Our 2019 Global Cyber Risk Perception Survey, conducted in partnership with Microsoft investigates the state of cyber risk perceptions and risk management at organizations worldwide, especially in the context of a rapidly evolving business environment.
Technology is dramatically transforming the global business environment, with continual advances in areas ranging from artificial intelligence and the Internet of Things (IoT) to data availability and blockchain.
The speed at which digital technologies evolve and disrupt traditional business models keeps increasing. At the same time, cyber risks seem to evolve even faster.
Cyber risk has moved beyond data breaches and privacy concerns to sophisticated schemes that can disrupt entire businesses, industries, supply chains, and nations, costing the economy billions of dollars and affecting companies in every sector.
The 2019 Global Cyber Risk Perception Survey reveals many encouraging signs of improvement in the way that organizations view and manage cyber risk.
Cyber risk is now clearly and firmly at the top of corporate risk agendas, and we see a positive shift towards the adoption of more rigorous, comprehensive cyber risk management in many areas.
Below we summarize the key highlights from the report:
While Companies See Cyber as Top Priority, Confidence in Cyber Resilience Is Declining
Cyber risk became even more firmly entrenched as an organizational priority in the past two years. Yet at the same time, organizations’ confidence in their ability to manage the risk declined.
- 79% of respondents ranked cyber risk as a top five concern for their organization, up from 62% in 2017.
- Firms’ confidence declined in each of three critical areas of cyber resilience. Those saying they had “no confidence” increased:
- From 9% to 18% for understanding and assessing cyber risks.
- From 12% to 19% for preventing cyber threats.
- From 15% to 22 for responding to and recovering from cyber events.
New Technology Brings Increased Cyber Exposure
Technology innovation is vital to most businesses, but often adds to the complexity of an organization’s technology footprint, including its cyber risk.
- 77% of 2019 respondents cited at least one innovative operational technology that they have adopted or are considering.
- 50% said cyber risk is almost never a barrier to the adoption of new technology, but 23% — including many smaller firms — said that for most new technologies, the risk outweighs potential business benefits.
- 74% evaluate technology risks prior to adoption, but just 5% said they evaluate risk throughout the technology lifecycle — and 11% do not perform any evaluation.
Increasing Interdependent Digital Supply Chains Brings New Cyber Risks
The increasing interdependence and digitization of supply chains brings increased cyber risk to all parties, but many firms perceive the risks as one-sided.
- There was a discrepancy in many organizations’ view of the cyber risk they face from supply chain partners, compared to the level of risk their organization poses to counterparties.
- 39% said the cyber risk posed by their supply chain partners and vendors to their organization was high or somewhat high.
- But only 16% said the cyber risk they themselves pose to their supply chain was high or somewhat high.
- Respondents were more likely to set a higher bar for their own organization’s cyber risk management actions than they do for their suppliers.
Appetite for Government Role in Managing Cyber Risks Draws Mixed Views
Organizations generally see government regulation and industry standards as having limited effectiveness in helping manage cyber risk — with the notable exception of nation-state attacks.
- 28% of businesses regard government regulations or laws as being very effective in improving cybersecurity.
- 37% of businesses regard soft industry standards as being very effective in improving cybersecurity.
- A key area of difference relates to cyber-attacks by nation-state actors:
- 54% of respondents said they are highly concerned about nation-state cyber-attacks.
- 55% said government needs to do more to protect organizations against nation-state cyber-attacks.
Cyber Investments Focus on Prevention, Not Resilience
Many organizations focus on technology defenses and investments to prevent cyber risk, to the neglect of assessment, risk transfer, response planning, and other risk management areas that build cyber resilience.
- 88% said information technology/information security (IT/InfoSec) is one of the three main owners of cyber risk management, followed by executive leadership/ board (65%) and risk management (49%).
- Only 17% of executives say they spent more than a few days on cyber risk over the past year.
- 64% said a cyber-attack on their organization would be the biggest driver of increased cyber risk spending.
- 30% of organizations reported using quantitative methods to express cyber risk exposures, up from 17% in 2017.
- 83% have strengthened computer and system security over the past two years, but less than 30% have conducted management training or modelled cyber loss scenarios.
Cyber insurance coverage is expanding to meet evolving threats, and attitudes toward policies are also shifting.
- 47% of organizations said they have cyber insurance, up from 34% in 2017.
- Larger firms were more likely to have cyber insurance 57% of those with annual revenues above $1 billion had a policy compared to 36% of those with revenue under $100 million.
- Uncertainty about whether available cyber insurance could meet their firm’s needs dropped to 31%, down from 44% in 2017.
- 89% of those with cyber insurance were highly confident or fairly confident their policies would cover the cost of a cyber event.
At a practical level, this year’s survey points to a number of best practices that the most cyber resilient firms employ and which all firms should consider adopting:
- Create a strong organizational cybersecurity culture, with clear, shared standards for governance, accountability, resources, and actions.
- Quantify cyber risk to drive better informed capital allocation decisions, enable performance measurement, and frame cyber risk in the same economic terms as other enterprise risks.
- Evaluate the cyber risk implications of new technology as a continual and forward-looking process throughout the lifecycle of the technology.
- Manage supply chain risk as a collective issue, recognizing the need for trust and shared security standards across the entire network, including the organization’s cyber impact on its partners.
- Pursue and support public-private partnerships around critical cyber risk issues that can deliver stronger protections and baseline best practice standards for all.
Despite the decline in organizational confidence in the ability to manage cyber risk, we are optimistic that more organizations are now clearly recognizing the critical nature of the threat, and beginning to seek out and embrace best practices.
Effective cyber risk management requires a comprehensive approach employing risk assessment, measurement, mitigation, transfer, and planning, and the optimal program will depend on each company’s unique risk profile and tolerance.
Still, these recommendations address many of the common and most urgent aspects of cyber risk that organizations today are challenged with, and should be viewed as signposts along the path to building true cyber resilience.