Now that businesses have a clear understanding of the need to implement cybersecurity controls, it is time to focus efforts on deploying the tools, according to the authors of a recent report.
In the document Using data to prioritize cybersecurity investments published in 2023, experts from Marsh McLennan proposed ways to limit losses. In a recent report from its Cyber Risk Intelligence Center (CRIC), the firm provides an update on the implementation of cybersecurity controls.
The authors of the 2025 report, entitled Cybersecurity signals: Connecting controls and incident outcomes, confirm the links between the implementation of these controls and the likelihood of a cyber insurance claim. “Our research continues to demonstrate that focusing on cybersecurity fundamentals is critical, as these foundational practices correlated highly with a reduction in the likelihood of cyber incidents,” they say.
“By prioritizing essential controls and adhering to best practices, organizations may minimize their risk exposure and enhance their cyber resilience. In addition, we hope this research continues to drive the industry toward a more evidence-based approach to security investment,” add the CRIC experts.
“Cybersecurity awareness training also demonstrated increased value, highlighting the importance of maintaining an educated and vigilant workforce,” the authors add.
Key indicators
Over the years, the global insurance brokerage giant has developed its cybersecurity practices assessment grid, called Cyber Self-Assessment (CSA). Based on a positive or negative response to the criteria established in the CSA, the company claims to be able to estimate the likelihood of a security breach. The questions are updated as threats evolve.
The 2025 report highlights experts' concerns about twelve key indicators for cybersecurity control. “Our findings highlight the significance not only of implementing certain controls, but also of ensuring their comprehensive deployment and proper configuration,” say CRIC experts.
They note that the effectiveness of user-level control solutions (endpoint detection response, or EDR) appears to be maximized when deployed on a high percentage of computers and used in blocking mode as often as possible. “Similarly, the capabilities of a security operations center (SOC) may play a crucial role in helping to enhance security outcomes, emphasizing that the quality of implementation may be as important as the presence of controls themselves,” they add.
In addition, the experts' analysis reveals that incident response planning, cybersecurity awareness training, and regular vulnerability management practices can be essential to creating a resilient security posture. “Organizations that engage in proactive training and maintain rigorous vulnerability assessment and patching processes appeared to be better positioned to mitigate risks associated with evolving cyber threats,” note the CRIC experts.
This article is a Magazine Supplement of the October 2025 issue of the Insurance Journal.