government needs to do more to protect organisations against nation-state cyber-attacks.
Cyber Investments Focus on Prevention, Not Resilience
Many organisations focus on technology defences and investments to prevent cyber risk, to the neglect of assessment, risk transfer, response planning, and other risk management areas that build cyber resilience.
- 88% said information technology/information security (IT/InfoSec) is one of the three main owners of cyber risk management, followed by executive leadership/board (65%) and risk management (49%).
- Only 17% of executives say they spent more than a few days on cyber risk over the past year.
- 64% said a cyber-attack on their organisation would be the biggest driver of increased cyber risk spending.
- 30% of organisations reported using quantitative methods to express cyber risk exposures, up from 17% in 2017.
- 83% have strengthened computer and system security over the past two years, but less than 30% have conducted management training or modelled cyber loss scenarios.
Cyber insurance coverage is expanding to meet evolving threats, and attitudes toward policies are also shifting.
- 47% of organisations said they have cyber insurance, up from 34% in 2017.
- Larger firms were more likely to have cyber insurance: 57% of those with annual revenues above $1 billion had a policy, compared to 36% of those with revenue under $100 million.
- Uncertainty about whether available cyber insurance could meet their firm’s needs dropped to 31%, down from 44% in 2017.
- 89% of those with cyber insurance were highly confident or fairly confident their policies would cover the cost of a cyber event.
At a practical level, this year’s survey points to a number of best practices that the most cyber resilient firms employ and which all firms should consider adopting:
- Create a strong organisational cybersecurity culture, with clear, shared standards for governance, accountability, resources, and actions.
- Quantify cyber risk to drive better informed capital allocation decisions, enable performance measurement, and frame cyber risk in the same economic terms as other enterprise risks.
- Evaluate the cyber risk implications of new technology as a continual and forward-looking process throughout the lifecycle of the technology.
- Manage supply chain risk as a collective issue, recognising the need for trust and shared security standards across the entire network, including the organisation’s cyber impact on its partners.
- Pursue and support public-private partnerships around critical cyber risk issues that can deliver stronger protections and baseline best practice standards for all.
Despite the decline in organisational confidence in the ability to manage cyber risk, we are optimistic that more organisations are now clearly recognising the critical nature of the threat, and beginning to seek out and embrace best practices.
Effective cyber risk management requires a comprehensive approach employing risk assessment, measurement, mitigation, transfer, and planning, and the optimal programme will depend on each company’s unique risk profile and tolerance.
Still, these recommendations address many of the common and most urgent aspects of cyber risk that organisations today are challenged with, and should be viewed as signposts along the path to building true cyber resilience.