Despite the drop, more organisations are using quantitative methods to measure their cyber risk exposure

Executive leaders’ confidence in their ability to manage cyber risk has dropped following almost three years of digital disruption, according to Marsh’s The state of cyber resilience report, published today (26 May 2022) in partnership with Microsoft Corporation.

According to the report, only 19% of respondents indicated they were highly confident in their cyber risk management – compared to 19.7% in 2019.

Confidence levels also varied by role within firms – only 9% of executive leaders said they were highly confident, while this rose to 19% among departmental leaders.

On the other hand, nearly one-third (31%) of executive leaders said they were not confident in managing and responding to cyber risks, compared to 18% of departmental leaders.

“Given the continued rise of ransomware and the current tumultuous threat landscape, it is not surprising that many organisations do not feel any more confident in their ability to respond to cyber risks now than they were in 2019,” said Sarah Stephens, head of cyber for international at Marsh.

To address the issue, Tom Reagan, cyber risk practice leader for the US and Canada at Marsh, added that “greater cross-enterprise communication can help organisations bridge the gaps that currently exist, boost confidence and better inform overall strategic decision making around cyber threats.”

The research comprised a global online survey of 662 cyber risk decision makers from 56 countries, with responses collected throughout November and December 2021.

Cyber resilience

The report further states that many organisations are still struggling to understand the risks posed by third parties as part of their cybersecurity strategies – only 43% of respondents stated that they have conducted a risk assessment of their vendors and supply chains.

Despite confidence dropping, however, nearly four in ten (38%) respondents said their organisation used quantitative methods to measure their cyber risk exposure, which Marsh argued is a critical step in understanding how cyber-attacks and other events can create volatility.

In 2019, only 30% of respondents said their organisation used these methods.

Reagan continued: “Cyber risks are pervasive across most organisations.

“Successfully countering cyber threats needs to be an enterprise-wide goal, aimed at building cyber resilience across the firm, rather than singular investments in incident prevention or cyber defense.”