For three years, organizations have faced endless workplace disruption, continuous digital transformation, and seemingly non-stop ransomware attacks. The result? When it comes to cyber risk, most executives today are no more confident in their ability to manage risk than they were two years ago.
This is one of the most important findings from the 2022 Marsh and Microsoft Cyber Risk Surveythe third such collaboration that our companies have entered into in the past four years.
A key to the low level of confidence in many organizations is the lack of an enterprise-wide approach to cyber risk management. Such an approach is based on broad communication that contributes to collaboration and alignment between stakeholders, especially at key decision-making moments related to cyber resilience.
Cyber risk is paramount
We found that 73% of organizations experienced a cyberattack in the past year that was dominated by ransomware and phishing/social engineering events, but also included other types of incidents.
The proliferation of ransomware contributed to a third of respondents naming ransomware the number one threat and almost three quarters placing it in the top three. We also noticed that:
- Many believe that the almost infinite number of vulnerabilities makes it almost impossible to protect against ransomware.
- Employees in risk management and insurance functions were more likely to see ransomware as a top driver for attacks, while board members and CEO-level executives were less likely to see it that way.
- More than half of North America-based companies reported that ransomware contributes to an increase in attacks.
Regardless of the type of attack an organization faces, too many organizations manage their cyber risk in silos and could benefit from an enterprise-wide approach.
Building a cyber team across the company
The level of involvement in different areas of cyber risk management appears to be a mishmash of roles and responsibilities. For example, risk management and insurance professionals are regularly part of the cyber incident management team, but most often they are absent from discussions about cybersecurity tools and services.
As such, views on cyber risk and assessments of organizational strengths and needs can vary widely across departments and risk leaders. The result can be tunnel vision, making it difficult for organizations to see the big picture in a way that allows them to identify and respond to cyber risks in a timely manner to mitigate them.
Responsibility for cyber risk management should be shared. Ideally, an organization’s risk managers, CFOs, CISOs, executives, and their teams work together to identify, quantify, and manage cyber risk.
Executives least expected increased hiring of cybersecurity talent; only 29% expect an increase in this area compared to 57% of risk managers.
We asked respondents how involved they were in three key cyber risk management activities: cyber insurance, cyber incident management, and cyber security tools and services. In particular, we wanted to see if they view their department as a decision-maker, part of a team influencing decisions, or if they are not involved at all.
About our findings:
- IT/cybersecurity professionals were most involved in all three areas – over 90% of these respondents said they were decision makers or part of the team. They were also the least likely to say they were “not involved” in a particular area and the most likely to see themselves as decision makers related to cyber incident management and cybersecurity tools and services.
- Respondents in the Board of Directors/CEO/President ranks were the most likely to say they made the final decision on cyber insurance, closely followed by risk management and finance.
- Cyber insurance was the area showing the highest level of engagement across all departments, with no clear leader.
- On the other hand, decisions about cybersecurity tools and services had the least collaboration among all professionals.
Investment in cyber risk management
Another area where the lack of focus is showing is where companies plan to make investments in cyber risk management.
We found broad agreement on the need to increase investment, but less on where to invest. A previous cyber incident was cited as the main reason for the increase in spending. Other reasons were recommendations from external consultants and the introduction of new technologies.
Most companies around the world plan to increase their investments in cybersecurity technology, incident planning, employee training, cyber insurance and cyber consulting services over the next year.
Risk management/insurance roles most frequently indicated that they will prioritize investing in cyber insurance and hiring cyber security staff. On the other hand, CEO/board level roles generally said spending on cybersecurity technology/mitigation, employee training, and cybersecurity incident planning and preparedness would increase.
Respondents indicated that one of the biggest obstacles preventing them from conducting more rigorous cyber risk assessments was a lack of appropriate staff. Executives least expected increased hiring of cybersecurity talent; only 29% expect an increase in this area, compared to 57% of risk managers and 46% of cybersecurity and IT leaders who expect it. This could well represent a misunderstanding between the various leaders. If so, this is another example where an enterprise-wide approach to cyber risk management would have significant benefit.
Role clarity and clear authority for decision-making would help organizations maximize the efficiency of their cyber risk spend.
Most organizations are looking for solutions to the cyber risks they face today, including cyber security measures, insurance, data and analytics, and incident response plans. An important element that is often missing, however, is an enterprise-wide cyber risk management alignment that encourages shared responsibility.
All stakeholders – including risk managers, finance, cybersecurity/IT, executives – gain confidence in their organization’s cybersecurity posture by being better connected to the broader enterprise.