Cyber risk management failing to keep up with changing threat landscape
- Published: Tuesday, 20 February 2018 08:38
Few organizations are highly confident in their ability to manage the risk of a cyber attack, despite viewing cyber security as a top risk management priority, according to a new global survey conducted by Marsh and Microsoft.
In the survey of more than 1,300 senior executives, two-thirds ranked cyber security among their organizations’ top five risk management priorities – approximately double the response to a similar question Marsh asked in 2016. The survey also found that a vast majority – 75 percent – identified business interruption as the cyber loss scenario with the greatest potential to impact their organization. This compares to 55 percent who cited breach of customer information, which has historically been the focus for organizations.
Despite this growing awareness and rising concern, only 19 percent of respondents said they are highly confident in their organization’s ability to mitigate and respond to a cyber event. Moreover, only 30 percent said they have developed a plan to respond to cyber attacks.
“Cyber risk is an escalating management priority as the use of technology in business increases and the threat environment gets more complex,” said John Drzik, president Global Risk and Digital, Marsh. “It’s time for organizations to adopt a more comprehensive approach to cyber resilience, which engages the full executive team and spans risk prevention, response, mitigation and transfer.”
An important step toward this goal is risk quantification. According to the survey, fewer than 50 percent of respondents said their organization estimates financial losses from a potential cyber event and, of those that do, only 11 percent make their estimates in economic terms. Such calculations are a key step in helping boards and others develop strategic plans and investment decisions, including those related to cyber insurance purchase, the report notes.
At the same time, responsibility for cyber risk management continues to lie primarily with the information technology department, with inconsistent involvement of other stakeholders across the enterprise. According to the survey, 70 percent of respondents pointed to IT as a primary owner and decision-maker for cyber risk management, compared to just 37 percent who cited the president/CEO or the board of directors, and 32 percent who cited the risk management function.