“Most organizations now rank cybersecurity among their highest risk management priorities.” — Marsh’s “Global Cyber Risk Perception Survey”

In February 2018, Marsh and Microsoft released a new report titled “By the Numbers: Global Cyber Risk Perception Survey” based on a survey of over 1,300 risk professionals and other senior executives, including chief executive officers (CEOs), chief financial officers (CFOs), chief technology officers (CTOs), chief risk officers (CROs) and board directors, across 26 industries.

Participants came from organizations located around the globe: more than 30 percent of respondents' organizations did business in Europe, the U.K. and/or Ireland, North America and Asia. In terms of organization size, annual revenues ranged from less than $10 million (about 20 percent of respondents) to over $1 billion (over 22 percent).

Cyber Risk Emerges as a Top Priority

In January 2018, a month prior to the report’s publication, the World Economic Forum (WEF) released its “Global Risks Report 2018,” which ranked two technological threats — cyberattacks and data fraud or theft — in the top five global risks by likelihood. The risk of cyberattacks also ranked sixth by impact.

The Marsh report echoed the findings from the WEF report. When asked how much attention their organization pays to cyber risks, 56 percent of respondents said they would rank it as a top-five concern, and 6 percent cited it as a No. 1 priority. Meanwhile, organizations that have been successfully attacked are only “slightly more likely” to prioritize cyber risks than companies that had not sustained an attack.

What Are Top Executives Concerned About?

According to the survey, the financial impact of cyber incidents varied between companies of different sizes. For example, 9 percent of organizations with less than $50 million in revenue estimated a financial impact of $10 million to $100 million. That figure rose to 26 percent for organizations with $50 million to $500 million in revenue, and 33 percent for companies that reported revenues of $500 million to $1 billion. Seventy-two percent of companies that earned more than $1 billion in revenue reported at least $10 million in potential financial losses associated with cyber risk, including 28 percent of such organizations that estimated losses above $100 million.

When asked about cyber events with high levels of potential impact, respondents said they were particularly concerned about business interruption (75 percent), reputational damage (59 percent) and the integrity of customer data (55 percent). Since the survey was administered in the summer of 2017, in the immediate aftermath of the WannaCry and NotPetya outbreaks, it should come as no surprise that extortion/ransomware and disruption of operational technology also figured relatively high on the list of high-impact cyber events, at 41 percent and 29 percent, respectively.

Business leaders are also concerned about how a successful attack or breach can affect their partnerships and contracts. Thirty-five percent of executives cited liability to third parties resulting from a system breach as a top risk. “In an era in which increasingly sophisticated attacks are likely, how an organization responds is subject to intense public scrutiny,” the report noted.

Only 28 percent of respondents reported a high level of confidence in their organization’s ability to identify and assess threats. Even more worrisome, just 19 percent said they were confident that their company could respond to and recover from a security incident.

What Are Organizations Doing About Cyber Risks?

The report noted that “sophisticated organizations” are more likely to have adopted a holistic approach that “enlists stakeholders from across the enterprise focused on the entire life cycle — beyond only prevention — to include risk assessment, mitigation and cyber resilience.” This is reflected in the range of responses about functional areas that were reported as “primary owners and decision-makers for cyber risk management.” While IT is still listed as the primary owner for over 70 percent of respondents, more than 25 percent also pointed to the CEO or president, board of directors or a formal risk management function as primary owners of cyber risks. For organizations smaller than $10 million by revenue, the CEO or president was more likely to be listed as the primary owner of cyber risks than the IT department.

The report also shed light on the actions that organizations are taking to get their cyber risks under control. Sixty-nine percent of "highly confident" organizations said they had conducted a cybersecurity assessment, and 55 percent said they had conducted penetration tests. For organizations that were only "fairly confident" in their management of cyber risks, those numbers dropped to 49 percent and 38 percent, respectively.

Concerning their actions to prevent and mitigate cyber risks, highly confident organizations implemented or improved phishing awareness training (68 percent), device encryption (55 percent), multifactor authentication (MFA) for remote users (53 percent) and vulnerability and patch management (52 percent). Fairly confident organizations took similar actions but at a somewhat lower rate: 56 percent boosted phishing awareness, 49 percent prioritized patch management, 45 percent deployed encryption and 42 percent adopted MFA.

Finally, 53 percent of highly confident organizations said they had developed a cyber incident response plan. Meanwhile, 30 percent of fairly confident organizations and only 10 percent of organizations that self-reported as being not confident in their risk management capabilities said they had established an incident response strategy.

The Final Grade: Cyber Risk Perception Survey Reveals Room for Improvement

Even with the increased involvement of various stakeholders, Marsh’s risk perception survey pointed to ongoing disconnects between the security function and the board. While 45 percent of risk and technology executives said they report information to board directors about cybersecurity investment initiatives, only 18 percent of board directors said they receive such information.

“This information gap points to the need to develop cyber risk economic/business models that facilitate a shared dialogue, including common language among IT, the board and other corporate departments,” the report’s authors noted. The survey also highlighted how rarely cyber risks are put in business terms: Only 11 percent of respondents reported quantifying cyber risks in economic terms, such as value at risk.

Taken in its entirety, the report painted a mixed picture of the state of cyber risk communication and management. Fewer than half of organizations (45 percent) said they estimate the financial impact of a cyber incident at all. Executives should improve their ability to prioritize cybersecurity investments based on their risk appetite and link those investments to business strategy and the performance of controls. They should also follow common risk governance frameworks, such as the Committee of Sponsoring Organizations of the Treadway Commission (COSO) enterprise risk management (ERM) framework and the International Organization for Standardization (ISO)'s updated risk management guidelines, ISO 31000:2018.
