Although the majority of senior executives view cyber as a top risk management priority, few organisations are confident in their ability to manage the risk of a cyber-attack, according to a survey by Marsh and Microsoft that highlighted ways in which risk management is falling behind in cyber risk mitigation efforts.
John Drzik, President, Global Risk and Digital, Marsh, said; “Cyber risk is an escalating management priority as the use of technology in business increases and the threat environment gets more complex.
“It’s time for organisations to adopt a more comprehensive approach to cyber resilience, which engages the full executive team and spans risk prevention, response, mitigation and transfer.”
The study surveyed over 1,300 senior executives and found that two-thirds ranked cybersecurity among their organisations’ top five risk management priorities, a figure that’s doubled since a previous Marsh survey in 2016.
Business interruption resulting from cyber loss was cited by executives as the threat with the greatest potential impact to their organisation.
55% cited breach of customer information, which has historically been the focus for organisations.
Matt Penarczyk, Vice President and Deputy General Counsel, Microsoft, commented that although technology is the foundation of any good cybersecurity strategy, “companies can benefit from investing in non-technology solutions like risk management as part of a holistic approach.
“Through advanced technology, tools and training, for example, companies can better protect the data in their networks and be ready for the business interruptions and reputational risks associated with cyberattacks.”
Responsibility for cyber risk management continues to lie primarily with the information technology (IT) department, with inconsistent involvement of other stakeholders across the enterprise.
In addition, risk quantification is an important step towards understanding and preventing a potential cyber event and an area highlighted by the survey as being neglected with less than half of respondents saying their organisation estimates financial losses from a potential cyber event and, of those that do, only 11% make their estimates in economic terms.
Few firms have taken sufficient measures to improve cyber security; only 30% have developed a plan to respond to cyber-attacks and even less are highly confident in their organisation’s ability to mitigate and respond to a cyber incident; despite the growing awareness surrounding the cyber threat, businesses are still largely lagging behind in appropriate response measures to the risk.
