Few companies have faith in their cyber risk management, despite the skyrocketing stakes of an attack.
Two-thirds of the 1,300 senior executives who responded to a newly released global survey by Marsh and Microsoft ranked cybersecurity among their top five risk management priorities, yet only 19% felt highly confident in their ability to prevent and respond to an attack.
Of companies with over US$1bn in revenue, nearly half predicted that a worst-case cyber event could rack up a bill of over US$50m. But only 30% have a response plan in place for such a scenario. That’s shocking news considering cyber attacks are no longer a matter of if, but when. “Cyber risk is an escalating management priority as the use of technology in business increases and the threat environment gets more complex,” said John Drzik, president, Global Risk and Digital, Marsh. “It’s time for organizations to adopt a more comprehensive approach to cyber resilience, which engages the full executive team and spans risk prevention, response, mitigation and transfer.”
Quantifying the economic risk of an attack is seen as an important part of cyber risk management, yet fewer than half of respondents said their company has estimated the potential financial impact of a cyber incident. Without quantifiable information, organisations have difficulty making risk-appropriate decisions on strategic planning and investment, particularly as they relate to purchasing insurance coverage, says the report.
Despite the enterprise-wide impact of incidents, cyber risk management remains stunted by its relegation to the IT department. As new types of attacks emerge, and major financial losses are incurred, organisations are being challenged to move cyber risk management out of the IT silo and into the realms of stakeholders across the entire enterprise. However, an overwhelming 70% of respondents still cited IT as the primary decision-maker for cyber risk within their organisation.
“While technology is the foundation of any good cybersecurity strategy, companies can benefit from investing in non-technology solutions like risk management as part of a holistic approach,” said Matt Penarczyk, vice president and deputy general counsel, Microsoft. “Through advanced technology, tools and training, for example, companies can better protect the data in their networks and be ready for the business interruptions and reputational risks associated with cyberattacks.”