Cyber Risk Management: 2019 Insights from Microsoft, Marsh, & Deloitte

A look into the perceptions and attitudes of businesses concerning cyber security risks

Cyber risk management, or what’s sometimes called cyber security risk management, has been identified as a growing priority for businesses, governments, and organizations alike in recent years. More and more businesses are embracing digital transformation to spark new growth, increase revenue and efficiency, and to stay relevant in the face of the fourth industrial revolution. They do this by embracing new technologies that fall within the realms of artificial intelligence (AI), machine learning (ML), and the Internet of Things (IoT).

But as these new and exciting technologies evolve, they become increasingly complex. So, too, do the risks that evolve with them.

What’s particularly troubling about these growing cyber risks is that there’s often a disconnect between acknowledging that there’s an issue and actually taking the steps required to mitigate it. In this article, we’ll review the findings of two surveys and reports published in 2019 — one by Marsh and Microsoft, and the other by Deloitte — and discuss what these findings mean for businesses and the industry as a whole.

Let’s hash it out.

2 Recent Cyber Risk Management Surveys of Note

There are many reports out there in recent years relating to cyber risk management and the topic of cyber risk as a whole. The first report we’ll discuss, the “Global Cyber Risk Perception Survey Report 2019,” is based on the findings of a recent survey conducted by Marsh and Microsoft. Although the survey does have a focus on cyber insurance, it provides a wealth of useful information relating to organizations’ perceptions of cyber risks and their cyber security efforts overall.

The global cross-sector survey, conducted between February and March 2019, shares insights from more than 1,500 business leaders who perform a variety of roles, including risk management, infotech and infosec, compliance, etc.

  • 22% of the survey respondents are based in North America (U.S. and Canada).
  • 35% of the survey respondents are based in Europe.
  • 35% of the survey respondents are based in Latin America and the Caribbean.
  • 25% of the survey respondents work at organizations with USD $1 billion or more in annual revenue.
  • Another 31% report that their organizations achieve between $100 million and $1 billion in annual revenue.

The second report we’ll cover is Deloitte’s “The Future of Cyber Survey 2019.” Although this survey isn’t focused on cyber risk alone, the topic does play an important role in the study. The findings are based on an online cross-sector survey of 500 C-level executives responsible for cyber security at companies with at least $500 million in annual revenue. These surveyed leaders include:

  • 100 chief information security officers (CISOs),
  • 100 chief security officers (CSOs),
  • 100 chief technology officers (CTOs),
  • 100 chief information officers (CIOs), and
  • 100 chief revenue officers (CROs).

Top Cyber Risk Management Findings from These Two Surveys

Now that we’ve discussed who was involved in the two studies, let’s dive into some of the top findings from each of the reports.

1. Organizations May Be Proactive in Their Cyber Security and Cyber Risk Management Efforts

The findings of the Deloitte report indicate that:

“… organizations are no longer taking a wait-and-see philosophy to preparing for and responding to cyber incidents. Questions related to budgets, resource allocation, and prioritization of cyber defense efforts indicate that they are proactively addressing cyber risk from various aspects of security—data, application, identity, infrastructure, and incident response.”

This is great news for sure. However, the report also notes that organizations still have a long road ahead to align these cyber initiatives with the digital transformation priorities of their leadership. This is, in part, because many executives — even within the same organization — don’t agree on what should be the top digital transformation initiative. Even when just considering what should be the focus for the next 12 months, their attention appears to be split between multiple initiatives, including cloud (17%), AI/cognitive computing (15%), and several other areas.

The results from the Marsh/Microsoft survey paint a different picture. Their data indicates that organizations tend to be more reactive to cyber risks. Sixty-four percent of respondents answered that their organizations would be more likely to increase their planned budget allocation for cyber risk management if a cyber incident or attack were to occur at their own organization. (Forty-six percent said the same if news of an incident or attack affected another organization.) Sadly, only 38% indicated that those allocations would occur because of changing or new regulations such as the European Union’s General Data Protection Regulation (GDPR).

In reality, the importance of the relationship between cyber risk and risk management can’t be emphasized enough. Both cyber risk and cyber security should be considered key factors in every enterprise risk management (ERM) plan. However, many organizations are not sure how to incorporate cyber risk within their ERM frameworks — and as a result, they can be left open to new or unexpected concerns.

2. Security is Viewed as a Top Concern, But…

The Marsh/Microsoft study indicates that 79% of survey respondents ranked cyber risk as one of their top five business concerns. This shouldn’t come as much of a surprise in light of the data breaches, hacks, ransomware, and other threats that have been making headlines over the past few years.

This statistic jibes with the data from other reports, including one from the World Economic Forum (WEF), which ranks cyber attacks and data fraud/theft among the five most likely risks to businesses in its 2019 Global Risks Report.

However, the findings from Marsh and Microsoft’s report also show something different as well. Respondents’ answers to many of the survey questions demonstrate “a striking dissonance between the high concern about cyber risk and the overall approach to managing it.” Their research indicates that, across the board, enterprises around the world could benefit by incorporating strategic risk management principles into their approach to cyber risk.

These best practices range from creating a strong cyber security-focused organizational culture to viewing supply chain risk as a collective issue that requires trust and shared security standards with partners.

3. Organizations’ Confidence in Their Cyber Resilience is Dwindling

Although cyber risk ranks among the top five business concerns for the majority of organizations surveyed in the Marsh/Microsoft study, their confidence in their ability to assess and prevent cyber events, and to respond to or recover from them, is decreasing.

The study noted a substantial decrease in confidence concerning three main areas of cyber resilience:

  • 22% report having “no confidence” in their ability to manage, respond to, or recover from cyber events.
  • 19% doubt their abilities and have “no confidence” that they can prevent cyber incidents and attacks.
  • 18% have “no confidence” in their ability to understand and evaluate cyber risks. 

The industry has been pouring hundreds of billions of dollars into the cyber security market with the hope of increasing their defenses and increasing their resilience. Fortune Business Insights reports that the market currently stands at $131.1 billion and is expected to reach $289.8 billion by 2026. Yet, despite their efforts, the cybercrime industry — yes, it’s an entire industry — is worth $1.5 trillion.

It’s understandable why there can be feelings of frustration or decreased confidence. With everything companies are investing into increasing their cyber defenses and cyber resilience, they may feel like it’s not making enough of a difference.

It’s no wonder why these surveyed guys and gals sound like they all need hugs.  

4. The Perceptions of Cyber Risks Within the Supply Chain Differ by Organization Size

When considering their own organizations and third parties, the perception of which organizations pose the greatest threats varies greatly depending on the size of the organization. The Marsh/Microsoft survey results indicate that larger organizations are more likely to believe their excrement smells like roses as compared to their smaller business counterparts. What I mean by that is 61% of companies with $5 billion or more in annual revenue indicate that they face greater risks from the supply chain than the risks they pose to it. Only 19% report the opposite.

The gap is noticeably smaller for smaller organizations — they’re less confident of their own security and more aware of the risks they pose as part of the supply chain. Of those with $25 million or less in annual revenue, 28% believe that the supply chain poses high risks to their organizations, while half believe that they themselves pose risks to it.

When you dig into the data, you’ll also notice that organizations expect more of themselves than they do their vendors or other third parties. For example, 71% implement cyber awareness training for their employees, yet only 56% expect their supply chain partners to do the same.

5. Shadow IT and Cyber Transformation Rank as Greatest Cyber Risk Management Challenges

Part of the decrease in confidence could be due to how cyber risk management is perceived. The Deloitte study shows that there are gaps when it comes to meeting the challenges of cyber risk management. Fifteen percent of survey respondents view prioritizing cyber risk across their organizations as an ongoing challenge.

The findings also indicate that CSOs and CIOs, in particular, view shadow IT (34%) and cyber transformation (32%) as the two most challenging aspects of cyber risk management. It doesn’t come as a surprise that shadow IT would rank that highly. Unknown, unsanctioned, and potentially outdated technologies — or expired digital certificates on services nobody tracks — pose significant risks to every business. If you’re charged with IT security and IT management within your organization, how can you effectively manage or assess the risks of technologies that you may not even know exist on your network or servers?

These statistics underscore the importance of actively engaging in access management, performing threat assessments and certificate discovery, and maintaining a current list of technologies and software.    
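One practical way to close that gap is to reconcile what a certificate discovery scan actually finds against the asset inventory you think you have. The script below is an added example (not code from the article, Marsh, Microsoft, or Deloitte): it takes a constructed scan export listing each TLS endpoint, its certificate expiry, and subject, compares the hosts against a constructed “sanctioned” inventory, and reports three kinds of findings: hosts that are not in the inventory (candidate shadow IT), certificates that have already expired, and certificates expiring within a warning window. The host names, the scan line format, the inventory contents, and the reference date `AS_OF` are all assumptions made for the example.

```python
"""Added example: reconcile a TLS/certificate discovery scan against an asset inventory.

Findings produced:
  - "unsanctioned": the host is not in the sanctioned inventory (candidate shadow IT)
  - "expired":      the certificate's notAfter is in the past relative to AS_OF
  - "expiring":     the certificate expires within WARN_DAYS of AS_OF
All inputs below are constructed for illustration; they are not real scan data.
"""
from datetime import datetime, timedelta, timezone

# Constructed scan export. Assumed line format:
#   host:port notAfter=<UTC ISO 8601> subject=<certificate subject>
SCAN_OUTPUT = """\
web01.example.com:443 notAfter=2020-03-01T00:00:00Z subject=CN=web01.example.com
api.example.com:8443 notAfter=2019-09-15T12:00:00Z subject=CN=api.example.com
jenkins-dev.example.com:8080 notAfter=2019-10-05T00:00:00Z subject=CN=jenkins-dev
10.0.5.17:9443 notAfter=2021-01-01T00:00:00Z subject=CN=localhost
"""

# Constructed sanctioned inventory, e.g. an export of host names from a CMDB.
INVENTORY = {"web01.example.com", "api.example.com"}

# Constructed reference date so the example is deterministic offline.
AS_OF = datetime(2019, 9, 20, tzinfo=timezone.utc)
WARN_DAYS = 30


def parse_scan(text):
    """Parse scan lines into dicts: host, port (int), not_after (aware UTC datetime), subject."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        endpoint, *fields = line.split()
        host, _, port = endpoint.rpartition(":")
        # split on the first "=" only so a value like "CN=web01.example.com" survives intact
        kv = dict(field.split("=", 1) for field in fields)
        not_after = datetime.strptime(kv["notAfter"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc
        )
        records.append(
            {"host": host, "port": int(port), "not_after": not_after, "subject": kv.get("subject", "")}
        )
    return records


def assess(records, inventory, now, warn_days=WARN_DAYS):
    """Return a list of (host, port, finding, detail) tuples in scan order."""
    findings = []
    for r in records:
        if r["host"] not in inventory:
            findings.append((r["host"], r["port"], "unsanctioned", "host not in asset inventory"))
        remaining = r["not_after"] - now
        if remaining <= timedelta(0):
            findings.append(
                (r["host"], r["port"], "expired", f"expired {-remaining.days} day(s) ago ({r['subject']})")
            )
        elif remaining <= timedelta(days=warn_days):
            findings.append(
                (r["host"], r["port"], "expiring", f"expires in {remaining.days} day(s) ({r['subject']})")
            )
    return findings


def run_example():
    """Run the reconciliation over the constructed data with the fixed reference date."""
    return assess(parse_scan(SCAN_OUTPUT), INVENTORY, AS_OF)


if __name__ == "__main__":
    for host, port, finding, detail in run_example():
        print(f"{finding:12} {host}:{port}  {detail}")
```

In a real deployment the `SCAN_OUTPUT` string would be replaced by the output of whatever discovery tool you run (a TLS scanner, a certificate management platform export, or a cloud provider’s inventory API), and the inventory by your CMDB export; the point the example makes is that the comparison itself is simple, so the hard part of managing shadow IT is keeping both inputs current, not writing the reconciliation.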

6. There’s a Disconnect Between the Perceptions & Reality of Cyber Risk Management Functions

According to the Marsh/Microsoft study, a discrepancy exists between who respondents think is responsible for “owning” cyber risk management and who actually spends their time on these functions. When asked to choose the three groups who are the main owners or drivers of cyber risk management within their organization, they identified the following groups:

  • Information technology/information security (88%)
  • Executive leadership/board members (65%), and
  • Risk management (49%). 

Although executive leaders/board members rank second for heading up cyber risk management initiatives, only 17% of executives reported spending more than a few days focusing on cyber risk over the span of the previous year.

Considering that these leaders and board members are, ultimately, responsible for the success of their organizations, it’s imperative that they have an active role in cyber security and cyber risk management. This is where it’s important for organizations to change their perspectives concerning cyber risk — the reality is that it’s no longer an IT concern, it’s an enterprise-wide issue. So regardless of positions, titles, and where it falls within the breakdown of roles, what matters is that cyber risk management is regarded as being important enough to influence strategy and operations.

7. Organizations Are Increasingly Depending on SOCs for Risk Management Functions

Organizations are recognizing that they need to change their approach to cyber risk management and mitigation. Results from the Deloitte study indicate that traditional security operations center (SOC) models are evolving to increase their data and analytics functionalities. SOCs are increasingly adopting artificial intelligence and machine learning technologies to enhance their visibility and automate their detection and threat response capabilities for their enterprises as a whole.

These tools, such as cWatch Web, provide incredible value in that they can analyze vast amounts of data and identify and respond to threats far more quickly than any team of humans. However, they don’t eliminate the need for a human element in an organization’s security — rather, they enhance it. After all, technology isn’t perfect. And while computers are faster than people when it comes to data analysis and threat identification, people have unique abilities to assess and evaluate data and threats in ways that machines cannot (at least for now).

8. More Organizations are Turning to Cyber Insurance to Reduce the Impact of Cyber Events

Organizations are gaining more confidence in cyber insurance. Research from the Marsh and Microsoft study indicates that uncertainty about cyber insurance coverage has decreased from 44% in 2017 to 31% in 2019. Of those surveyed who have cyber insurance, 89% report being fairly or highly confident that their existing policies would cover the costs associated with a cyber event.

Let’s hope they’re right, considering that the average cost of a data breach globally is $3.92 million or $8.19 million for U.S. organizations alone, according to research from IBM and the Ponemon Institute. The publication’s data breach cost calculator shows that the U.S. is followed by the Middle East ($6 million) and Germany ($4.8 million) for the highest average cost of a data breach.

If the policies are insufficient, then these surveyed companies are in for a world of hurt — financially and reputationally speaking. Cybersecurity Ventures estimates that cybercrime damages will cost businesses and organizations upwards of $6 trillion annually by 2021. And considering the $1.5 trillion cybercrime industry stat we mentioned earlier, it’s easy to see why the criminal life is so appealing to black hats.

Cybercrime truly is a booming industry, and it serves as a strong reminder of why cyber risk management is necessary for every business.

9. Cyber Risks Aren’t Necessarily Barriers to New Tech

New technologies and innovations are attractive tools that organizations can use to improve their operational performance and efficiency. But not all organizations view the risks vs benefits of new technology equally. The Marsh/Microsoft report indicates that while half of the survey respondents view cyber risks as non-barriers to tech adoption, more than 25% do view the risks as outweighing the potential benefits.

Luckily, most organizations err on the side of caution when it comes to adopting and implementing new technologies — though not as much as we’d like to see. Survey respondents reported that:

  • 74% evaluate the risks of new technology prior to adoption,
  • 54% evaluate those risks post adoption,
  • 36% evaluate risks both before and after adoption,
  • 5% evaluate risks at all stages of the lifecycle, and
  • 11% don’t evaluate risks at any point.

It’s rather disconcerting to see that only one-twentieth of all the surveyed organizations report evaluating cyber risks at all stages of the technology lifecycle. This is because many seem to view cyber risk assessments as one-time events rather than continuous or ongoing evaluations. In reality, however, cyber risk assessments help inform decision-makers and support proper risk responses. As such, they should occur at all stages of the technology lifecycle.

So, why aren’t more organizations more concerned with this crucial aspect of cyber risk management?

It could be because one-third of these surveyed organizations trust that their technology vendors have done their due diligence and considered any pertinent cyber risks — meaning that they don’t have to do it themselves. Thankfully, not everyone shares this assumption, though the margin is slim: only 40% report always performing their own verification of security claims and security measures concerning new technologies.

10. Organizations Place More Faith in Industry Standards Than Government Regulations

The findings from Marsh and Microsoft indicate that organizations and their employees have less faith in government laws and regulations and approach cyber security in less prescriptive ways. The respondents also indicated that they believe that industry guidance and standards are more effective at increasing cyber security than government laws and regulations. One-quarter of the surveyed organizations said they think the government’s regulation of cyber risk is very effective, although these numbers were higher in highly regulated industries. 

The frameworks and standards created by industry organizations such as NIST (the National Institute of Standards and Technology) and ISO (International Organization for Standardization) hold greater sway with larger enterprises. Forty-eight percent of respondent organizations with $5 billion or more in annual revenue and 56% of financial institutions indicate that such standards are “very effective in helping us improve our cybersecurity posture,” whereas only 29% of organizations with $100 million or less in revenue said the same.

Essentially, businesses are indicating that they prefer to manage their cyber risks through their own methods — with one clear exception: nation-state cyber attacks. The biggest support for government influence and protection — as indicated by the majority of respondents from all surveyed geographic areas and industries — relates to these dangerous threats. Overall, 54% voiced significant concern about the impact of nation-state attacks, and 55% indicated governments need to do more to help protect private enterprises from such attacks.


Casey Crane

Casey Crane is a regular contributor to and managing editor of Hashed Out. She has more than 15 years of experience in journalism and writing, including crime analysis and IT security. Casey also serves as the Content Manager at The SSL Store.