Study: Co.’s ‘not confident’ in ability to handle cyber-attack
After nearly three years of business model shifts, inevitable digital transformation, and countless ransomware attacks, most leaders are no more confident in their ability to manage cyber risk than they were two years ago.
That’s according to a new report released by insurance broker and risk consultant Marsh and Microsoft Corp.
“The State of Cyber Resilience” report surveyed more than 660 cyber risk decision makers globally and 162 in Latin America to analyze how cyber risk is viewed by executives from leading organizations across functions including cybersecurity, IT, risk and insurance management, finance, and executive leadership.
Leaders’ confidence in their organization’s cyber risk management capabilities, including the ability to understand and assess cyber threats, mitigate and prevent cyber-attacks, and manage and respond to cyber-attacks, has remained virtually unchanged since 2019, the report revealed.
“Companies must structure cybersecurity strategies with a sense of urgency, taking into account that a cyber-attack is imminent, regardless of the branch or industry, including not only initiatives related to mitigation, but also to the transfer of risk, through cyber risk insurance,” said Mari Evelyn Rodríguez, managing director of Marsh Puerto Rico.
In 2019, 22% of respondents in Latin America said they were very confident in their ability to understand and assess cyber threats and 18% in their abilities to manage and respond to cyber incidents; while in 2022, the values varied slightly, with 19% and 16% respectively.
However, in 2019, 20% had high confidence in their capabilities to mitigate or prevent cyber-attacks, while in 2022, this number has dropped to 12%.
“Given the continuing rise of ransomware and today’s growing threat landscape, it’s no surprise that many organizations don’t feel more confident in their ability to respond to cyber risks now than they did in 2019,” said Edson Villar, cyber risk consulting lead at Marsh Advisory for Latin America.
Additionally, many organizations still struggle to understand the risks posed by their suppliers and digital supply chains as part of their cybersecurity strategies. Only 43% of respondents said they have carried out a risk assessment of their suppliers or supply chains.
Other findings of the report for this region are:
- Only 41% of organizations look beyond cybersecurity and insurance to involve their legal, corporate planning, finance, operations, or supply chain management functions in developing cyber risk plans.
- Four in 10 respondents in the region (41%) said their organization uses quantitative methods to measure its exposure to cyber risk, which is a critical step in understanding how cyber-attacks and other events can drive volatility. This is an improvement over the 2019 survey, when only three in 10 respondents (30%) said their organization used quantitative methods.
- Cyber insurance rates continued to rise, driven largely by the continued increase in the frequency and severity of ransomware claims, with many insurers attempting to tighten the terms and conditions of coverage, especially in relation to the conflict in Ukraine.
- 63% of companies in Latin America and the Caribbean consider that working from home puts them at risk of a cyber-attack, followed by employees’ use of personal mobile devices (59%).
- Half of companies (50%) mention that they cannot measure their exposure to cyber risk due to a lack of talent within the organization.
“Cyber risks are pervasive in most organizations. Successfully countering cyber threats should be an enterprise-wide goal, aimed at building cyber resilience across the organization, rather than separate investments in attack prevention or cyber defense,” Villar said.
“Greater business-to-business communication can help organizations close the gaps that currently exist, increase trust, and better inform overall strategic decision-making around cyber threats,” Villar added.