Jeffrey Alpaugh is the US and Canada Growth and Industry Leader, Marsh and the US Country Corporate Officer, Marsh McLennan.
It’s important for leaders throughout an organization to understand cyber risk—its trends, its costs and the best strategies to mitigate it. Marsh and Microsoft recently collaborated on a global cyber risk survey, the results of which back up a key tenet of our cyber risk management approach: Managing cyber risk should be a shared responsibility across your enterprise.
What does such an approach entail? At its core, it’s about broad-based communication.
In a firm that takes an enterprise-wide approach, a risk manager considering cyber insurance options does so with knowledge gained from the finance team, which can help optimize the investment. In turn, the risk management function shares insights from insurers with the organization’s cybersecurity and IT professionals to identify and address organizational weak spots. At another level, the board and CEO hear from these various stakeholders and synthesize their input to guide the overall strategy.
Such connections have the potential to boost cyber risk resilience while also increasing confidence in the company’s approach. Unfortunately, that is not always the reality.
Consider that 63% of risk management and insurance professionals in our survey said they are not involved in decisions regarding cybersecurity tools and services, despite how important insurance is to an effective cyber risk management strategy. Regular communication about cybersecurity concerns can arm risk management teams with the information they need to secure more effective coverage, and it links the rest of the enterprise to insurer and broker insights.
Here are eight trends that should be considered when developing a shared view of cyber risk management across an enterprise.
1. As every organization can expect a cyberattack, cyber-specific goals must be aligned across the enterprise.
Nearly 75% of the organizations in our survey said they had experienced one or more cyberattacks in the past year, with phishing, social engineering and ransomware being most common. Larger companies experienced more attacks in both number and variety, with 85% subject to at least one attack, compared to 68% of smaller organizations.
2. Ransomware is considered the top cyber threat, but it isn’t the only one.
Our respondents cited ransomware as the top cyber risk facing their organizations. But it isn’t the only threat: privacy breaches, supplier disruptions, phishing and other social engineering also ranked high.
3. Insurance is an important part of cyber risk management strategy, with significant influence over the adoption of best practices and controls.
Since the late 1990s, cyber insurance has developed into a product that addresses an array of digitally derived risks. This helps companies manage risks more responsibly and holistically as they innovate and digitalize their businesses. It also creates a valuable feedback loop as insurers learn from claims and are able to shift the focus of their underwriting requirements to those controls that could have mitigated them. Among our survey respondents, 61% said they purchase some type of cyber coverage. In addition, 41% said that insurers’ requirements played a part in developing their cybersecurity controls.
4. Adoption of more cybersecurity controls leads to higher cyber hygiene ratings.
Organizations looking to strategically address cyber risk and improve cyber hygiene should consider adopting the 12 cybersecurity controls recognized by cybersecurity experts as helping to prevent, respond to, minimize the impact of and recover from a cyberattack. Survey respondents whose organizations use all or most of these controls were almost twice as likely to rate their cyber hygiene as “very good” or “excellent.”
5. Organizations lag in measuring cyber risk in financial terms, which hurts their ability to effectively communicate cyber threats across the enterprise.
Only 26% of our respondents said their organization uses a financial measure when evaluating cyber risk. This is alarming, given the potential financial consequences of cyberattacks. Understanding the ways in which cyberattacks can create financial volatility should be an essential part of cyber risk resilience.
6. Cyber risk mitigation investments are increasing, but spending priorities vary across the enterprise.
Most organizations surveyed said they plan to increase investments in cybersecurity technology, incident planning, staff training, insurance and cyber advisory services over the next year. But within the company, different players thought investments should be made differently. Risk managers, for example, were more likely to prioritize investments in cyber insurance and hiring cybersecurity personnel, while the C-suite looked to cybersecurity technology, mitigation efforts, staff training and incident planning.
7. New technologies should be assessed and monitored on a continuous basis, not just during exploration and testing prior to adoption.
Most organizations (69%) said they assess the risks of new technologies during the exploration and testing stage, but only 46% said they continue to evaluate them beyond that point. As digitalization and technological advancements open new avenues for cyber vulnerabilities, continuous assessment and monitoring of a new technology past the implementation phase is crucial.
8. Firms take many cybersecurity actions, but widely overlook their vendors and digital supply chains.
A common blind spot for many organizations involves the relationship between cyber risk and third-party suppliers and vendors. And yet, monitoring these risks is more important than ever, as many cyber insurers want more information about the vendor ecosystem.
We must build an enterprise-wide approach to cyber risk.
Executive leaders expressed the lowest confidence level across the four areas we asked about—assessing, measuring, mitigating and responding to cyber threats—and were less likely than departmental leaders to say they were highly confident. When it came to their organization’s ability to manage and respond to cyberattacks, just 9% of executive leaders indicated they were highly confident, and nearly a third said they had no confidence.
More effective cross-enterprise communication may hold the potential to bridge such gaps. As information is shared across functions, companies can better align their teams and identify where investments are most needed.
Cybersecurity measures, cyber insurance, data and analytics and cyber incident response plans all play a role. But the key to developing effective cyber resilience is to implement an enterprise-wide alignment around cyber risk management. All stakeholders have a role to play when cybersecurity is considered across the enterprise.