Most executives now see cybersecurity as a major risk management priority, but relatively few have a plan in place to address it or are confident their companies can deal with the problem.
The findings are part of a new global survey by Marsh and Microsoft of more than 1,300 executives looking at cyber risk concerns and management strategies in 26 different industry sectors. Survey results underscore the challenge that carriers face in communicating to potential clients why some sort of coverage addressing cyber risks matters.
Two-thirds of survey respondents (about 56 percent) ranked cybersecurity as a top five risk management priority. At the same time, just 30 percent said they’ve developed a plan to respond to a cyber event, and a mere 19 percent said they were highly confident their company could manage and respond to a cyber event.
John Drzik, president of Global Risk and Digital for Marsh, said that executives are making management of cyber risk an increasing priority as the use of technology in daily operations increases. Because of that trend, Drzik said businesses must eliminate the disconnect between awareness of the risk and wide-ranging action.
“It’s time for organizations to adopt a more comprehensive approach to cyber resilience, which engages the full executive team and spans risk prevention, response, mitigation and transfer,” he said.
Marsh/Microsoft said that organizations planning for cyber risk should engage both top executives and their boards. Economic modeling to quantify cyber risk and a risk management plan including prevention, mitigation, transfer and response planning are also necessary things in the current environment, they said.
Business Interruption Among Biggest Corporate Cyber Fears
Other major findings from the survey:
- 70 percent of respondents said the IT department was the main driver for cyber risk management at their companies. About 37 percent said those decisions came from the C-suite, and 32 percent said their risk management departments made those decisions.
- 75 percent of respondents said business interruption due to a cyber attack could have the greatest financial impact. At the same time, less than 50 percent actually estimate financial losses from a potential attack. Of those who do, only 11 percent measured cyber risk exposure quantitatively.
- 25 percent of respondents said they don’t know their cyber insurance status. One in five organizations don’t have any cyber insurance and lack a plan to buy it.
- 64 percent of respondents said they expect their organizations to boost their investment in both cyber and risk management.
- About 37 percent of organizations with cyber insurance said they plan to maintain their current limits over the next year. Just under 30 percent said they’d broaden the number and types of risk covered, and 17 percent would actually increase coverage limits.
- Of those organizations that don’t purchase cyber insurance, 26 percent said the coverage doesn’t give sufficient protection for the cost, and 25 percent said there is no internal agreement that coverage is needed in the first place. About 22 percent said that their cybersecurity framework is strong enough to not need insurance, and 18 percent said they lacked the money to buy it.
Companies Don’t All See Need for Cyber Attack Response Plan
Of organizations with high confidence in their cyber risk management strategy:
- Nearly 70 percent of organizations conducted a cybersecurity assessment.
- About 38 percent said they model potential cyber loss scenarios.
- 68 percent started enhanced phishing awareness training for their employees.
- 53 percent developed a cyber incident response plan.
The full Marsh/Microsoft report is called “By the Numbers: Global Cyber Risk Perception Survey.” Participating companies included small and medium-sized businesses, startups and large companies. Executives who responded included CEOs, CFOs, chief technology officers, chief risk officers, corporate directors and others.