Although at their heart they focus on post-breach mitigation and remediation, cyber incident response plans are emerging as a very important cyber security control when it comes to reducing overall risk, particularly the risk of having to claim against cyber insurance.
This is according to a newly published report produced by professional services firm Marsh McLennan, through its Cyber Risk Intelligence Centre (CRIC).
Titled Cybersecurity signals: Connecting controls and incident outcomes, the report revealed that organisations that conduct regular tabletop wargame exercises and scenario-based breach response drills are 13% less likely to fall victim to a material cyber incident than those that do not.
“Marsh has long advocated proactive cyber incident response planning as a tool to help organisations effectively and efficiently respond to and recover from a cyber attack,” said Tom Reagan, global cyber practice leader at Marsh McLennan.
“What our latest research confirms is that thoughtful planning also drives secondary benefits like positive security behaviours and strong control implementations, which help build more organisational resilience and reduce breach incidents,” he said.
Two years have elapsed since Marsh McLennan’s CRIC first started tracking the correlation between the core security controls that cyber insurers take into account and the likelihood of making a claim.
To do this, it has been drawing data from thousands of organisations using Marsh McLennan’s Cyber Self Assessment service to examine their risk levels and help them prepare better for investing in cyber insurance, and analysing this information against claims histories to derive relationships between security practice and claim likelihood.
In the intervening time, much has changed, so it is not really possible to draw a direct comparison between 2023 and 2025, but that said, incident response planning now ranks as the fourth most effective control, behind endpoint detection and response (EDR), logging and monitoring, and security awareness training and phishing testing.
Marsh McLennan said it was possible, though not proven, that effective incident response planning and policies are leading to secondary benefits, exposing other gaps in enterprise security programmes and driving further investment.
Upward trend
Across the other core cyber controls explored in the 2023 report, Marsh McLennan found positive indicators that enterprises are generally improving their security postures two years on.
For example, the number of respondents who have implemented EDR has grown by 9%, from 82% to 91%, while the number who evaluate and quarantine inbound email attachments has grown by 8%, from 75% to 83%.
More impressively, enterprises are demonstrating a much more mature approach to patching. The number that now set target windows to patch high-severity and critical-severity vulnerabilities has soared, from 24% to 89% and from 53% to 89% respectively.
Other metrics saw low single-digit percentage point growth – however, against one control, things did appear to be going backwards. The number of respondents who said they used endpoint privilege management to manage desktop or local admin privileges dropped from an already low 35% to 27%.
“Our findings emphasise that simply deploying key cyber security controls is no longer enough – these tools must be properly managed and comprehensively used,” said CRIC head Scott Stransky.
“By drawing on our insights, organisations can make informed decisions to strengthen their security frameworks and help reduce their exposure to cyber risks.”
