Building an Enterprise-Wide Approach to Cyber Risk Management

For three years, companies have faced endless workplace disruptions, continual digital transformation and seemingly nonstop ransomware attacks. The upshot? Most leaders today have no more confidence in their ability to manage cyber risk than they did two years ago.

That’s one of the key findings from the 2022 Marsh and Microsoft Cyber Risk Survey, the third such collaboration our companies have undertaken in the past four years.

A key to the low level of confidence at many companies is the lack of an enterprise-wide approach to managing cyber risk. Such an approach is built on broad-based communication, which helps bring about collaboration and alignment between stakeholders, especially during key decision-making moments related to cyber resilience. 

Cyber Risk Is Top of Mind

We found that 73% of companies have experienced a cyberattack in the past year, dominated by ransomware and phishing/social engineering events, but also including other types of incidents. The pervasiveness of ransomware contributed to one-third of respondents saying it is the number one threat, and nearly three-quarters placing it in the top three. We also found that:

  • Many feel the almost infinite number of vulnerabilities makes ransomware nearly impossible to safeguard against.
  • Those in risk management and insurance roles were more likely to view ransomware as a key driver of attacks, with board members and CEO-level leaders less likely to see it that way. 
  • More than half of North American-based companies said that paying ransom demands contributes to the increasing incidence of attacks.

Regardless of the type of attack a company faces, too many organizations manage their cyber risk in silos and could benefit from an enterprise-wide approach.

Building a Cyber Team Across the Enterprise

The level of involvement in various areas of cyber risk management looks to be a mishmash of roles and responsibilities. For example, risk management and insurance professionals are regularly a part of the cyber incident management team, but more often than not, they’re absent from talks about cybersecurity tools and services. 

Thus, views of cyber risks and assessments of organizational strengths and needs can differ greatly by department and by risk leader. The result can be a kind of tunnel vision, making it difficult for firms to see the big picture in a way that will help them identify and respond to cyber risks in time to mitigate them.

The responsibility for cyber risk management should be a shared one. Ideally, a company’s risk managers, CFOs, CISOs, executive leaders and their teams will work together to identify, quantify, and manage cyber risks. 

We asked respondents how involved they are in three key cyber risk management activities: cyber insurance, cyber incident management, and cybersecurity tools and services. Specifically, we wanted to see if they consider their department to be the decision-maker, or part of a team with input into decisions, or if they’re not involved at all. 

Among our findings:

  • IT/cybersecurity professionals were the most involved in all three areas — over 90% of these respondents said they were the decision-maker or were part of the team. They were also least likely to say they were “not involved” in a given area, and the most likely to see themselves as decision makers regarding cyber incident management and cybersecurity tools and services. 
  • Respondents who were in the board/CEO/president ranks were most likely to say they held the final decision on cyber insurance, with risk management and finance close behind. 
  • Cyber insurance was the area that showed the highest level of involvement across all departments, with no clear leader. 
  • On the flip side, decisions regarding cybersecurity tools and services had the lowest level of collaboration among all professionals. 

Investment in Cyber Risk Management

Another area where the lack of alignment shows up is in where organizations plan to make investments in cyber risk management.

We found broad agreement on the need to increase investments, but less on where the investments should be made. The main reason cited to increase spending was having previously experienced a cyber incident. Other reasons included external advisor recommendations and the adoption of new technologies. 

Globally, most companies said they plan to increase investments in cybersecurity technology, incident planning, staff training, cyber insurance and cyber advisory services over the next year. 

Risk management/insurance roles most often said they will look to prioritize investments in cyber insurance and hiring cybersecurity personnel. CEO/board-level roles, on the other hand, generally said spending would increase in cybersecurity technology/mitigation, staff training, and cybersecurity incident planning and preparation. 

Respondents said that one of the top barriers holding them back from conducting more rigorous cyber risk assessments was the lack of relevant staff. Executive leaders were the least likely to foresee increased hiring of cybersecurity talent; just 29% expect any increase in this area, compared to 57% of risk managers and 46% of cybersecurity and IT leaders who expect it. This could well represent miscommunication among the various leaders. If so, it provides another example where an enterprise-wide approach to cyber risk management would have a meaningful benefit. 

Role clarity and clear authority for decision-making would help organizations maximize the efficiency of their cyber risk spending. 

Sharing Responsibility

Most companies are looking for solutions to the cyber risks facing them today, including cybersecurity measures, insurance, data and analytics, and incident response plans. However, one critical element that is often missing is enterprise-wide alignment around cyber risk management, one that encourages shared responsibility. 

All stakeholders — including risk managers, finance, cybersecurity/IT, executive leaders — will gain confidence in their organization’s cybersecurity posture by being better connected to the broader enterprise.