25 November 2019 | Analysis

Companies must approach cyber risk strategically, not tactically: Marsh


Too many companies are taking a tactical approach to managing cyber risk, when they should be approaching the issue strategically, according to Susan Young, senior vice president in the cyber center of excellence at Marsh.

Cyber is a top five risk for almost four-fifths of leading retail, wholesale, food, and beverage (RWFB) companies, according to the 2019 Global Cyber Perception Survey by Marsh and Microsoft.

Cyber risk has considerable potential to damage brands, Young noted, and RWFB companies are especially vulnerable to cyber risks because of the customer data they retain and their growing dependence on technology.

But too few such companies are taking the necessary steps to manage this risk, Young added.

In a blog post on the Marsh website, Young advised RWFB companies to have a formal risk transfer strategy in place before they experience a devastating cyber attack. “Risk transfer and risk mitigation are complementary — the former addressing severity and the latter, frequency,” she said. Both play an important role in effectively managing cyber risk, she added.

Young said: “Many organisations purchase insurance without understanding what coverage they need. Instead, businesses should strive to understand the economic impact of cyber risk and then decide on a risk retention and transfer strategy.”

She added: “As cyber threats proliferate, organisations must shift to a strategic approach, tackling cyber with the same rigor and discipline applied to other strategic risks. They need to limit the impact of incidents on operations during and right after an attack.”

Young suggested businesses gather all stakeholders, including risk, finance, legal, IT/information security, and C-suite executives, to discuss the potential impact of cyber risk and ensure policy is aligned across the company. They should develop cyber risk management strategies, including scenario-based quantification exercises, to identify the greatest risk exposure and help prioritise risk mitigation investments, which only 11 percent of survey respondents said they do.

Companies should hire cyber specialists to help bolster cyber resilience efforts, which 38 percent of respondents said they plan to do within three years, and provide cyber training for existing employees. Companies should also rehearse their response to a cyber attack, ensuring stakeholders understand their roles and enabling them to identify areas where vendors can assist with investigations, response and recovery.

Young said it is important that RWFB companies build strong cybersecurity cultures. “Although a strategic approach might require greater upfront investments, it can reduce downtime and financial impacts, allow for quicker recovery, and ultimately help protect your brand,” she concluded.