After three years of unrelenting workplace disruption, digital transformation, and ransomware attacks, business leaders are no more confident in their ability to manage cyber risk than they were two years ago, according to a study by global insurance broker Marsh and tech giant Microsoft.
With global organizations expecting to face more cyberattacks in 2022, the study by Marsh and Microsoft, called “2022 Marsh and Microsoft Cyber Risk Survey,” aims to help leaders from all departments align and prioritize their cyber strategies for 2022 and beyond.
The study found that 41% of organizations engage legal, corporate planning, finance, operations, or supply chain management in making cyber risk plans. After analyzing the survey respondents' answers, Marsh and Microsoft identified eight key cyber risk trends:
- Cyber-specific enterprise-wide goals – including cybersecurity measures, insurance, data and analytics, and incident response plans – must be aligned with building cyber resilience rather than simply preventing incidents, since every organization expects a cyberattack.
- Ransomware is considered the top cyber threat faced by companies, but not the only one. Other prevalent threats include phishing or social engineering, privacy breaches, and business interruption due to an external supplier being attacked. This aligns with the results of a 2022 survey from WTW and Clyde & Co, which found that directors and officers see cyber-related issues as the top risks facing leaders in 2022.
- Insurance is an important part of cyber risk management strategy and influences the adoption of best practices and controls. Specifically, 61% of the respondents said their company buys cyber insurance coverage.
- Adoption of more cybersecurity controls leads to higher cyber hygiene ratings. However, only 3% of the respondents rated their company's cyber hygiene as excellent.
- Organizations lag in measuring cyber risk in financial terms, impacting their ability to effectively communicate cyber threats across the enterprise, with 26% of the respondents claiming their organization uses financial measures for cyber risk.
- Increased investment in cyber risk mitigation continues, although spending priorities vary across the enterprise, with 64% saying the spur to increasing cyber risk investments was having experienced an attack.
- New technologies need to be assessed and monitored continuously, not only during exploration and testing before adoption, with 54% of companies saying they do not extend risk assessments of new technologies beyond implementation.
- Firms take cybersecurity actions, but widely overlook their vendors or digital supply chains, with only 43% saying they had conducted a risk assessment of their vendor or supply chain.
Marsh and Microsoft emphasized the significance of understanding how professionals across an organization view their role concerning cyber insurance, cyber incident management, and cybersecurity tools and services, among others. They also claimed that a best practice approach to cyber risk management spans organizational roles, including investing and engaging in a broad, balanced, and continuously updated array of resources and activities to mitigate cyber risks and reinforce cyber resilience.