As Cyber-Risk Awareness Grows, Some Areas of Cyber-Risk Management Lag

Business leaders have no more confidence in their organizations's core cyber-risk management competencies today than they had before the COVID-19 pandemic, according to a recent report.

The report, titled The State of Cyber Resilience, published May 26, 2022, by Marsh and Microsoft Corp., found that that level of confidence has actually decreased slightly, with 19.7 percent of survey respondents saying they were highly confident in their organizations' cyber-risk management in 2019 versus 19.0 percent today.

Marsh indicated that those core cyber-risk management capabilities include the ability to understand and assess cyber threats, mitigate and prevent cyber attacks, and manage and respond to those attacks.

The report is based on the opinions of 660 cyber-risk decision-makers around the world. It analyzes how cyber risk is viewed by various functions and executives in leading organizations, including cyber security and information technology, risk management, and insurance, finance, and executive leadership.

"Given the continued rise of ransomware and the current tumultuous threat landscape, it is not surprising that many organizations do not feel any more confident in their ability to respond to cyber risks now than they were in 2019," Sarah Stephens, head of Cyber, International at Marsh, said in a statement.

The 2022 Marsh and Microsoft Cyber-Risk Survey also found that many organizations continue to struggle to understand cyber risks posed by vendors and digital supply chains. Only 43 percent of survey respondents said they have conducted risk assessments of their vendors or supply chains.

As they make cyber-risk plans, only 41 percent of organizations look beyond cyber security and insurance and engage legal, corporate planning, finance, operations, or supply chain management functions, Marsh and Microsoft found.

The survey showed improvement in organizations using quantitative methods to measure cyber-risk exposures. Some 38 percent reported doing so in this year's survey, up from 30 percent in 2019. Such quantitative methods are critical to understanding how cyber attacks and other events can create volatility, Marsh said.

The survey found that 78 percent of companies said they had experienced a cyber attack, and the report noted that cyber-specific enterprise-wide goals should be aligned to build cyber resilience as every organization can expect an attack.

The largest companies by revenue faced more attacks in both number and variety, according to the survey, with 85 percent reporting that they had experienced at least one attack, compared to 68 percent of smaller businesses.

Ransomware attacks topped the list of perceived cyber threats to organizations at 71 percent, the survey found, followed by privacy breach, 50 percent; business interruption due to a disruption at an external supplier or partner, 41 percent; and employees working from home and the increased exposure to social engineering or phishing attacks, 40 percent.

Other perceived threats included loss of non-personal private or proprietary information, 34 percent; denial of service attacks, 31 percent; supply chain compromises, 17 percent; physical damage caused by cyber attacks, 9 percent; and nation-state attacks, 5 percent.

Insurance is an important part of cyber-risk management strategies, the survey found, with 61 percent of respondents indicating their organization purchases some type of cyber insurance. Insurers' cyber-insurance underwriting requirements are having an impact on many organizations' cyber-security efforts, with 41 percent of respondents indicating that their insurers prompted them to adopt new or additional cyber-security controls.

The adoption of more cyber-security controls leads to higher cyber-hygiene ratings for organizations, the report said. The report listed 12 cyber-security controls it said organizations should consider adopting to help prevent, respond to, minimize, and recover from cyber attacks.

• Email filtering and web security
• Logging and monitoring/network protections
• Secured, encrypted, and tested backups
• Patch management/vulnerability management
• Cyber-security awareness training/phishing testing
• Multifactor authentication for remote access and administrator privileged access
• Endpoint detection and response
• Replacing or protecting end-of-life systems
• Hardening techniques including remote desktop protocol mitigation
• Cyber-incident response planning and testing
• Privileged access management
• Vendor/digital supply chain risk management

"Organizations using all or most of the 12 cyber-security controls were nearly two times more likely to rate their cyber hygiene as 'very good' or 'excellent,'" the report said.

Marsh and Microsoft found that many organizations are deficient in measuring cyber risks in financial terms, which increases the difficulty of communicating cyber threats across the organization. Of the 26 percent of survey respondents that use value-at-risk calculations in assessing cyber risks, 90 percent use business interruption in their calculations, the report said, while more than half use the theft of personal data and privacy breaches, potential ransomware demands, and the costs of helping customers following an attack.

Investment in cyber-risk mitigation efforts continues to increase, the report said. Most organizations expect to increase spending on cyber-security technology, incident planning, staff training, cyber insurance, and cyber-advisory services over the next year, the survey found. While cyber-risk leaders overall recognize the need to invest in both internal and external resources to increase cyber resilience, thoughts on where those investments should be made often varies within organizations by department or cyber-risk leader, Marsh and Microsoft found.

The survey found that while 69 percent of those surveyed feel it's important to assess risks associated with new technologies while they are in the exploration and testing stage of development, 54 percent said they do not extend such risk assessments of new technologies after implementation. "Continuous assessment and monitoring of a new technology past the implementation phase is necessary given the fact that digitalization and technological advancements increase exposure to new and more intense cyber vulnerabilities," the report cautioned.

The survey also found that while organizations are often undertaking numerous actions to improve their cyber security and cyber resilience, they often overlook risks posed by their vendors and digital supply chains. Only 43 percent of those surveyed indicated they'd conducted a risk assessment of vendors and supply chain partners over the past 12 months.

"Auditing and verifying vendors and supply chains is the area that larger organizations are least likely to have addressed, although they have been fairly aggressive overall in taking cyber-security actions," the report said.

Ultimately, a best practices approach to cyber-risk management is based on an enterprise-wide commitment to sharing the responsibility for creating cyber resilience, the report said. Cyber risk management should be a shared responsibility, according to Marsh and Microsoft, with leaders from across various functions in the organizations acting together to identify, quantify, and manage cyber risks.