Nearly three quarters of global cyber-risk decision-makers recently surveyed said their company experienced at least one cyber attack in the past year, and while these attacks have spurred more investment in cyber-risk mitigation efforts, just 3 percent rated their company’s cyber hygiene as excellent.

Broker Marsh partnered with Microsoft Corp. for the survey and report, The State of Cyber Resilience, and found that leadership confidence in their organization’s core cyber-risk management capabilities – including the ability to understand/assess cyber threats, mitigate/prevent cyber attacks, and manage/respond to cyber attacks – is largely unchanged since the last survey in 2019, when 19.7 percent of respondents stated they were highly confident, compared to 19 percent in 2022.

“Given the continued rise of ransomware and the current tumultuous threat landscape, it is not surprising that many organizations do not feel any more confident in their ability to respond to cyber risks now than they were in 2019,” said Sarah Stephens, international head of cyber, Marsh, in a statement.

Insurance is playing a role in building resilience, according to the report. A majority of respondents said insurance is an important part of cyber-risk management strategy and that it is worth the money. Also, 41 percent said their cyber insurer impacted the company’s cybersecurity measures.

“The adoption of certain controls has now become a minimum requirement for a majority of insurers, with organizations’ potential insurability on the line,” the report concluded. With 40 percent of respondents saying their organization’s cyber hygiene needs improvement, the underwriting requirements from cyber insurers are helping. Respondents with insurance were more likely to adopt controls and build security than those without insurance, according to the survey.

Still, there appears to be some disconnect across many organizations when it comes to measuring and understanding cyber risk across the entire enterprise. Just 26 percent of those surveyed said they put cyber risks into financial terms, which may affect how top executives within an organization perceive the need for, or effectiveness of, cybersecurity expenditures. Survey results showed executive leaders have a much lower level of confidence in the ability of the company to manage and respond to a cyber attack than they do in department leaders. The difference in perception could impact where resources are deployed as part of a cyber-risk strategy.

“Cyber risks are pervasive across most organizations. Successfully countering cyber threats needs to be an enterprise-wide goal, aimed at building cyber resilience across the firm, rather than singular investments in incident prevention or cyber defense,” said Tom Reagan, U.S. and Canada cyber risk practice leader at Marsh. “Greater cross-enterprise communication can help organizations bridge the gaps that currently exist, boost confidence, and better inform overall strategic decision making around cyber threats.”