MMC CYBER HANDBOOK 2021 Cyber Resilience Perspectives: Clarity In the Midst of Crisis MMC Cyber Handbook 2021
FOREWORD
Cyber attacks are among the most severe and likely risks facing business leaders in advanced economies, according to the latest Global Risk Report, published by the World Economic Forum with support from Marsh & McLennan. Further heightening this cyber risk for businesses, the world subsequently experienced an unprecedented level of societal, economic, and geopolitical upheaval brought on, in part, by the COVID-19 public health crisis.
Cyber security will remain an enduring focus and responsibility for businesses for several reasons. First, COVID-19 has forced many businesses into a remote mode of work, presenting an expanded threat surface for cyber-criminals to exploit. A trend which will persist well beyond the current crisis. Second, the pace of technological development continues to rapidly advance. Artificial Intelligence is enhancing both the effectiveness and peril of traditional cyber threats, while other emerging technologies increasingly create unforeseen vulnerabilities in novel ways — deep fakes, voice-based digital assistants, Internet of Things (IoT) devices, and more. Finally, many firms operate in complex supply chains that expose them to third-parties, which may not have the resources to maintain the same level of focus on cyber risk management. This interdependency heightens the challenge of maintaining cyber resilience across the ecosystem.
Given these factors, business leaders recognize that cyber is a risk that must be identified, quantified, and managed — but it is also one that cannot be entirely eliminated. A cohesive cyber strategy is required, one which keeps pace with technological development in an environment of increasing digital seamlessness and data ubiquity, and also, considers the human elements necessary to promote good cyber hygiene — culture, awareness, and technology enablement and support.
In the coming year, the cyber landscape will be more complex than ever before. The MMC Cyber Handbook 2021 features perspectives from business leaders across Marsh & McLennan, as well as strategic partners who hold some of the most dynamic perspectives about the cyber economy. This handbook explores significant cyber trends, industry-specific implications, emerging regulatory challenges, and strategic considerations.
I hope that you find these perspectives informative.
John Doyle President and Chief Executive Officer Marsh
© Marsh & McLennan 2 MMC Cyber Handbook 2021
TABLE OF CONTENTS
01. TREND WATCH
Cyber Security for a Remote Workforce 6 Paul Mee, Partner, Digital and Financial Services, Oliver Wyman Rico Brandenburg, Partner, Financial Services, Risk and Public Policy and Digital, Oliver Wyman
Digital Deception: Is Your Business Ready for Deep Fakes? 10 Stephen Vina, Senior Vice President, Marsh Steve Bunnell, Former General Counsel, Department of Homeland Security
Prepare to Protect Your Customers’ Voices 13 Paul Mee, Partner, Digital and Financial Services, Oliver Wyman Gokhanedge Ozturk, Partner at Oliver Wyman
Cyber Literacy and Education Index 17
02. INDUSTRY DEEP DIVE
Is Your Company a Risk to Others in the Supply Chain? 19 Joram Borenstein, General Manager, Microsoft’s Cyber security Solutions Group
Looking Beyond the Clouds: A US Cyber Insurance Industry Catastrophe Loss Study 23 Siobhan O’Brien, Head of International Cyber Center of Excellence, Guy Carpenter Erica Davis, Managing Director and Cyber Risk Strategy Leader, Guy Carpenter Christopher Shafer, Assistant Vice President, Cyber Center of Excellence, Guy Carpenter
Winning the Cyber Risk Challenge: Rapid Digitalization in the Energy/Power Sector Continues to Outpace Cyber Readiness 27 Leslie Chacko, Managing Director, Marsh & McLennan Advantage, Solutions Wolfram Heidrich, Partner, Risk and Finance Practice, Oliver Wyman Rachel Lam, Consultant, Oliver Wyman
Cyber Attacks: The increasing Risks for Retail 32 Stephen Picard, Principal, Retail, Oliver Wyman James Bacos, Global Retail and Consumer Goods Practice Leader and Russia Lead, Oliver Wyman
© Marsh & McLennan 3 MMC Cyber Handbook 2021
03. CURRENT AND EMERGING REGULATIONS
Silent Cyber — no longer silent? 34 Siobhan O’Brien, Head of International Cyber Center of Excellence, Guy Carpenter Erica Davis, Managing Director and Cyber Risk Strategy Leader, Guy Carpenter
Two Years On, the GDPR Continues to Shape Global Data Privacy Regulation 38 Marsh
With the Commencement of CCPA Enforcement, Now is the Time to Prepare and Measure its Potential Impact 42 Allison Pan, Senior Vice President, Emerging Risks, Marsh Jennifer Lawson, Senior Vice President, Legal and Claims Practice, Marsh
04. STRATEGY
How to Protect Data in an Age of Digital Seamlessness 47 Paul Mee, Partner, Digital and Financial Services, Oliver Wyman Rico Brandenburg, Partner, Financial Services, Risk and Public Policy and Digital, Oliver Wyman
Human Resources’ Increasing Role in Cyber Risk Management 50 Brian Warszona, UK Cyber Growth Leader, Marsh
Don’t Forget Your Cyber Risk Sentries 54 Karen Shellenback, Global Products Leader, Analytics and Research, Mercer
Cyber security After COVID-19: 10 Ways To Protect Your Business And Refocus On Resilience 57 Thomas Fuhrman, Managing Director, Cyber security Advisory, Marsh
© Marsh & McLennan 4 01. TREND WATCH
5 MMC Cyber Handbook 2021
Paul Mee Partner, Digital and CYBER SECURITY FOR A REMOTE WORKFORCE Financial Services, Oliver Wyman Employees are starting to return to offices as countries begin to ease Rico Brandenburg Partner, Financial COVID-19-induced lockdowns and lift stay-at-home orders. But as Services, Risk and uncertainty related to the pandemic lingers, many organizations Public Policy and Digital, Oliver Wyman are choosing to maintain semi-remote, virtual workplaces over the next 12 to 18 months — and possibly for good. Facebook This article was first published in MIT Sloan is allowing employees to work from home permanently, while Management Review Canadian e-commerce platform Shopify announced that it is on July 23, 2020 becoming “digital by default.”
© Marsh & McLennan 6 MMC Cyber Handbook 2021
Organizations have rapidly shifted to semi- 2. Changing attack surfaces remote working arrangements and thus they The shift to using new teleworking must be equally speedy in mitigating the infrastructure and processes may lead to the cyber risks created by the expanded “attack undetected exploitation of vulnerabilities in surfaces” that have accompanied the “work existing remote work technologies. Security anywhere” operating models. agencies in both the United States and the United Kingdom have warned that a growing To take on the new cyber security challenges number of cyber criminals are targeting of this virtual working environment, individuals and organizations with malware. organizations must understand the changes In addition, cyber risks via business partners in their cyber security risk profile and revamp and third parties are increasing as well. It is their strategies, training, and exercises to hard enough to prepare internally for a semi- address these changes. remote working environment but even harder to verify the preparedness of vendors ranging from IT service providers to business process THE NEW CYBER NORMAL outsourcing firms to law firms. Five key factors drive the cyber security risk implications in this new, likely semi-remote, working environment. Organizations should 3. Distracted workforces keep these factors in mind when defining how A vast number of successful cyber attacks to adjust their cyber security risk programs. are caused by human error, including an estimated 90 percent of such attacks in the UK in 2019. Increasingly preoccupied 1. An increasing number of by greater personal and financial stress at cyber attacks home, employees are more vulnerable to Since the COVID-19 outbreak began, the cyber threats and “social engineering” cyber number of cyber attacks has soared as hackers attacks designed to trick them into revealing have exploited a greater number of weakly sensitive information. protected back doors into corporate systems as well as the human distraction caused by COVID-19-related events. The FBI is receiving 4. Unanticipated staff shortages 3,000 to 4,000 cyber security complaints daily, Workforces are stretched thin as employees up from 1,000 prior to the pandemic. Hackers (including cyber security professionals) call in continue to target key industries such as health sick or take time off to care for dependents, care, manufacturing, financial services, and further harming organizational abilities public sector organizations like the World to respond to cyber threats. Furthermore, Health Organization. Banks are now fending since mass work from home began during off nearly three times as many cyber attacks the coronavirus outbreak, self-reported as cyber criminals flood employees’ inboxes data in the United States shows decreased with COVID-19-related phishing emails, productivity across industries, with 11 percent often attaching seemingly innocuous files of professional and office workers and designed to lure unsuspecting employees 17 percent of industrial and manual service into executing malware. workers reporting lower productivity.
© Marsh & McLennan 7 MMC Cyber Handbook 2021
5. Multi-stress environment ADJUST YOUR CYBER STRATEGY Security teams are operating in an Start with stopgap measures that can be unprecedented environment in which implemented immediately, such as revising multiple crises are constantly arising, each existing cyber risk guidelines, requirements, demanding significant attention from cyber and controls on how employees access data security and management teams. COVID-19- and communicate with a company’s network. related challenges will be the baseline for the Rules of behavior analytics need to be adjusted foreseeable future. Moreover, organizations to consider changes to the “normal” behavior still have to manage through other crises and of employees, many of whom now work outside stress events, like hurricanes, forest fires, or standard business hours so that security teams widespread protests as recently observed in can effectively focus investigations. the United States. Then examine new security tools and requirements for sharing and maintaining ASSESS YOUR CHANGING CYBER private information with vendors. For example, SECURITY RISK PROFILE organizations may need to adopt more robust As organizations transition to the new ways data loss controls, traffic analysis tools, and of working, the resulting changes to the access restrictions. Ensure that vendors that company’s cyber security risk profiles must be aren’t currently prepared for heightened repeatedly assessed and monitored so that cyber attack risk commit to developing they can be actively managed, prioritized, cyber preparedness plans to safely and mitigated. handle information or interact with your corporate network. The list of entry points for attacks as a result of far-flung workplaces keeps growing. Bad Review changes to boost your technology actors can openly record sensitive customer and security infrastructure today, even if such information shared with customer service changes may take years to implement. Some employees taking service calls on their mobile organizations may want to speed up their phones at home, instead of in highly secure cloud strategies so that their IT resources can and monitored call centers. Inadequately rapidly meet demand spikes from large-scale tested new technologies and digital products remote work. Other common improvements rapidly deployed to meet customer needs include investing in automation and advanced during the pandemic, like customer service analytics to improve the effectiveness of chatbots and Paycheck Protection Program security processes, introducing greater applications could inadvertently introduce discipline around cyber-relevant data, new threats. Remote working operations rationalizing duplicative monitoring and of interconnected vendors and customers security tools to manage the cost of exploding further amplify organizational risk. data volume, and focusing cyber security teams on the highest-risk areas. Based on this risk assessment, teams of risk management, business, and Finally, develop mechanisms to understand security personnel should work together how your security program changes reduce to reevaluate cyber security budgets cyber security risks after each initiative and prioritize investments to improve is rolled out. This is not a one-and-done a company’s cyber resilience in line exercise; organizations need ongoing agility with its risk tolerance. to hit what is a decidedly moving target.
© Marsh & McLennan 8 MMC Cyber Handbook 2021
STEP UP CYBER TRAINING Management teams should engage in walk- AND EXERCISES throughs and simulations for new cyber attack Employees need to be informed of new cyber scenarios armed with playbooks that provide risks and reminded of their role in effectively clear guidelines for required actions, including preventing, detecting, responding to, and when (and to whom) decisions should be recovering from cyber attacks. escalated. By doing so, teams can identify shortcomings that must be overcome in order Design role-based training programs and to respond effectively to cyber attacks. exercises to raise the awareness at every level of new and changed cyber risks introduced by Much of the operational shift that has increased remote working. Training programs occurred as a result of the pandemic will should cover new threats, rules for approved outlast the immediate crisis and aftermath. device and data use, and processes to report To adapt securely, organizations need to suspected cyber incidents. understand how their cyber risk profiles have changed and must revamp their strategies, training, and exercises to address threats and minimize risks.
© Marsh & McLennan 9 MMC Cyber Handbook 2021
Stephen Vina Senior Vice DIGITAL DECEPTION: President, Marsh Is your business ready for “deepfakes”? Steve Bunnell Former General Counsel, Department ABC Shoe Corporation has just completed the most successful quarter of Homeland Security in its history. The CEO holds a press conference to announce the good This article was news. Several hours later, an altered video of the CEO at the press previously published conference goes viral on social media, showing him slurring his words by Business Insurance and appearing inebriated. ABC Shoe Corporation has become a victim of a “deepfake.”
© Marsh & McLennan 10 MMC Cyber Handbook 2021
This story may seem farfetched, but similar was used to mimic the voice of a CEO to incidents have already played out in real life, facilitate the fraudulent transfer of funds. impacting mostly politicians and celebrities. This type of misuse introduces a potentially Businesses too are starting to see deepfakes dangerous trend. targeting them. What once took significant skill and time to create can now be done cheaply, Deepfakes can also have a severe impact on a quickly, and convincingly, posing a major company’s reputation. A deepfake posted on threat to both public and private sectors. social media could easily go viral and spread worldwide within minutes. Companies would A “deepfake” is a sophisticated digital forgery have to spend valuable resources identifying, of an image, sound, or video. The forgery may removing, and rebutting such fake content; be so good that a human is unlikely to detect legal fees and crisis management expenses the manipulation. The goal is to mislead and would likely also stack up. If the deepfake was deceive, making it appear as though a person embedded in internal materials, companies has said or done something when that is not would need to investigate the network intrusion the case. Supported by advances in artificial and remediate corrupted systems and data. intelligence, deepfakes have proliferated Though a company might ultimately prove it across the internet as the technology was the victim of a deepfake, the damage to becomes less expensive and more accessible. its reputation will already have been done, potentially resulting in lost revenues.
RISKS FOR BUSINESSES Businesses have always taken great strides CURRENT LEGAL REGIME to protect the “CIA” triad of information As with many advances in technology, security — confidentiality, integrity, and deepfakes are outpacing the law. While no law availability. Data confidentiality has frequently directly addresses deepfakes, several criminal been threatened by massive data breaches and civil laws may be applicable. involving businesses, while attacks on the availability of data have become a new normal Criminal statutes governing fraud, extortion, with the proliferation of ransomware attacks. and cyberstalking, for example, may broadly serve as criminal remedies and deterrents to Attacks on data integrity, however, appear combat deepfakes. Federal securities law may to be a more recent phenomenon. And also apply to a deepfake used to defraud businesses may not be prepared to respond anyone in connection with registered securities. to this sleeping giant, one that could have Impersonating a government official through a devastating impacts. deepfake could also result in criminal penalties.
Nation-states, competing businesses, Civil remedies provide more flexibility for disgruntled employees, criminals, and businesses in holding deepfake perpetrators anonymous saboteurs may use deepfake accountable. Unlike criminal remedies, if a technology to disrupt business operations business can prove a general harm, such as or facilitate fraud. Indeed, news reports defamation, copyright infringement, or a surfaced in August 2019 that — for the violation of the right of publicity, the business first time — deepfake audio technology can sue the perpetrator.
© Marsh & McLennan 11 MMC Cyber Handbook 2021
Knowing exactly whom to bring actions crisis communications and computer forensic against and being able to bring perpetrators specialists responding to an incident. If data under the jurisdiction of US laws — has been corrupted, cyber insurance policies particularly if they live abroad — may be may cover the cost to replace, restore, or difficult. If a deepfake is spread over the recreate the data. A cyber policy may also internet, however, the victim business will respond to a ransom demand linked to a likely only be able to sue the perpetrator of deepfake on a corporate network. the deepfake. Content platforms, even when hosting fake content, are typically immune Cyber policies are also expanding to include from civil liability under US law. coverage for attacks on a company’s reputation from adverse publicity after a cyber incident or privacy breach. For example, a cyber PROTECTING DATA INTEGRITY policy can cover lost revenues and the costs Risk managers can take action now to build to hire public relations consultants after a enterprise resilience and address the potential reputational attack. While wordings vary and onslaught of new data integrity threats. are often tied to a network intrusion, these Public relations and crisis communication coverages continue to evolve and could be planning — along with identifying properly helpful to a company that suffers reputational legal remedies — can be critical to responding harm from a damaging deepfake. to a deepfake and mitigating reputational harm. Cyber risk assessments and strong Crime policies — and, to a lesser extent, cyber cyber hygiene can also help thwart attacks policies — could also help companies that that are targeting data on company networks, have fallen victim to deepfakes recover funds while robust backup procedures can help that were transferred to third parties under restore or verify corrupted information. false pretenses.
For those businesses that fall victim to a Deepfakes are a new type of threat for deepfake, cyber insurance policies may businesses, and insurers are still assessing provide relief for some financial loss. potential risks. Whether a cyber policy responds to a deepfake ultimately depends A data integrity attack on a company upon the circumstances of the incident and network, like other cyber attacks, could the terms and conditions of the policy. Risk result in a security incident that would need managers should carefully review their policies to be investigated and remediated. Cyber and work with their insurance advisors and insurance policies often offer broad cyber legal counsel to assess potential exposures event management coverage for the cost of and coverages for this evolving threat.
© Marsh & McLennan 12 MMC Cyber Handbook 2021
Paul Mee Partner, Digital and PREPARE TO PROTECT YOUR Financial Services, Oliver Wyman CUSTOMERS’ VOICES
Gokhanedge Ozturk Partner, Oliver Wyman The threat of voice-based cybercrime is growing along with the
This article was first explosion of voice-directed digital assistants, billions of which are published in MIT Sloan already embedded in our mobile phones, computers, cars, and homes. Management Review on May 05, 2020 Digital assistants are always listening, creating a significant security risk, especially as millions of people work from home during the pandemic. It’s estimated that in the next two years, there will be more virtual digital assistants than people in the world. Nearly two-thirds of businesses plan to use voice assistants for their customer interactions, according to a 2018 survey conducted by Pindrop Security.
© Marsh & McLennan 13 MMC Cyber Handbook 2021
Already, the number of cyber attacks on by voice — such as account balances and stock voice-recognition systems is rising as people quotes — and have them continue to use converse with bots to play music, pay their manual means or biometrics like the person’s bills, book reservations at restaurants, and face or fingerprint to execute transactions. perform other everyday tasks. It now takes less than four seconds of original audio As the range of voice-activated services to create a deepfake of someone’s voice. extends and becomes more sophisticated, here Recently, hackers used machine learning are some other measures businesses can take. software to impersonate a CEO and order subordinates to wire hundreds of thousands of dollars to a fraudulent account. STRENGTHEN CUSTOMER AUTHENTICATIONS Much of today’s voice fraud, known as Companies should introduce screening “vishing,” involves controlling voice assistants protocols for voice-controlled services that by methods such as embedding undetectable are at least as robust as those used for audio commands, replaying voice recordings, other digital services. Customers should and modifying fraudsters’ voices to match receive alerts if their orders exceed a certain the pitch of their victims’ voices. As hackers threshold or appear to deviate from their become better at impersonating people, they typical purchasing patterns. will be able to apply deepfakes of voices that will be far harder to detect. Companies can increase awareness of potential scams by distributing checklists to help The damage could be catastrophic unless customers gauge whether a third party’s companies take appropriate cyber security approach or a request for information could precautions. Financial services companies be fraudulent. For example, a company send millions of customers new credit cards could advise customers to hang up if a caller after criminals steal information, but they doesn’t know their name and relationship to can’t send them new voices. Unless voice the company, or if the caller’s phone number activation is made secure, the rapid growth seems suspicious. Recently, scammers have of machines that recognize voice commands been tricking people into giving away sensitive could grind to a halt, damaging customers’ information when they use voice searches to trust in the privacy safeguards of the many find customer service numbers. Customers companies that use voice systems. should also be made aware of the extent to which they are insured against fraud Pindrop’s survey found that 80 percent whenever a company launches a new voice- of businesses worldwide considered the directed service. security of their voice-directed services to be a concern. So how can managers make their At the same time, voice-directed services customers’ voices safe? should ask for additional forms of authentication. These could consist of As a first principle, companies should roll out biometrics such as a customer’s fingerprint voice-directed services only when they are or face. Or they could be qualitative verbal confident of their ability to mitigate the authentications that can’t be found in the accompanying cyber security risks. For example, public domain — personal preferences, for at first, financial companies may want to offer instance, or the relative a customer visited customers only the ability to check basic facts with most often as a child, or both.
© Marsh & McLennan 14 MMC Cyber Handbook 2021
Companies will also have to invest in filtering should puzzle out in advance how to react to technologies that detect whether a voice is scenarios by considering a series of questions: real or synthesized as they become available. If withdrawals are suddenly made from a Some companies are already trying out bank using deepfaked customer voices, how technologies that can detect clues that human should it react? How would it detect an attack hearing normally misses, such as the sound in the first place? And what alternatives of breathing, which may be present in a should be made available in the event of genuine voice but absent in a synthesized an emergency? impersonation. Systems are also being designed to block inaudible commands by identifying and canceling ultrasonic signals, COMMUNICATE ACROSS INDUSTRY which researchers have found can take Today, regulations exist for voice-directed control of voice-recognition systems. services. For example, the California Consumer Privacy Act limits the sale and mining of consumer voice data collected CONDUCT CYBER EXERCISES through smart televisions. Europe’s General Hackers will continue to develop new Data Protection Regulation requires methods to exploit the weakest links in companies to report personal data breaches systems. Companies offering voice-activated to their relevant local regulatory authority, services need to test their security constantly, though it does not currently address voice conducting cyber exercises that identify compromises directly. vulnerabilities to determine ways to plug the gaps. They should also prepare responses Whatever the rules, cyber security officers to deploy in the event of a successful should maintain regular contact with cyber attack. governments and others in their industries in order to stay ahead of regulations and As a training exercise, some of a company’s potential new threats. Voice operations — cyber security experts could try to exploit a and the convenience and efficiency they voice assistant’s security gaps while others bring — will only spread so long as the guard against the attackers. Alternatively, companies offering them show that they companies could engage ethical hackers can safeguard customers’ voices. to conduct surprise attacks on voice- assistant services — either on their own Companies should establish forums and or in collaboration with other businesses other methods to share data about voice- or industries. The defense and payment assistant breaches so that whole industries industries already hold cross-industry cyber can stay ahead of their adversaries. Once war games of this kind. voice assistants become a common method for transferring money, new security protocols Cyber security teams should simultaneously may also be needed. explore alternate ways of operating should a voice-related cyber crisis arise. Experts
© Marsh & McLennan 15 MMC Cyber Handbook 2021
THE POTENTIAL OF THE But delivering this conversational future CONVERSATIONAL ECONOMY will require cyber security to stay ahead If voice-directed services were made of hackers’ ability to abuse voice systems. secure, they could deliver services that Businesses should prioritize exploring now would improve — and possibly transform what it will take to keep their customers’ — consumers’ daily lives. People could tell voices safe — and prepare to continue the cars to take them to appointments. They battle indefinitely. could turn to mobile phones to arrange their vacations. One day, they might even ask virtual assistants for financial advice.
© Marsh & McLennan 16 MMC Cyber Handbook 2021
Exhibit 1: Summary of index rankings, weighted driver scores CYBER (as of October 2020)
LITERACY AND 01. er an 26. a n EDUCATION INDEX 02. n a re 27 e 03. n e n 28 a an Like financial literacy 04. s ra a 29. a a or health literacy, 05. e her an s 30 a ra a cyber risk literacy is 06. ana a 31 a fundamental knowledge 07 s n a 32 h rea that all individuals should 08. srae 33 ss a understand. As the world 09. re an 34. L h an a digitizes, governments and 10. n e a es 35 en a businesses increasingly rely 11. er an 36. r s on individuals to protect 12. en ar 37 a themselves and others 13. e en 38. r a a in cyberspace. 14. n an 39 n ar 15. rance 40 ar a 16. e ae an 41. reece The Oliver Wyman Forum’s 17. ech e c 42. ra Cyber Risk Literacy and Education 18. n e ra ra es 43 an a Index provides a comprehensive framework for measuring literacy 19. s r a 44 Me c at the population-wide level to 20 La a 45. n a enable geographies to discover 21 r a 46 n nes a best global practices and focus 22. an 47. r en na their attention on areas of need. 23 r ean n n 48. r e 24 a ar 49. h na The Index measures not only 25. r a 50 h r ca current populations’ ability to understand cyber risk but also whether current structures in Public Cyber risk awareness of the population governments, education systems, motivation Cultural proclivity towards personal/societal cyber-risk reduction and employers have the tools Government Long-term vision and commitment by the government to advance and incentives to train future policy cyber literacy generations with essential cyber Education Formal education that incorporat es early cyber-risk awareness risk knowledge and skills in an system Labor upskilling ability and actions to strengthen cyber-risk inclusive manner. consciousness of the national workforce Labor Cyber-risk skills demand from employers The first edition of the Index market Demand for innovation-driven skills ranks 50 geographies, including Population Technological inclusivity which creates equality in digital access the European Union as a inclusivity and digital pervasiveness population-weighted aggregate Educational inclusivity on cyber security programs available for vulnerable population and non-traditional communities of our ranked EU geographies. Source: Oliver Wyman Forum
© Marsh & McLennan 17 02. INDUSTRY DEEP DIVE
18 MMC Cyber Handbook 2021
Joram Borenstein General Manager, IS YOUR COMPANY A RISK TO OTHERS Microsoft’s Cyber Security IN THE SUPPLY CHAIN? Solutions Group
This article was first In the world of global supply chains, trust is becoming an increasingly published by BRINK on December 17, 2019 important commodity.
The concept of “technological social responsibility” — the recognition and acknowledgment by each organization of its cyber security obligations within the supply chain — is now on the agenda for many industry leaders.
© Marsh & McLennan 19 MMC Cyber Handbook 2021
Every organization needs to play a role in appreciate the risk in reverse, according to the integrity and security of its digital supply the 2019 Global Cyber Risk Perception Survey chains, as a lack of trust can impede business from Marsh and Microsoft. There is a marked performance and innovation. discrepancy in many organizations’ views of the cyber risks they face from supply chain “Risk management, supply chain security partners, compared to the level of risk their assurance, safety, regulatory compliance and organization poses to its counterparties. licensing all require a synergetic approach toward quality assurance and end-to-end Thirty-nine percent of organizations perceive discipline, traceability and visibility,” according risk from their supply chain partners, but only to a report titled ICT Supply Chain Integrity: 16 percent perceive risk they present to their Principles for Governmental and Corporate supply chain partners. This pattern appears Policies from the Carnegie Endowment for consistently across industry sectors and International Peace. geographic regions.
And this gap increased significantly with ARE YOU A RISK TO OTHERS? revenue size, with 61 percent of companies Organizations are aware of the risks their of US five billion revenues or more saying they supply chain partners may pose to their faced high risks from their supply chain — and own cyber posture, but most do not fully only 19 percent saying they posed a risk to it.
Exhibit 1: Perceptions of cyber risks in supply chains
Percentage of perceived risk level ase ans er n n
Man r an a ns are re a ne he r s s he ace r he r s cha ns han he r s s he he se es se