
Incident response planning reduces the risk of a cyber security insurance claim


Although at their heart they focus on post-incident mitigation and cleanup, cyber incident response plans are emerging as a very important cybersecurity control when it comes to reducing overall risk, particularly the risk of having to file a cybersecurity insurance claim.

This is according to a report prepared by professional services firm Marsh McLennan through its Cyber Risk Intelligence Center (CRIC).

Titled Cybersecurity Signals: Connecting Control and Incident Outcomes, the report found that organizations that regularly conduct tabletop wargame exercises and scenario-based breach response training are 13% less likely to become victims of a significant cyber incident than those that do not.

“Marsh has long supported proactive cyber incident response planning as a tool to help organizations respond to and recover from cyberattacks effectively and efficiently,” said Tom Reagan, global cyber practice leader at Marsh McLennan.

“What our latest research confirms is that thoughtful planning also creates secondary benefits, such as positive safety behaviors and strong control implementation, which help build greater organizational resilience and reduce incidents of breaches,” he said.

It’s been two years since Marsh McLennan’s CRIC first began tracking the correlation between key security controls considered by cyber insurers and the likelihood of a claim.

To do this, it has obtained data from thousands of organizations using Marsh McLennan’s Cybercrime Service to examine their risk levels and help them better prepare for cybersecurity investments, and analyzed this information against claims history to derive a relationship between security practices and the likelihood of claims.

A lot has changed in the interim, so it’s not really possible to make a direct comparison between 2023 and 2025, but it does mean that incident response planning is now the fourth most effective control, behind endpoint detection and response (EDR), logging and monitoring, as well as security awareness training and phishing testing.

Marsh McLennan said it is possible, although not proven, that effective response planning and policies create secondary benefits by exposing other weaknesses in a company’s security programs and driving further investment.

Upward trend

Across all other cyber controls explored in the 2023 report, Marsh McLennan found positive indicators that companies typically improve their security postures after two years.

For example, the number of respondents who have implemented EDR has increased by 9%, from 82% to 91%, while the number who assess and quarantine incoming email attachments has increased by 8%, from 75% to 83%.

More impressively, companies are demonstrating a much more mature approach to patching. The number now setting target windows for patching high-severity and critical-severity vulnerabilities has increased from 24% to 89% and from 53% to 89%, respectively.

Other metrics saw low single-digit percentage point increases. On one control, however, things appeared to be going backwards. The number of respondents who said they used endpoint privilege management to manage desktop or local administrator privileges fell from an already low 35% to 27%.

“Our findings highlight that simply deploying key cybersecurity controls is no longer enough – these tools must be properly managed and comprehensively used,” said Scott Stransky, CRIC CEO.

“Using our insights, organizations can make informed decisions to strengthen their security frameworks and help reduce their exposure to cybercrime.”
