Digital advances are recreating global business through ongoing advances in artificial intelligence, the Internet of Things (IoT), data availability, blockchain, and other key areas. The rapidity with which these technologies are evolving and reconfiguring traditional business models keeps increasing. Meanwhile, cyber-threats seem to develop just as fast, if not faster.

Today, cyber-risk is about far more than the data breaches and privacy concerns we’ve all heard about in the news. Now it involves maddeningly clever schemes that can disrupt entire companies, industries, supply chains, and nations, and cost the economy billions of dollars. No company, in any sector, is unaffected. The truth is, organizations must accept that cyber-risk can be mitigated, managed, and recovered from. But it’s impossible to escape from.

That stark reality is outlined in the 2019 Global Cyber Risk Perception Survey, joint research conducted by Microsoft and insurance broker Marsh, based on a global poll of 1,500 business leaders. The survey finds that cyber-risk is now perched atop most corporate risk agendas. However, many organizations are still wrestling with how best to respond to cyber-risk in the context of their broader risk framework. This, even as an endless flood of technological advances introduces novel and undreamed-of cyber-risk concerns.

Growing awareness, declining confidence

Around the world, organizations are showing a worrisome disconnect between their acknowledgement of cyber-risk as a top-rank priority and the way they are dealing with it. Essentially, it seems that organizations are zeroing in more on technology and prevention than on setting aside the time, resources, and activities they need to build meaningful cyber-resilience.

Seventy-nine percent of respondents ranked cyber-risk as a top-five concern in their organization. This, in comparison to 62 percent in 2017.
In fact, the number of firms that cited cyber-risk as their prime concern almost quadrupled, from 6 percent to 22 percent.

This year’s survey revealed a notable drop in the firms’ confidence in every cyber-resilience area that matters. These include understanding, assessing, and measuring potential cyber-risks; the ability to reduce the likelihood of cyber-attacks or avert potential damage; and managing, responding to, and recovering from adverse cyber-events. This year, a mere 11 percent of companies reported a high degree of confidence in all three aspects of cyber resilience.

Lax risk management

However, to some extent, this is a known pattern. Many executives still sit on their hands and act after they’re hit by a cyber-attack. Two-thirds (64 percent) of survey respondents said that a cyber-attack on their company would be the biggest driver of increased cyber-risk spending.

Also, in spite of the general enthusiasm for novel and evolving technologies and working methods, some survey respondents were unsure about how risky it was to actually use them. Only 36 percent assessed the risks before and after they adopted new technologies, and only 5 percent evaluated risks across the product’s full lifecycle. A whopping 11 percent don’t check anything out at all.

Cyber governance remains IT’s job

Although cyber-risk is one of the top organizational priorities, the degree to which firms are figuring out who takes ownership of cyber-risk and oversees risk management efforts doesn’t always line up with that ranking. Much of the time, the people who should be on top of it, or at least involved in it, are not.
Information technology and information security departments are still viewed as the primary owners of cyber-risk management.

Nine out of ten respondents (88 percent) cited information technology/information security (IT/InfoSec) as one of the three main owners of cyber-risk management, followed by executive leadership/board (65 percent) and risk management (49 percent).

More airtime needed

There is a lot of opportunity to give risk management teams more say in cyber-risk agendas — but only about half of organizations said this was the case in 2019. Still, that’s much better than the 32 percent response of 2017, and indicates greater ownership by risk management. Generally, the ranking of boards, IT and risk managers as the main owners of cyber risk management is a good sign that the right people are leading the way. That said, the fact that IT is still usually named as a primary owner nearly twice as often as risk management shows that corporate leaders still view cyber-risk as a technology matter, and not a critical business threat that requires a strategic, whole-company risk-management approach.

Less than 20 percent of senior leaders and board members spent more than a few days last year thinking hard about their cyber-risk exposure and what they should do to counter an active threat. Only 30 percent of the IT respondents said they spent only a few days or less doing the same thing. This low level of focus on the issue is worrisome, especially since these two constituencies are among the top three corporate owners of cyber-risk management.

As cyber-risks become more sophisticated and difficult to fight, the report’s findings show a positive trend. Enterprises are gradually starting to put best practices in cyber-risk management into place.
Virtually everyone understands the magnitude of the risk.

That said, the 2019 survey shows there’s still a gulf between cyber risk’s ranking on the corporate risk agenda and the degree to which organizational cyber-risk management has evolved on the ground to deal with looming challenges.

It’s time that companies begin taking cyber-risk more seriously by directing real resources, and not more talk, towards the issue. More and more, business is inextricably tied to the digital world, from internal communications and supply chains, to sales and customer satisfaction. A successful cyber-attack can cripple or destroy a company’s brand and its reputation, not to mention wreak havoc on the bottom line. Consequently, doing what worked yesterday is no longer enough. Today, companies must shift their thinking from a focus on the security of their firm only and accept the reality that they are responsible for network security across the entire supply chain. Doing that effectively entails a wrap-around approach that includes risk assessment, measurement, mitigation, transfer, and planning. The combination of these elements that works best will depend on each company’s individual risk profile and risk tolerance.