alphaspirit - Fotolia

Few organisations managing cyber risk, survey shows

Cyber risk management practices are not keeping up with rising cyber security concerns among senior executives around the world, a study shows

Few organisations are highly confident in their ability to manage the risk of a cyber attack, a survey has revealed.

This is despite viewing cyber security as a top risk management priority, according to a global survey by risk management firm Marsh and Microsoft.

In the survey of more than 1,300 senior executives, two-thirds ranked cyber security among their organisations’ top five risk management priorities – approximately double the response to a similar question Marsh asked in 2016.

The survey also found three quarters of those polled identified business interruption as the cyber loss scenario with the greatest potential to impact their organisation, followed by breach of information, which was cited by 55% of respondents and has historically been the focus for organisations.

But, despite this growing awareness and rising concern, only 19% of respondents said they are highly confident in their organisation’s ability to mitigate and respond to a cyber event. Moreover, only 30% said they have developed a plan to respond to cyber attacks.

The report notes that a broad reliance on data and information extends to all companies, and, as a result, organisations of all sizes and across all industries are vulnerable to cyber attacks.

“Cyber risk is an escalating management priority as the use of technology in business increases and the threat environment gets more complex,” said John Drzik, president of global risk and digital at Marsh. “It’s time for organisations to adopt a more comprehensive approach to cyber resilience, which engages the full executive team and spans risk prevention, response, mitigation and transfer,” he said.

Read more about cyber risk

  • How and why to conduct a cyber threat and risk analysis.
  • Business needs to get real about cyber security, warn BT and KPMG.
  • Cyber risk management can add business benefit while improving security.
  • Many UK firms are failing to adequately assess their customers and trading partners for cyber risk.

An important step toward this goal is risk quantification, according to the survey report, which highlights the fact that fewer than 50% of respondents said their organisation estimates financial losses from a potential cyber event and, of those that do, only 11% make their estimates in economic terms.

This means most organisations are failing to do these calculations, which are a key step in helping boards and others develop strategic plans and investment decisions, including those related to cyber insurance purchase, the report notes.

At the same time, responsibility for cyber risk management continues to lie primarily with the IT department, with inconsistent involvement of other stakeholders across the enterprise.

According to the survey, 70% of respondents pointed to IT as a primary owner and decision-maker for cyber risk management, compared with just 37% who cited the president/CEO or the board of directors, and 32% who cited the risk management function.

“While technology is the foundation of any good cyber security strategy, companies can benefit from investing in non-technology solutions like risk management as part of a holistic approach,” said Matt Penarczyk, vice-president and deputy general counsel at Microsoft.

“Through advanced technology, tools and training, for example, companies can better protect the data in their networks and be ready for the business interruptions and reputational risks associated with cyber attacks.”

Sharing responsibility

While organisations can manage cyber risk more effectively by applying a comprehensive approach that includes proven security practices, such as updating systems regularly and other preventative measures, the report said overcoming the managerial and technological challenges this presents can be addressed more effectively when responsibility is shared among stakeholders, including corporate boards, C-suite executives, risk professionals, and technologists.

Governments also have a critical role to play as well, the report said. Given the growth of state-sponsored and organised crime-sponsored attacks, more needs to be done by all “instruments of government” to work with industry to improve cyber readiness across sectors and develop standards and best practices to improve cyber risk management.

Cyber security risk can be managed, but not eliminated, the report said. “The scale and complexity of the challenge is too great for a ‘silver bullet’ solution. Effective adaptation and coordination is required to remain resilient against this significant and dynamic threat,” it said.

Read more on Hackers and cybercrime prevention