Cyber risk is now at the forefront of the corporate risk agenda, but cyber risk management strategies are not keeping pace despite an increasingly complex threat environment and escalating financial impact.
A new global survey of more than 1,300 executives, undertaken by Marsh in partnership with Microsoft, examines cyber risk concerns and management strategies by organizations of all sizes in a range of industries worldwide.
Two-thirds of survey respondents ranked cybersecurity as a top five risk management priority, but only 19% expressed high confidence in their organization’s ability to manage and respond to a cyber event, and only 30% have developed a plan to do so.
Other key findings point to a misalignment between cyber risk awareness and approach:
70% of respondents named the IT department as a primary owner and decision-maker for cyber risk management, compared to 37% who cited the C-suite and 32% Risk Management.
75% identified business interruption as the cyber loss scenario with the greatest potential financial impact, but fewer than 50% actually estimate financial losses – and of those, only 11% measure cyber risk exposure quantitatively.
One in five organizations does not currently have or plan to purchase cyber insurance, and 25% don’t know their cyber insurance status, said the report.
A successful cyber incident has the potential to disrupt supply chains, shut down core operations, and cause other losses.
The financial impact can be severe. Among respondents to the Marsh-Microsoft Cyber Perception Survey, nearly one-third of those who said their organization estimates the potential financial costs of a cyber event projected that losses from a worst-case incident could reach into the tens of millions of dollars.
Among companies with over US$1 billion in revenue, more than 40% of respondents estimated their worst-case financial impact would exceed US$50 million.
Among the key takeaways for business leaders are the need for broad stakeholder engagement, including the C-suite and board; economic modeling that quantifies cyber risk; and a holistic approach that spans prevention, mitigation, transfer, and response planning.
According to the report, in the last four decades, the world has experienced an enormous shift in where value lies. Consider that in 1975, just 17 per cent of the market value of S&P 500 companies was tied to intangible assets, including data, intellectual property, and other technologies.
The bulk of their value was in physical assets. Today, the numbers have reversed: Just 16% of value is in physical assets; the rest comes from intangibles. That shift has been facilitated by, among other things, advances in computer processing, cloud computing, sensors, software, and ever-smarter devices.