Groundbreaking Research from Marsh McLennan Reveals Direct Link between Key Cybersecurity Controls and Reduced Cyber Risk

Marsh McLennan (NYSE: MMC), the world’s leading professional services firm in the areas of risk, strategy and people, today released a report from its Cyber Risk Analytics Center that directly links key cybersecurity controls commonly required by cyber insurers to a reduced chance of a cyber incident. By assessing the relative effectiveness of each control, organizations are now able to allocate resources towards those that provide the best protection, better position their risk with insurers, and build their cyber resiliency more confidently.

This press release features multimedia. View the full release here:

According to a new Marsh McLennan report, these five controls, among the 12 key control categories commonly required by cyber insurers, were determined to have the greatest ability to decrease the likelihood of a successful cyberattack. (Graphic: Business Wire)

According to a new Marsh McLennan report, these five controls, among the 12 key control categories commonly required by cyber insurers, were determined to have the greatest ability to decrease the likelihood of a successful cyberattack. (Graphic: Business Wire)

According to the report, Using data to prioritize cybersecurity investments, automated hardening techniques were found, by a wide margin, to have the greatest ability of any control studied to decrease the likelihood of a successful cyberattack. Organizations with such techniques in place, which apply baseline security configurations to system components like servers and operating systems, are nearly six times less likely to have a cyber incident than those that do not.

The finding is surprising, the report notes, given that until now, the three controls most frequently recommended by insurers have been endpoint detection and response (EDR), multifactor authentication (MFA), and privileged access management (PAM).

The analysis also shows that MFA, long a staple among cybersecurity tools and recommendations, only works when it is in place for all critical and sensitive data, for all remote login access, and for administrator account access. Organizations with such broad implementation are 1.4 times less likely to experience a successful cyberattack than those that do not.

Additionally, patching high severity vulnerabilities across the enterprise within seven days of the patch’s release ties as the fourth most effective control – decreasing an organization’s probability of experiencing a cyber event by a factor of 2, yet it is has the lowest implementation rate among organizations studied, at only 24%, the report found.

“All of the key controls in our study are well-known best practices, commonly required by underwriters to obtain cyber insurance. However, many organizations are unsure which controls to adopt and rely on expert opinions rather than data to make decisions,” said Tom Reagan, US and Canada Cyber Practice Leader, Marsh. “Our research provides organizations the data they need to more effectively direct cybersecurity investments, which in turn, helps favorably position them during the cyber insurance underwriting process. It is another step toward building not only a more resilient cyber insurance market, but also a more cyber resilient economy.”

For the report, Marsh McLennan paired its extensive proprietary dataset of cyber claims with the results from Marsh Cybersecurity Self-Assessment (CSA) questionnaires, which are composed of hundreds of questions and responses from individual organizations. Based on the correlation, data scientists calculated and assigned a “signal strength” to each control. The higher the signal strength, the greater the impact the control has on decreasing the likelihood of an event.

Among the hundreds of cyber capabilities, tools, and implementation techniques analyzed and measured, the report focuses only on those falling within the 12 key control categories commonly required by cyber insurers. Among those, the top five controls determined most effective are:

Key control category

Signal strength

Hardening techniques

System configuration management tools, such as active directory group policy, which enforce and redeploy configuration settings to systems


Privileged access management

Managing desktop or local administrator privileges via endpoint privilege management (EPM)


Endpoint detection and response

Operating advanced endpoint security


Logging and monitoring

Operating a security operations center (SOC) and/or having an outsourced managed security service provider (MSSP) with the following capabilities at a minimum:

a. Established incident alert thresholds

b. Security incident and event management (SIEM) monitoring and alerting for unauthorized access connections, devices and software


Patched systems

Patching common vulnerability scoring system (CVSS) v3 high severity 7.0-8.9 vulnerabilities across the enterprise within 7 calendar days of release


Additional insights from the research will be used as part of a forthcoming cyber event attritional loss model from Marsh McLennan that will inform insureds of potential losses they could suffer, and the potential savings benefit from increasing their cybersecurity posture.

“Marsh McLennan launched the Cyber Risk Analytics Center in late 2021 with the goal of helping organizations make smarter investments in the ways they identify, prepare for, and recover from cyber risk,” said Scott Stransky, who leads the Marsh McLennan enterprise-wide resource. “This groundbreaking report will be indispensable to Marsh McLennan clients as we work together to build society’s resilience to this critical and costly risk.”

About Marsh McLennan

Marsh McLennan (NYSE: MMC) is the world’s leading professional services firm in the areas of risk, strategy and people. The Company’s more than 85,000 colleagues advise clients in 130 countries. With annual revenue of over $20 billion, Marsh McLennan helps clients navigate an increasingly dynamic and complex environment through four market-leading businesses. Marsh provides data-driven risk advisory services and insurance solutions to commercial and consumer clients. Guy Carpenter develops advanced risk, reinsurance and capital strategies that help clients grow profitably and pursue emerging opportunities. Mercer delivers advice and technology-driven solutions that help organizations redefine the world of work, reshape retirement and investment outcomes, and unlock health and wellbeing for a changing workforce. Oliver Wyman serves as a critical strategic, economic and brand advisor to private sector and governmental clients. For more information, visit and follow us on LinkedIn and Twitter.


Data & News supplied by
Stock quotes supplied by Barchart
Quotes delayed at least 20 minutes.
By accessing this page, you agree to the following
Privacy Policy and Terms and Conditions.