Why Cyber Risk Management Matters: 25 Cybersecurity Statistics

  • October 17, 2019
  • Quantivate

Our focus on cyber risk management continues this week for National Cybersecurity Awareness Month.

Catch up on our previous installment, “How to Stay Ahead of Cybersecurity Threats.”

Maintaining an effective cyber risk management program is a complex undertaking, as organizations struggle to cope with the rapid pace of technological change and the increasing threat of cybercrime. As you’ll see in this roundup of cybersecurity statistics, these and other IT risk management challenges are common, and potentially costly.

Industry research and benchmark studies offer a snapshot of the current cyber risk landscape and reveal how organizations like yours are navigating risk management, reporting, program maturity, and more. They also come with a warning: Neglecting cybersecurity management is a risky business. Browse these cautionary statistics for ideas about pitfalls to avoid and areas for improvement.

Cyber Risk Management

Only 16% of executives say their organizations are well prepared to deal with cyber risk. 6

More than 75% of executives report that their organizations either have no method for measuring cyber risk (49%) or that they do not know whether their organization measures its risk exposure at all (27%). 5

87% of organizations see tech risk management as a siloed, reactive process rather than “an organization-wide function for proactive risk management.” 4

Organizations rank their top three cybersecurity management challenges as: 1) data management complexities, 2) better prioritization of cyber risks across the enterprise, and 3) rapid IT changes. Following close behind were related challenges, including lack of management alignment on priorities and inadequate governance across the organization. 1

Only 18% of organizations leverage automated processes for IT risk data collection and reporting, even though this methodology provides the most proactive approach to risk mitigation. 4

Only 13% of organizations consistently use key risk indicators (KRIs) to understand and manage IT risk. 4


Cybersecurity Program Strategy & Maturity

77% of organizations are operating with limited cybersecurity and resilience. 2

Only 8% of organizations have information security functions that fully meet their needs. 2

53% of organizations have no program (or an obsolete one) for at least one of the following: threat intelligence, vulnerability identification, breach detection, incident response, data protection, and identity and access management. 2

55% of organizations don’t make “protecting” part of their cybersecurity strategy. 2

Fewer than 10% of organizations believe they are mature in key cybersecurity categories such as architecture, identity and access management, metrics and reporting, software security, third-party management, and threat/vulnerability management. 2

Integrating risk management with strategic planning is a major performance gap for many organizations. This extends to cyber risk management as well, with 55% of organizations saying that information security either doesn’t influence business strategy at all, or only somewhat influences business planning. 2

Of nine potential business disruptions typically addressed by corporate boards, cybersecurity ranks among the bottom four in priority. Fewer than 40% of directors say cybersecurity is on their agenda. 7

Only 11% of executives strongly agree that their organizational policies enable them to comply with data protection requirements from various regulators. 1


Cybersecurity Reporting & Analytics

23% of smaller organizations and 16% of larger organizations do not currently produce information security reports. Regardless of size, 75% of all organizations indicate room for improvement, saying their reporting does not fully meet expectations. 2

More than 60% of organizations say their board/executive management team doesn’t have a comprehensive understanding of information security that allows them to fully evaluate cyber risks and preventive measures. 2

50% of C-level executives employ risk quantification tools to track and evaluate their cybersecurity investment decisions. 1


Cybersecurity Threats & Costs

The average cost of a data breach is $150 per record lost, or an average total of $3.9 million per breach. 3

The average time to identify and contain a data breach is 279 days. 3

92% of C-level executives report a need for their organizations to improve policies on how to avoid the disclosure of sensitive business production data. 90% of organizations experienced at least one such disclosure within the past year. 1

Only 18% of organizations have a cybersecurity incident response plan. 5

Identifying critical IT assets and refocusing investment on those areas can save up to 20% of cybersecurity costs. 6


Industry Highlight: Cybersecurity in Financial Services

The financial services sector is a frequent target of cyberattacks. Because banks, credit unions, and other financial organizations possess data that is particularly valuable to criminals, these institutions must take extra precautions to strengthen their data security. Yet research indicates that many companies still have gaps to fill in their cybersecurity programs:

Only 6% of financial services companies say their information security function currently meets their needs, though 65% have plans to make improvements. 2

Financial services organizations are most concerned about cybersecurity program immaturity in the following areas: 2

  • Architecture: 18% report as non-existent or very immature
  • Metrics and reporting: 18% report as non-existent or very immature
  • Asset management: 17% report as non-existent or very immature

Only 16% say that their cybersecurity reporting meets organizational needs. 2


The Takeaway

Effective cyber risk management requires an enterprise-wide strategy for monitoring and measuring risk, identifying and classifying assets, reporting to the board and executive management, and other key cybersecurity program components. To avoid some of the challenges and costs represented in these statistics, businesses must continually improve and mature their IT risk management capabilities.

Find out how Quantivate can help accelerate program implementation and maturity by exploring our IT Risk Solution.


  1. Deloitte, Future of Cyber Survey, 2019
  2. Ernst & Young (EY), Global Information Security Survey, 2018–2019
  3. IBM Security / Ponemon Institute, Cost of a Data Breach Report, 2019
  4. KPMG / Forbes Insights, Disruption Is the New Norm: Tech Risk Management Survey Report, 2018
  5. Marsh & McLennan Agency, Managing Cybersecurity: The Cyber Risk Perception Survey, 2018
  6. McKinsey & Company, A New Posture for Cybersecurity in a Networked World, 2018
  7. McKinsey & Company, A Time for Boards to Act, 2018