Firms ‘struggle’ to build strong cybersecurity culture’ as leaders spend less than a day a year on cyber risk, finds Marsh

A majority of board members and senior executives with responsibility for their organisation’s cyber risk management spent “less than a day in the last year” focusing on cyber risk issues, according to a survey from insurance broker Marsh and tech company Microsoft.

The 2019 survey, conducted with 1,500 organisations around the world, looked at cyber risk perceptions and risk management. It found that close to 80 percent of organisations put cyber risk as one of their top-five concerns, a higher percentage than the 62 percent reported in a comparable survey in 2017.

However, despite the rise in concerns, just one in 10 (11 percent) were ‘highly confident’ in their ability to assess cyber threats, prevent cyber-attacks, and respond effectively. This is down from 19 percent in 2017.

The report detailing the results, called ‘ 2019 Marsh Microsoft Global Cyber Risk Perception Survey’, concluded that for many organisations, strategic cyber risk management “remains a challenge”.

“For example, while nearly two-thirds (65 percent) of organisations surveyed identified a senior executive or the board as a main owner of cyber risk management, only 17 percent of c-suite executives and board members said they spent more than a few days in the past year focusing on the issue. More than half, 51 percent, spent several hours or less,” it said.

“Likewise, 88 percent of respondents identified their information technology and information security functions as primary owners of cyber risk management, yet 30 percent of IT respondents said they spent only a few days or less over the last year focusing on cyber risk.”

These findings are set against the backdrop of ever increasing technology use. The survey found that 77 percent of respondents said they are adopting or have adopted cloud computing, robotics, or artificial intelligence. But only 36 percent had evaluated the cyber risk both before and after adoption, while 11 percent hadn’t evaluated the risk at all.

Kevin Richards, global head of Cyber Risk Consulting at Marsh said: “We are well into the age of cyber risk awareness, yet too many organisations still struggle with creating a strong cybersecurity culture with appropriate levels for governance, prioritisation, management focus, and ownership.

“This places them at a disadvantage both in building cyber resilience and in confronting the increasing complex cyber landscape.”

Joram Borenstein, general manager of the Cybersecurity Solutions Group at Microsoft, added: “In the era of transformational technology and more interconnected supply chains, the cyber risk management practices and mindsets of yesterday no longer suffice and may actually inhibit innovation.

“It is incumbent upon senior leaders to focus on these issues for the welfare of their organizations, their customers, their employees, and beyond.”

Get all the latest re/insurance industry news with our daily newsletter -  sign up here.

Chief actuary retires as BMS changes up US reinsurance actuarial and analytics team

Frederick Mutual signs up for property analytics to boost risk assessments

​Reinsurer Holborn appoints senior vice president as it plans expansion

Feature:  10 ways insurers are using insurtech to drive new business