Proper economic quantification of an organisation’s cyber exposure is essential to help board members and other decision-makers understand their cyber value at risk, determine optimal investment strategies, and achieve measurable outcomes within their cyber-risk management programmes. Those were the key recommendations from the recent Marsh-Microsoft Cyber Perception Survey, which shows that companies are now recognising the potentially massive impact of a cyber event more than ever.
Nearly two-thirds of survey respondents said that cyber risk is among their organisation’s top five risk management priorities, roughly double the number who rated cyber as such in a survey that Marsh, a global leader in insurance broking and innovative risk management solutions, conducted in 2016. This echoes the insights from the World Economic Forum’s 2018 Global Risks Report, which highlighted that cyber-related risks are two of the top five risks facing corporations – the first time ever that two tech-related risks have been in the top five.
“Businesses are struggling to adjust to the significant shift in risk that accompanies this shift in value. Technological advances bring a near-universal vulnerability to cyberattacks, where a single incident can inflict damage in the hundreds of millions of dollars,” explains Tom Reagan, cyber practice leader within Marsh’s financial and professional products (FINPRO) specialty practice.
Over the last 40 years we have seen a transformation in where value lies for most organisations, moving from a time when physical assets and infrastructure were the largest component of value to today, when market capitalisation is tied to data, intellectual property, and other technologies which fuel our information economy.
The Cyber Perception Survey highlights that despite recognising the magnitude of the risk, few companies seem to be managing how they can protect themselves. Fewer than half of survey respondents (45%) said they formally estimate the financial impact of a potential cyber event as part of risk management, and only 11% conduct economic quantification based on estimated financial losses within a timeframe, such as value-at-risk modelling.
The scale of the potential cost is clear: among those that do quantify their cyber risk, more than 40% of companies with over USD 1 billion in revenue estimate that the financial impact from an event would exceed USD 50 million.
“An organization needs to work as a team to effectively manage cyber risks. By sharing oversight responsibility among stakeholders—including corporate boards, C-suite executives, risk professionals, and technologists—the managerial and technological challenges presented can be reduced,” says Mr Reagan.
However, a majority of companies are not employing a truly collaborative governance model to manage cyber risk, according to the survey findings – almost three quarters (70%) of survey respondents point to their IT department as a primary owner and decision-maker around cyber-risk management, with smaller numbers citing the CEO, board, risk managers, and legal/compliance.
But there is evidence now that the world’s largest firms are moving in the direction of shared cyber-risk governance. The survey shows that organisations with more than USD5 billion in revenue were more likely to cite directors and risk management teams as among the primary owners and decision-makers than did smaller firms, possibly reflecting the additional resources available to larger firms.
It is evident from the survey that there is both appropriate concern about cyber risk and room for improvement in its management. Roughly 70% of respondents who identified as board members said they ranked cyber risk as a top five concern, yet only 14% reported that they were “highly confident” in their organisation’s ability to respond to a cyberattack. “We also found evidence that directors may not be receiving—or perhaps understanding—the information about cyber risk that is being sent to them,” explains Mr Reagan.
Business executives worry most about financially motivated attackers, the survey has found. Exactly three quarters of respondents cited business interruption (BI) as one of the most worrisome consequences of a cyberattack, and nearly 30% cited the potentially related disruption to their industrial systems or operational technology. While the cost of a breach of personal information can be estimated based on historical data, cyber BI costs are more difficult to project, says Marsh.
Cyber risk is now at the forefront of the corporate risk agenda, but cyber risk management strategies are not keeping pace despite an increasingly complex threat environment and escalating financial impact. Marsh argues that like other major enterprise risks that face an organisation, cyber threats should be “managed strategically, comprehensively, and quantitatively”.
LEARN MORE: view the full ‘By the Numbers: Global Cyber Risk Perception Survey’