Despite all the attention that cyber threats and cyber attacks get in the mainstream media, top business leaders and executives are still not paying enough attention to cyber risk. That’s the big takeaway from a new report from Marsh and Microsoft (“2019 Global Cyber Risk Perception Survey”) that surveyed more than 1,500 global organizations about cyber risk management practices. In fact, only 17% of C-suite or board members who are responsible for cyber risk management spend more than a few days per year focusing on cyber risk. And more than half (51%) of those responsible for cyber risk management spend less than a day per year focusing on cyber risk issues.
Gap between awareness and action for cyber risk
Perhaps the primary finding that stands out in this 2019 Marsh-Microsoft cyber risk survey, which follows up on a similar study conducted in 2017, is just how big the gap remains between theory and practice. In other words, survey respondents almost unanimously agreed that cyber risk was an important concern, and that their organizations should be doing more to prevent, mitigate and respond to cyber threats. Yet, at the same time, more than half of respondents said they were spending less than a day per year on cyber risk.
According to the global survey, 79% of respondents ranked “cyber risk” as a top risk management concern, up from 62% in 2017. And, in nearly two-thirds (65%) of organizations, there is a top senior executive or board member who is the primary owner of cyber risk management. This would seem to suggest that the message is finally getting through to organizations around the world that they need to elevate cyber risk to a C-suite (e.g. CEO, CIO, CTO) concern and engage their board members as part of their overall cyber risk management approach.
On the other hand, global organizations appear to be woefully unprepared for the current cyber risk environment. For example, only 11% of respondents said they had a high degree of confidence in their organization’s ability to assess, prevent, or respond to cyber threats. This is down from 19% two years earlier, suggesting that the emergence of new cyber threats is happening much more quickly than organizations can keep up with.
In fact, when it comes to building cyber resilience, 18% of organizations said they had “no confidence” in understanding the full scope of cyber threats facing their organization, up from 9% in 2017. Moreover, 19% of respondents said they had “no confidence” in being able to prevent cyber threats, and 22% of respondents said they had “no confidence” in being able to respond to cyber threats appropriately. Thus, while organizations might be sinking more money annually into cyber security issues, they are less prepared than ever before for the current risk environment.
The link between rapid technological change and cyber risk
One key factor here, suggests the Marsh-Microsoft report, might be the rapid pace of technological change. We live in an era of “transformational change,” and every new technological innovation – from artificial intelligence (AI) to blockchain to the Internet of Things – promises to transform organizations. Thus, at the same time that a corporate IT department might be scrambling frantically to deploy a new Internet of Things solution, it is also finding out that the so-called “attack surface” of the organization is expanding exponentially. No wonder only 11% of respondents said they had a high degree of confidence in their organization’s ability to deal with new cyber threats.
According to the Marsh-Microsoft survey, organizations must also deal with increasingly interdependent digital supply chains, which introduce a whole new set of cyber risks into the equation. For example, your organization might have an ironclad, highly tested cyber defense system in place – but do all of your customers, vendors and supply chain partners have similar cyber defenses in place? As the old saying goes, a chain is only as strong as its weakest link – so a cyber weakness at any point along your digital supply chain can affect your organization. As the report points out, only 39% of organizations are highly or somewhat confident that they can deal with the cyber risks posed by their supply chain partners.
Possible options and responses to cyber threats
So what can the modern, global organization do to cope with the new cyber threat environment? First and most importantly, it needs to integrate cyber risk management into its overall enterprise risk management framework. This includes broad stakeholder engagement across the organization and the elevation of cyber risk to a board-level issue.
Secondly, organizations need to do some economic modeling that quantifies the financial exposure their cyber risk represents. In other words, what is the total economic cost to an organization if an attacker holds its systems to ransom or steals its valuable data in order to sell it on the Dark Web?
And, finally, organizations need to take a more holistic approach to cyber risk management that takes into account three key factors: prevention, mitigation, and incident response. At the very least, the primary owner of cyber risk within an organization needs to have a “playbook” for what to do in the event of a cyber attack or data breach. And cyber risk awareness should become part of the overall culture of the organization, rather than something that happens only after a major cyber event.
The role of cyber insurance in mitigating cyber risk
Given insurance company Marsh’s role in putting together this report on cyber risk, it’s perhaps understandable that the report carries some significant implications for the role of cyber insurance in the corporate sector. If companies are feeling overwhelmed by cyber risk and are terrified by the prospect of a huge data breach making national headlines, then cyber insurance is a potential option. The numbers from the report support this notion: in 2017, only 34% of respondents had cyber insurance, but by 2019, 47% of respondents had cyber insurance.
However, keep in mind that cyber insurance might not be the panacea that some organizations hope it will be. Simply having a cyber insurance policy in place should not be an excuse for having sloppy cyber security practices, or for failing to embed cyber risk management within the broader framework of enterprise risk management.