Cybersecurity confidence easily shattered, Marsh says
Marsh has warned against overconfidence after a survey found three-quarters of companies have a high level of faith in their digital risk management strategies.
“The cyber threat environment is muddled, with many incident types and scenarios that can potentially affect an organisation,” the global broker says.
“Cyber confidence can be shaken when real-life events play out in ways that a company had not anticipated, or if they arise in an area that has been overlooked.
“Ascribing meaning to organisational confidence can be tricky, as an organisation can have high confidence in an area where they have invested much time and effort, but they don’t know what they don’t know.”
The study drew on insights from more than 2200 cyber risk leaders across eight regions, including Australia and New Zealand.
About 75% of participants in this region have high confidence in their cyber risk management strategies – above the global average of 72% – and 62% plan to increase cybersecurity investments in the coming year, compared with 65% worldwide.
The region ranks denial-of-service attacks as the biggest danger (29% of respondents), with ransomware and privacy breaches sharing second place (27%).
“These threats are highly visible and impactful, often causing significant operational disruption, financial loss and reputational damage,” Marsh says.
But the broker says it is important not to overplay the significance of any one threat, because there are many possible breach types.
“Incident planning that emphasises scenarios and tabletop exercises can help organisations respond to a range of event types.
“Drilling down, many organisations expressed a lower level of certainty regarding specific cyber risk management strategies and capabilities, such as incident response training and employee training.
“No matter what the specific threat, effective cyber risk management should include robust cybersecurity controls, incident response capabilities and insurance coverage. Together, these can form the foundation of a comprehensive cyber resilience strategy.”