How should risk managers address cyber risk?

The last few years have been a busy time for risk managers – and technology has been central to many of the changes. Whether part of the solution or one of the identified risks, technology is top of mind for many risk managers and boardrooms.

The Grant McGregor team looks at the evidence and discusses how risk managers should respond.

As long ago as 2019, McKinsey argued that “Top managers at most companies recognise cyber risk as an essential topic on their agendas. Worldwide, boards and executive leaders want to know how well cyber risk is being managed in their organisations.”

It argued, “Debilitating attacks on high-profile institutions are proliferating globally and enterprise-wide cyber efforts are needed now with great urgency.”

A few short months later after this advice was published, the COVID-19 pandemic swept the globe, putting risk mitigation and organisational resilience efforts right at the top of the corporate agenda. Organisational responses to the crisis often hastened the pace of digitalisation and strengthened the need for the focus to be placed on technological resilience and addressing cyber risk.

A renewed focus on cyber risk

In 2022, McKinsey reported, “During the pandemic, cyber attackers have been taking advantage of security vulnerabilities created in the shift to work-from-home operations. In response, many organisations have strengthened defences, closing potential gaps before hackers can compromise networks.”

This observation is backed up by the findings of Proofpoint’s latest Cyber Security: The 2023 Board Perspective report. It found almost three-quarters (73 percent) of board members surveyed believe they face the risk of a major cyber attack in the next 12 months. That figure is a noteworthy increase from the 65 percent who agreed with that statement in Proofpoint’s 2022 survey.

Worryingly, here in the UK there seems to be wide disparity between the perception of risk and the perception of risk preparedness. Globally, 73 percent of respondents said cyber security is a priority for their board. In 2022, in the UK this figure even higher. Eighty-four percent of UK respondents said cyber security was a board priority.

However, in the 2023 survey, this UK figure has fallen to just 56 percent of respondents. It’s a worrying sign that cyber risk has fallen off the agenda of UK companies.

Risk drops down the agenda between crises

The Proofpoint survey also identifies a declining confidence in the boardroom that organisations are investing enough in their own cyber security. Overall, 70 percent of respondents said their organisation has invested enough in cyber security in the past 12 months – down from 76 percent in 2022.

Here in the UK, the fall in cyber security investment is even starker. While 84 percent expressed confidence that their organisation was investing enough in cyber security in 2022, this year’s survey found less than half (48 percent) of UK respondents felt their organisation was investing enough in cyber security.

McKinsey points out that the importance of resilience can be forgotten between big crises. This is clearly something that UK risk managers need to be cognizant of. Given the warnings in the Proofpoint report that, risk managers must introduce measures to reprioritise cyber security and keep it at the top of the boardroom agenda.

What should organisations be doing to address cyber risk?

Proofpoint makes a number of suggestions to improve cyber strategy and ensure boardroom focus on cyber risk:

• Ensure that cyber security is high on the agenda every time the board meets. This will give regular visibility and underline its importance in the running of your business.

• Prioritise regular interaction between the board, CISO and other security leaders. The stronger and more open these relationships, the easier it is to align on cyber-security planning and decision making.

• Make sure everyone understands their cyber-security responsibilities. This means mandated, company-wide security awareness initiatives and regular reviews of security budgets, resources and technology.