Widespread concern exists among risk and IT professionals about the scale and diversity of cyber risk, but there is little agreement about how organisations should assess, manage and mitigate the threats. That is the key finding of a Chubb study undertaken among risk managers and IT professionals which is launched today at the FERMA European Risk Management Forum in Monte Carlo.
"Bridging the Cyber-Risk Gap" is based on a survey of the views of more than 250 senior managers in both IT and risk each from major businesses across Europe with annual revenues exceeding $500m. The report identifies the fundamental differences of opinion that departments within an organisation can have on cyber risk and explores ways to resolve them.
For example, IT professionals are more likely than their counterparts in the risk function to expect the impact of a cyber event to be severe, evidence that not all organisations have reached a single view of the scope of the threat or how to tackle it, which can leave them vulnerable. However, for almost all areas of cyber risk, IT respondents think more highly of their capabilities than their peers in the risk function.
What was once an issue managed by an organisation's IT function is increasingly viewed as a crucial C-suite priority, and functions as diverse as risk, legal and HR are all expected to play a part in responding. Despite this broad response, many organisations are struggling to build governance models that allow for a consistent approach.
Six in ten respondents say senior leaders expect their business to be invulnerable to cyber attack. This is worrying in an era of constantly evolving threats and places intense pressure on their risk and IT teams to mitigate these with a 100% success rate.
Kyle Bryant, Cyber risks manager, Europe, Chubb, says: "The results of this extensive research project show that a clear disparity continues to exist between risk and IT managers around how to deal most effectively with cyber risk." Ultimately, insurers may hold the key to bringing functions together to assess, quantify and prioritise different cyber risks, and build stronger defences and protections. "Nothing will provide you with total assurance that an incident won't happen," says Bryant. "But insurance now provides a practical solution to help you identify, mitigate and protect your organisation's vulnerabilities."