“Most organizations now rank cybersecurity among their highest risk management priorities.” — Marsh’s “Global Cyber Risk Perception Survey”
In February 2018, Marsh and Microsoft released a new report titled “By the Numbers: Global Cyber Risk Perception Survey” based on a survey of over 1,300 risk professionals and other senior executives, including chief executive officers (CEOs), chief financial officers (CFOs), chief technology officers (CTOs), chief risk officers (CROs) and board directors, across 26 industries.
Participants came from organizations located around the globe. More than 30 percent of respondents’ organizations did business in Europe, the U.K. and/or Ireland, North America and Asia. In terms of organization size, their revenues ranged from less than $10 million (about 20 percent) to over $1 billion (over 22 percent).
Cyber Risk Emerges as a Top Priority
In January 2018, a month prior to the report’s publication, the World Economic Forum (WEF) released its “Global Risks Report 2018,” which ranked two technological threats — cyberattacks and data fraud or theft — in the top five global risks by likelihood. The risk of cyberattacks also ranked sixth by impact.
The Marsh report echoed the findings from the WEF report. When asked how much attention their organization pays to cyber risks, 56 percent of respondents said they would rank it as a top-five concern, and 6 percent cited it as a No. 1 priority. Meanwhile, organizations that have been successfully attacked are only “slightly more likely” to prioritize cyber risks than companies that had not sustained an attack.
What Are Top Executives Concerned About?
According to the survey, the financial impact of cyber incidents varied between companies of different sizes. For example, 9 percent of organizations with less than $50 million in revenue estimated a financial impact of $10 million to $100 million. That figure rose to 26 percent for organizations with $50 million to $500 million in revenue, and 33 percent for companies that reported revenues of $500 million to $1 billion. Seventy-two percent of companies that earned more than $1 billion in revenue reported at least $10 million in potential financial losses associated with cyber risk, including 28 percent of such organizations that estimated losses above $100 million.
When asked about cyber events with high levels of potential impact, respondents said they were particularly concerned about business interruption (75 percent), reputational damage (59 percent) and the integrity of customer data (55 percent). Since the survey was administered in the summer of 2017, it should come as no surprise that extortion/ransomware and disruption of operational technology figured relatively high on the list of high-impact cyber events at 41 percent and 29 percent, respectively.
Business leaders are also concerned about how a successful attack or breach can affect their partnerships and contracts. Thirty-five percent of executives cited liability to third parties resulting from a system breach as a top risk. “In an era in which increasingly sophisticated attacks are likely, how an organization responds is subject to intense public scrutiny,” the report noted.
Only 28 percent of respondents reported a high level of confidence in their organization’s ability to identify and assess threats. Even more worrisome, just 19 percent said they were confident that their company could respond to and recover from a security incident.
What Are Organizations Doing About Cyber Risks?
The report noted that “sophisticated organizations” are more likely to have adopted a holistic approach that “enlists stakeholders from across the enterprise focused on the entire life cycle — beyond only prevention — to include risk assessment, mitigation and cyber resilience.” This is reflected in the range of responses about functional areas that were reported as “primary owners and decision-makers for cyber risk management.” While IT is still listed as the primary owner for over 70 percent of respondents, more than 25 percent also pointed to the CEO or president, board of directors or a formal risk management function as primary owners of cyber risks. For organizations smaller than $10 million by revenue, the CEO or president was more likely to be listed as the primary owner of cyber risks than the IT department.
The report also shed light on the actions that organizations are taking to get their cyber risks under control. Sixty-nine percent of “highly confident” organizations said they conducted a cybersecurity assessment, and another 55 percent said they conducted penetration tests. For organizations that are only “fairly confident” in their management of cyber risks, those numbers dropped to 49 percent and 38 percent, respectively.
Concerning their actions to prevent and mitigate cyber risks, highly confident organizations implemented or improved phishing awareness (68 percent), encrypted machines (55 percent), vulnerability and patch management (52 percent), and multifactor authentication (MFA) for remote users (53 percent). Fairly confident organizations took similar actions but at a somewhat lower rate: 56 percent boosted phishing awareness, 45 percent deployed encryption, 49 percent prioritized patch management and 42 percent adopted MFA.
Finally, 53 percent of highly confident organizations said they had developed a cyber incident response plan. Meanwhile, 30 percent of fairly confident organizations and only 10 percent of organizations that self-reported as being not confident in their risk management capabilities said they had established an incident response strategy.
The Final Grade: Cyber Risk Perception Survey Reveals Room for Improvement
Even with the increased involvement of various stakeholders, Marsh’s risk perception survey pointed to ongoing disconnects between the security function and the board. While 45 percent of risk and technology executives said they report information to board directors about cybersecurity investment initiatives, only 18 percent of board directors said they receive such information.
“This information gap points to the need to develop cyber risk economic/business models that facilitate a shared dialogue, including common language among IT, the board and other corporate departments,” the report’s authors noted. The survey also highlighted how rarely cyber risks are put in business terms: Only 11 percent of respondents reported quantifying cyber risks in economic terms, such as value at risk.
Taken in its entirety, the report painted a mixed picture of the state of cyber risk communication and management. While 45 percent of organizations said they estimate the financial impact of a cyber incident, executives should improve their ability to prioritize cybersecurity investments based on their risk appetite and link those investments to business strategy and the performance of controls. They should also follow common risk governance frameworks, such as the Committee of Sponsoring Organizations (COSO) of the Treadway Commission’s enterprise risk management (ERM) framework and the International Organization for Standardization (ISO)’s updated guidelines, ISO 31000:2018.