On September 18, global insurance broker Marsh and global technology company Microsoft jointly issued the 2019 Global Cyber Risk Perception Survey (Survey). The Survey, which built on a related survey conducted in 2017, reflects responses from 1,500 business leaders, in all six inhabited regions of the world, in a variety of key functions that included risk management, information technology/information security, finance, legal/compliance, C-suite officers, and boards of directors.
The Survey’s results fall into six principal categories:
- Priority and Confidence. Over the past two years, even as cyber risk “became even more firmly entrenched as an organizational priority, . . . organizations’ confidence in their ability to manage the risk declined.” For example, 79 percent of respondents ranked cyber risk as a “top five” concern for their organizations, an increase from 62 percent in 2017. Yet firms’ confidence “declined in each of three critical areas of cyber resilience.” In particular, those who responded that they had “no confidence” increased (1) from 9 percent to 18 percent for understanding and assessing cyber risks; (2) from 12 percent to 19 percent for preventing cyber threats; and (3) from 15 percent to 22 percent for responding to and recovering from cyber events.
- New Technology. In this category, 77 percent of 2019 respondents cited at least one innovative operational technology that they have adopted or are considering. Half (50 percent) responded that cyber risk “is almost never a barrier to the adoption of new technology,” but 23 percent (including many smaller firms) responded that “for most new technologies, the risk outweighs potential business benefits.” Nearly three-fourths (74 percent) reported that they “evaluate technology risks prior to adoption,” but only 5 percent said that they “evaluate risk throughout the technology lifecycle,” and 11 percent said that they do not perform any evaluation.
- Supply Chain. Although “[t]he increasing interdependence and digitization of supply chains brings increased cyber risk to all parties,” many firms apparently “perceive the risks as one-sided.” Nearly two-fifths (39 percent) responded that the cyber risk that their supply chain partners and vendors posed to their organization was high or somewhat high, but only 16 percent responded that the cyber risk that they themselves pose to their supply chain was high or somewhat high.
- Government Role. Respondents generally credited industry standards more than government regulation for having high effectiveness in helping to manage cyber risk. Only 28 percent viewed government regulations or laws as being very effective in improving cybersecurity, while 37 percent viewed soft industry standards as being very effective in improving cybersecurity. At the same time, 54 percent responded that they “are highly concerned about nation-state cyber-attacks,” and 55 percent said that “government needs to do more to protect organizations against nation-state cyber-attacks.”
- Cybersecurity Culture and Resilience. The Survey reported that “[m]any organizations focus on technology defenses and investments to prevent cyber risk, to the neglect of assessment, risk transfer, response planning, and other risk management areas that build cyber resilience.” The vast majority of respondents (88 percent) responded that information technology/information security (IT/InfoSec) “is one of the three main owners of cyber risk management,” the other two being executive leadership/board (65 percent) and risk management (49 percent). Only 17 percent of respondents said that they “spent more than a few days on cyber risk over the past year.” Nearly two-thirds (64 percent) said that a cyber-attack on their organization “would be the biggest driver of increased cyber risk spending.” More respondents (30 percent) this year reported that their companies are using quantitative methods to express cyber risk exposures (an increase from 17 percent in 2017). The vast majority (83 percent) also reported that their firms “have strengthened computer and system security over the past two years,” but fewer than 30 percent “have conducted management training or modelled cyber loss scenarios.”
- Cyber Insurance. As cyber insurance coverage “is expanding to meet evolving threats,” companies’ attitudes toward policies are reportedly also changing. Nearly half of respondents (47 percent) replied that they have cyber insurance (an increase from 34 percent in 2017), and larger firms were more likely to have cyber insurance. More than half (57 percent) of those with annual revenues above $1 billion reportedly had a cyber insurance policy, compared to 36 percent of companies with revenue under $100 million. Respondents also indicated lessening uncertainty about whether available cyber insurance could meet their firms’ needs, as 31 percent reported such uncertainty (compared to 44 percent in 2017). Finally, 89 percent of respondents in companies with cyber insurance “were highly confident or fairly confident their policies would cover the cost of a cyber event.”
Among other takeaways from the Survey, Joram Borenstein, General Manager of Microsoft Cybersecurity Solutions Group, identified five best practices that the most cyber resilient firms employ and which all firms should consider adopting:
- Create a strong organizational cybersecurity culture with clear, shared standards for governance, accountability, resources, and actions.
- Quantify cyber risk to drive better informed capital allocation decisions, enable performance measurement, and frame cyber risk in the same economic terms as other enterprise risks.
- Evaluate the cyber risk implications of a new technology as a continual and forward-looking process throughout the lifecycle of the technology.
- Manage supply chain risk as a collective issue, recognizing the need for trust and shared security standards across the entire network, including the organization’s cyber impact on its partners.
- Pursue and support public-private partnerships around critical cyber risk issues that can deliver stronger protections and baseline best practice standards for all.
Note: Borenstein expressed optimism “that more organizations are now clearly recognizing the critical nature of the threat and beginning to seek out and embrace best practices.” Another way of looking at the Survey results is to state that many companies around the world continue to lag in demonstrating that they have the cultural, as well as the technological, capacity to meet the constantly changing array of cyber risks. Cybersecurity, legal, and compliance officers in every industry should read the Survey closely, compare the Survey results with the state of their companies’ own cybersecurity programs, and discuss with their senior leadership where their companies are doing well or poorly in contending with cyber risk.