Groundbreaking Research from Marsh McLennan Reveals Direct Link between Key Cybersecurity Controls and Reduced Cyber Risk

Rhea-AI Summary

Marsh McLennan (NYSE: MMC) has released a report from its Cyber Risk Analytics Center linking key cybersecurity controls to reduced cyber incident risks. The report emphasizes automated hardening techniques as the most effective control, making organizations nearly six times less likely to experience a cyber incident. It challenges previous insurance recommendations, highlighting that multifactor authentication (MFA) shows significant effectiveness only when broadly implemented. Additionally, patching high-severity vulnerabilities within seven days decreased the likelihood of incidents by a factor of 2, but only 24% of organizations implement this control. The insights aim to guide organizations in making informed cybersecurity investments, positively influencing their stance in the cyber insurance market.

Positive

• Automated hardening techniques reduce cyber incident likelihood by nearly six times.
• MFA implementation can decrease successful cyberattacks by 1.4 times when properly applied.
• Patching high-severity vulnerabilities within seven days can decrease cyber event probability by a factor of 2.

Negative

• Only 24% of organizations patch high-severity vulnerabilities promptly, limiting their effectiveness.

NEW YORK--(BUSINESS WIRE)-- Marsh McLennan (NYSE: MMC), the world’s leading professional services firm in the areas of risk, strategy and people, today released a report from its Cyber Risk Analytics Center that directly links key cybersecurity controls commonly required by cyber insurers to a reduced chance of a cyber incident. By assessing the relative effectiveness of each control, organizations are now able to allocate resources towards those that provide the best protection, better position their risk with insurers, and build their cyber resiliency more confidently.

According to a new Marsh McLennan report, these five controls, among the 12 key control categories commonly required by cyber insurers, were determined to have the greatest ability to decrease the likelihood of a successful cyberattack. (Graphic: Business Wire)

According to the report, Using data to prioritize cybersecurity investments, automated hardening techniques were found, by a wide margin, to have the greatest ability of any control studied to decrease the likelihood of a successful cyberattack. Organizations with such techniques in place, which apply baseline security configurations to system components like servers and operating systems, are nearly six times less likely to have a cyber incident than those that do not.

The finding is surprising, the report notes, given that until now, the three controls most frequently recommended by insurers have been endpoint detection and response (EDR), multifactor authentication (MFA), and privileged access management (PAM).

The analysis also shows that MFA, long a staple among cybersecurity tools and recommendations, only works when it is in place for all critical and sensitive data, for all remote login access, and for administrator account access. Organizations with such broad implementation are 1.4 times less likely to experience a successful cyberattack than those that do not.

Additionally, patching high severity vulnerabilities across the enterprise within seven days of the patch’s release ties as the fourth most effective control – decreasing an organization’s probability of experiencing a cyber event by a factor of 2, yet it is has the lowest implementation rate among organizations studied, at only 24%, the report found.

“All of the key controls in our study are well-known best practices, commonly required by underwriters to obtain cyber insurance. However, many organizations are unsure which controls to adopt and rely on expert opinions rather than data to make decisions,” said Tom Reagan, US and Canada Cyber Practice Leader, Marsh. “Our research provides organizations the data they need to more effectively direct cybersecurity investments, which in turn, helps favorably position them during the cyber insurance underwriting process. It is another step toward building not only a more resilient cyber insurance market, but also a more cyber resilient economy.”

For the report, Marsh McLennan paired its extensive proprietary dataset of cyber claims with the results from Marsh Cybersecurity Self-Assessment (CSA) questionnaires, which are composed of hundreds of questions and responses from individual organizations. Based on the correlation, data scientists calculated and assigned a “signal strength” to each control. The higher the signal strength, the greater the impact the control has on decreasing the likelihood of an event.

Among the hundreds of cyber capabilities, tools, and implementation techniques analyzed and measured, the report focuses only on those falling within the 12 key control categories commonly required by cyber insurers. Among those, the top five controls determined most effective are:

Key control category	Signal strength
Hardening techniques System configuration management tools, such as active directory group policy, which enforce and redeploy configuration settings to systems	5.58
Privileged access management Managing desktop or local administrator privileges via endpoint privilege management (EPM)	2.92
Endpoint detection and response Operating advanced endpoint security	2.23
Logging and monitoring Operating a security operations center (SOC) and/or having an outsourced managed security service provider (MSSP) with the following capabilities at a minimum: a. Established incident alert thresholds b. Security incident and event management (SIEM) monitoring and alerting for unauthorized access connections, devices and software	2.19
Patched systems Patching common vulnerability scoring system (CVSS) v3 high severity 7.0-8.9 vulnerabilities across the enterprise within 7 calendar days of release	2.19

Additional insights from the research will be used as part of a forthcoming cyber event attritional loss model from Marsh McLennan that will inform insureds of potential losses they could suffer, and the potential savings benefit from increasing their cybersecurity posture.

“Marsh McLennan launched the Cyber Risk Analytics Center in late 2021 with the goal of helping organizations make smarter investments in the ways they identify, prepare for, and recover from cyber risk,” said Scott Stransky, who leads the Marsh McLennan enterprise-wide resource. “This groundbreaking report will be indispensable to Marsh McLennan clients as we work together to build society’s resilience to this critical and costly risk.”

About Marsh McLennan

Marsh McLennan (NYSE: MMC) is the world’s leading professional services firm in the areas of risk, strategy and people. The Company’s more than 85,000 colleagues advise clients in 130 countries. With annual revenue of over $20 billion, Marsh McLennan helps clients navigate an increasingly dynamic and complex environment through four market-leading businesses. Marsh provides data-driven risk advisory services and insurance solutions to commercial and consumer clients. Guy Carpenter develops advanced risk, reinsurance and capital strategies that help clients grow profitably and pursue emerging opportunities. Mercer delivers advice and technology-driven solutions that help organizations redefine the world of work, reshape retirement and investment outcomes, and unlock health and wellbeing for a changing workforce. Oliver Wyman serves as a critical strategic, economic and brand advisor to private sector and governmental clients. For more information, visit marshmclennan.com and follow us on LinkedIn and Twitter.

View source version on businesswire.com: https://www.businesswire.com/news/home/20230406005089/en/

Media:

Amelia Woltering

Marsh McLennan

+1 347 703 5358

amelia.woltering@mmc.com

Source: Marsh McLennan

FAQ

What does Marsh McLennan's report reveal about cybersecurity controls?

The report identifies automated hardening techniques as the most effective cybersecurity control, significantly reducing cyber incident risks.

How much less likely are organizations to face cyber incidents with automated hardening?

Organizations using automated hardening techniques are nearly six times less likely to experience a cyber incident.

What is the impact of multifactor authentication (MFA) according to the report?

MFA is effective when applied broadly; organizations with comprehensive MFA are 1.4 times less likely to face successful cyberattacks.

What percentage of organizations patch high-severity vulnerabilities promptly?

Only 24% of organizations patch high-severity vulnerabilities within seven days, which is essential to reduce cyber event risks.

What is the report's objective for organizations regarding cybersecurity investments?

The report aims to help organizations allocate cybersecurity resources effectively, improving their positions during insurance underwriting.