Technology is dramatically transforming the global business environment, with continual advances in areas ranging from artificial intelligence (AI) and the Internet of Things (IoT) to data availability and blockchain. The speed at which digital technologies evolve and disrupt traditional business models keeps increasing. At the same time, cyber risks seem to evolve even faster—moving beyond data breaches and privacy concerns to sophisticated schemes that can disrupt entire businesses, industries, supply chains, and nations—costing the economy billions of dollars and affecting companies in every sector.
The hard truth organizations must face is that cyber risk can be mitigated and managed—but it cannot be eliminated. Results from the 2019 Marsh-Microsoft Global Cyber Risk Perception survey reveal several encouraging signs of improvement in the way that organizations view and manage cyber risk. Now that cyber risk is clearly and firmly at the top of corporate risk agendas, we see a positive shift towards the adoption of more rigorous, comprehensive cyber risk management in many areas. However, many organizations still struggle with how to best articulate, approach, and act upon cyber risk within their overall enterprise risk framework—even as the tide of technological change brings new and unanticipated cyber risk complexity.
Highlights from the survey
While companies see cyber events as a top priority, confidence in cyber resilience is declining. Cyber risk became even more firmly entrenched as an organizational priority in the past two years. Yet at the same time, organizations’ confidence in their ability to manage the risk declined.
- 79 percent of respondents ranked cyber risk as a top five concern for their organization, up from 62 percent in 2017.
- Confidence declined in each of three critical areas of cyber resilience. Those saying they had “no confidence” increased from:
- 9 percent to 18 percent for understanding and assessing cyber risks.
- 12 percent to 19 percent for preventing cyber threats.
- 15 percent to 22 for responding to and recovering from cyber events.
New technology brings increased cyber exposure
Technology innovation is vital to most businesses, but often adds to the complexity of an organization’s technology footprint, including its cyber risk.
- 77 percent of the 2019 respondents cited at least one innovative operational technology they adopted or are considering.
- 50 percent said cyber risk is almost never a barrier to the adoption of new technology, but 23 percent—including many smaller firms—said that for most new technologies, the risk outweighs potential business benefits.
- 74 percent evaluate technology risks prior to adoption, but just 5 percent said they evaluate risk throughout the technology lifecycle—and 11 percent do not perform any evaluation.
Increasing interdependent digital supply chains brings new cyber risks
The increasing interdependence and digitization of supply chains brings increased cyber risk to all parties, but many firms perceive the risks as one-sided.
- There was a discrepancy in many organizations’ view of the cyber risk they face from supply chain partners, compared to the level of risk their organization poses to counterparties.
- 39 percent said the cyber risk posed by their supply chain partners and vendors to their organization was high or somewhat high.
- Only 16 percent said the cyber risk they themselves pose to their supply chain was high or somewhat high.
- Respondents were more likely to set a higher bar for their own organization’s cyber risk management actions than they do for their suppliers.
Appetite for government role in managing cyber risks draws mixed views
Organizations generally see government regulation and industry standards as having limited effectiveness in helping manage cyber risk—with the notable exception of nation-state attacks.
- 28 percent of businesses regard government regulations or laws as being very effective in improving cybersecurity.
- 37 percent of businesses regard soft industry standards as being very effective in improving cybersecurity.
- A key area of difference relates to cyberattacks by nation-state actors:
- 54 percent of respondents said they are highly concerned about nation-state cyberattacks.
- 55 percent said government needs to do more to protect organizations against nation-state cyberattacks.
Cyber investments focus on prevention, not resilience
Many organizations focus on technology defenses and investments to prevent cyber risk, to the neglect of assessment, risk transfer, response planning, and other risk management areas that build cyber resilience.
- 88 percent said information technology/information security (IT/InfoSec) is one of the three main owners of cyber risk management, followed by executive leadership/board (65 percent) and risk management (49 percent).
- Only 17 percent of executives say they spent more than a few days on cyber risk over the past year.
- 64 percent said a cyberattack on their organization would be the biggest driver of increased cyber risk spending.
- 30 percent of organizations reported using quantitative methods to express cyber risk exposures, up from 17 percent in 2017.
- 83 percent have strengthened computer and system security over the past two years, but less than 30 percent have conducted management training or modeled cyber loss scenarios.
Cyber insurance coverage is expanding to meet evolving threats, and attitudes toward policies are also shifting.
- 47 percent of organizations said they have cyber insurance, up from 34 percent in 2017.
- Larger firms were more likely to have cyber insurance—57 percent of those with annual revenues above $1 billion had a policy, compared to 36 percent of those with revenue under $100 million.
- Uncertainty about whether available cyber insurance could meet their firm’s needs dropped to 31 percent, down from 44 percent in 2017.
- 89 percent of those with cyber insurance were highly confident or fairly confident their policies would cover the cost of a cyber event.
At a practical level, this year’s survey points to a number of best practices that the most cyber resilient firms employ and which all firms should consider adopting:
- Create a strong organizational cybersecurity culture with clear, shared standards for governance, accountability, resources, and actions.
- Quantify cyber risk to drive better informed capital allocation decisions, enable performance measurement, and frame cyber risk in the same economic terms as other enterprise risks.
- Evaluate the cyber risk implications of a new technology as a continual and forward-looking process throughout the lifecycle of the technology.
- Manage supply chain risk as a collective issue, recognizing the need for trust and shared security standards across the entire network, including the organization’s cyber impact on its partners.
- Pursue and support public-private partnerships around critical cyber risk issues that can deliver stronger protections and baseline best practice standards for all.
Despite the decline in organizational confidence in the ability to manage cyber risk, we’re optimistic that more organizations are now clearly recognizing the critical nature of the threat and beginning to seek out and embrace best practices.
Effective cyber risk management requires a comprehensive approach employing risk assessment, measurement, mitigation, transfer, and planning, and the optimal program will depend on each company’s unique risk profile and tolerance.
Still, these recommendations address many of the common and most urgent aspects of cyber risk that organizations today are challenged with; as such, they should be viewed as signposts along the path to building true cyber resilience.
Read the full 2019 Marsh-Microsoft Global Cyber Risk Perception survey or find additional report content on Marsh’s website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.