Technology is dramatically transforming the global business environment, with continual advances in areas ranging from artificial intelligence to the Internet of Things (IoT), to data availability and blockchain. The speed at which digital technologies evolve and disrupt traditional business models keeps increasing. At the same time, cyber risks seem to evolve even faster.
The Marsh Microsoft 2019 Global Cyber Risk Perception Survey looks at how organizations are managing the escalating threat of cyber risk, particularly within a highly dynamic business environment that is being transformed by technological innovation and interdependence.
Key survey findings show that, while there is improvement since 2017 in several areas around organizations' awareness and tactics to address cyber risk, there is a striking dissonance between the high concern about cyber risk and the overall approach to managing it.
Priority and Confidence
Cyber risk became even more firmly entrenched as an organizational priority in the past two years. Yet at the same time, organizations' confidence in their ability to manage the risk declined.
- 79% of respondents ranked cyber risk as a top five concern for their organization, up from 62% in 2017.
- Firms' confidence declined in each of three critical areas of cyber resilience. Those saying they had "no confidence" increased:
- From 9% to 18% for understanding and assessing cyber risks.
- From 12% to 19% for preventing cyber threats.
- From 15% to 22% for responding to and recovering from cyber events.
Technology innovation is vital to most businesses these days, but often adds to the complexity of an organization's technology footprint, including its cyber risk.
- 77% of 2019 respondents cited at least one innovative operational technology that they have adopted or are considering.
- 50% said cyber risk is almost never a barrier to the adoption of new technology, but 23% – including many smaller firms – said that for most new technologies, the risk outweighs potential business benefits.
- 74% evaluate technology risks prior to adoption, but just 5% said they evaluate risk throughout the technology lifecycle – and 11% do not perform any evaluation.
The increasing interdependence and digitization of supply chains brings increased cyber risk to all parties, but many firms perceive the risks as one-sided.
- There was a discrepancy in many organizations' view of the cyber risk they face from supply chain partners, compared to the level of risk their organization poses to counterparties.
- 39% said the cyber risk posed by their supply chain partners and vendors to their organization was high or somewhat high.
- But only 16% said the cyber risk they themselves pose to their supply chain was high or somewhat high.
- Respondents were more likely to set a higher bar for their own organization's cyber risk management actions than they do for their suppliers.
Organizations generally see government regulation and industry standards as having limited effectiveness in helping manage cyber risk – with the notable exception of nation-state attacks.
- 28% of businesses regard government regulations or laws as being very effective in improving cybersecurity.
- 37% of businesses regard soft industry standards as being very effective in improving cybersecurity.
- A key area of difference relates to cyber-attacks by nation-state actors:
- 54% of respondents said they are highly concerned about nation-state cyber-attacks.
- 55% said government needs to do more to protect organizations against nation-state cyber-attacks.
Cybersecurity Culture and Resilience
Many organizations focus on technology defenses and investments to prevent cyber risk, to the neglect of assessment, risk transfer, response planning, and other risk management areas that build cyber resilience.
- 88% said Information technology/information security (IT/InfoSec) is one of the three main owners of cyber risk management, followed by executive leadership/ board (65%) and risk management (49%).
- Only 17% of executives say they spent more than a few days on cyber risk over the past year.
- 64% said a cyber-attack on their organization would be the biggest driver of increased cyber risk spending.
- 30% of organizations reported using quantitative methods to express cyber risk exposures, up from 17% in 2017.
- 83% have strengthened computer and system security over the past two years, but less than 30% have conducted management training or modelled cyber loss scenarios.
Cyber insurance coverage is expanding to meet evolving threats, and attitudes toward policies are also shifting.
- 47% of organizations said they have cyber insurance, up from 34% in 2017.
- Larger firms were more likely to have cyber insurance: 57% of those with annual revenues above $1 billion had a policy compared to 36% of those with revenue under $100 million.
- Uncertainty about whether available cyber insurance could meet their firm's needs dropped to 31%, down from 44% in 2017.
- 89% of those with cyber insurance were highly confident or fairly confident their policies would cover the cost of a cyber event.