Many business issues keep CEOs and CFOs up at night, but none may be more prevalent or critical than cyber security.

While bigger companies typically make the headlines when a breach is discovered, smaller firms are also the target of increasingly sophisticated assaults from hackers around the world.

The good news from Marsh & McLennan Agency’s 2018 cyber risk report is that C-suite and other senior executives of small- to midsize organizations say they are ready and quite capable of dealing with or thwarting a cyberattack.

However, the findings also suggest that many may be overconfident, and key elements of their response plan may be lacking.


In MMA’s survey of more than 1,100 executives across North America, most said they understand the risks facing their organizations and the magnitude of the challenge.

  • 78% said they were highly or at least fairly confident that their organization would be able to manage and respond to a cyberattack.
  • 82% said they were highly or at least fairly confident that their organization would be able to understand and assess a cyberattack.
  • 60% said cyber security is one of the top five risks facing their business.

But awareness of the risk doesn’t necessarily translate into concrete steps to actively manage it. The findings raise questions about whether C-suite executives and their team members are taking on more cyber risk than they realize.

  • Only 18% said their organizations have developed a cyber incident response plan. A common theme in the findings is the gap between understanding the risk of a cyber breach and having a plan in place to manage an incident.
  • Fewer than 40% of participants have performed gap assessments, phishing training, or penetration testing. These security practices are becoming more common and affordable. Some vendors and insurance policies include these services.
  • 17% are not confident of their organization’s ability to manage, respond to, and recover from a cyber incident. However, organizations that took preventative measures were more confident in their ability to handle an attack.
  • 36% don’t know what their organization is doing about cyber insurance. Of the 36% of respondents that have cyber insurance, none planned to discontinue their coverage.


Even well-prepared organizations experience breaches

Thus far in 2018, the 10 largest breaches resulted in the unauthorized disclosure of more than 1.7 billion records. One of the breaches alone involved more than 1.1 billion records.

