Cyber cover penetration still low: Marsh

According to new research published by Marsh in partnership with Microsoft Corp., only four percent of business leaders in the Middle East & Africa region are confident in their organisation’s ability to manage cyber risks.

The report, The Middle East & Africa State of Cyber Resilience, questioned over 660 regional and global cyber risk decision makers and analyses how cyber risk is viewed by various functions and executives in leading organisations, including cybersecurity and IT, risk management and insurance, finance, and executive leadership.

According to the report, confidence in their organisation’s core cyber risk management capabilities – including the ability to assess cyber threats, mitigate or prevent cyber-attacks, and manage and respond to cyber-attacks – remains a major concern for the region’s business leaders. Over three quarters (76 percent) in the MEA region have no confidence in their own organisation’s cyber resilience.

The report also called for shared responsibilities among risk managers, CFOs, CISOs, executive leaders and their teams while discussing key cyber risks and working together to identify, quantify, and manage them. The reality is often very different, with views of cyber risks and organisational strengths and weaknesses differing by function, the report stated. This often leads to tunnel vision, where firms cannot get the big picture view necessary to identify and respond to cyber risks early enough to mitigate them.

“It’s not about if an organisation will get attacked, it’s rather a matter of when, which makes it all the more surprising that organisations continue to take a siloed approach rather than looking at the risk from an enterprise-wide perspective,” opined Christos Adamantiadis, CEO, Marsh Middle East and Africa.

Interestingly, survey respondents ranked ransomware at the top of cyber risks facing their organisations, with one-third saying it is the number one threat. About 62 percent of MEA organisations believed a “lack of understanding/assessment of vulnerabilities to this specific type of attack” contributes to increasing ransomware attacks.

Other findings include:

·       The majority of organizations are still struggling to understand the risks posed by their vendors and digital supply chains as part of their cybersecurity strategies. About 60 percent of respondents stated that they have not conducted a risk assessment of their vendors or supply chains.

·       A third (37 percent) of organisations admitted to not having any kind of cyber insurance in place even though it is a key element in managing cyber risk.

·       More than half (54 percent) of the those organisations who had procured insurance acknowledged that doing so was accepted best practice within their business sector and had helped them adopt a more stringent and resilient approach to cyber risks.

·       Three quarters (75 percent) recognised that insurance was an important part of any cyber risk management strategy. About 23 percent of MEA organisations said their spending on cyber insurance will rise by 25 percent or higher in 2022. CEO/board-level roles generally saw increases coming in cybersecurity technology/mitigation, staff training, and cybersecurity incident planning and preparation.

Simon Bell, cyber and financial & professional lines leader, Marsh MENA said: “Cyber risks are pervasive across most organisations. Successfully countering cyber threats needs to be an enterprise-wide goal, aimed at building cyber resilience across the firm, rather than singular investments in incident prevention or cyber defense. Greater cross-enterprise communication can help the region’s businesses bridge the gaps that currently exist, boost confidence, and better inform overall strategic decision making around cyber threats.”