
Incident response, MFA, and EDR rank as top controls in Marsh McLennan’s latest cyber risk study - Industrial Cyber

Industrial Cyber, archived Mar 16, 2026

SEPTEMBER 01, 2025

Marsh McLennan, through its Cyber Risk Intelligence Center, examines which cybersecurity measures actually reduce risk and pushes the conversation on how controls should be evaluated across the industry. The report explores how the cybersecurity control landscape has evolved over the past two years to keep defenses relevant, identifies which controls are most widely adopted and which truly deliver the greatest risk reduction, and pinpoints the five control areas proven to have the biggest impact on lowering organizational risk exposure.

Building on its 2023 report, Using Data to Prioritize Cybersecurity Investments, which delivered one of the first large-scale, evidence-based analyses of control effectiveness, Marsh McLennan’s study draws on data from thousands of organizations’ cyber control implementations. The results highlight a critical shift as the question is no longer whether a control exists but how well it is deployed.

The Marsh McLennan study found that most of the controls analyzed in the 2023 report are now even more widely adopted, shifting the focus from whether a control is in place to how effectively it is deployed. Incident response planning emerged as a top control, even though the analysis primarily measured breach likelihood rather than severity. This finding demonstrates that incident response planning and testing drive positive security behaviors and strengthen control implementation across organizations. Endpoint detection and response (EDR) and multi-factor authentication (MFA) continue to play a critical role, with growing emphasis on the scope and configuration of those deployments.
Logging and monitoring also contained several high-ranking signals, particularly around logon monitoring, security information and event management (SIEM), and security operations center (SOC) capabilities. Cyber awareness training showed increased value, underscoring the importance of maintaining an educated and vigilant workforce. Patching and vulnerability management remain essential as well, with the study stressing the need for regular assessments and greater use of automation to close gaps quickly.

Marsh’s research continues to demonstrate that focusing on cybersecurity fundamentals is critical, as these foundational practices correlate highly with a reduction in the likelihood of cyber incidents. By prioritizing essential controls and adhering to best practices, organizations may minimize their risk exposure and enhance their cyber resilience. In addition, we hope this research continues to drive the industry toward a more evidence-based approach to security investment.

In the report, ‘signal strength’ is defined as the probability of a breach claim when a control is absent or receives a negative response, divided by the probability of a breach claim when that same control is present or receives a positive response. A signal strength above one indicates that the control is associated with a reduced likelihood of a breach. The higher the signal strength, the stronger the correlation, making it a clear indicator of which controls should be prioritized.

Over the last two years, the nature of questions in the Marsh Cyber Self-Assessment (CSA) has changed, along with many changes in the threat and insurance space. “In addition, we have adjusted our calculations to account for variation in threat levels across industries, in an effort to more accurately evaluate control effects. For these reasons, a one-to-one comparison of 2023 values to 2025 values at a signal level is not appropriate.
Instead, we categorized the 2025 control signals into the 12 key control groups that reflect major categories of controls tracked in the cyber insurance industry.” Marsh also calculated the relative ranking and range of each of these controls, as well as the boxplot for each control, determined by the signals it contains.

The report identified that two key signals rose to the top of the EDR category. “The first relates to the extent of EDR deployment among workstations and laptops. The implementation of endpoint security tools reduced expected breaches. However, the extent of EDR deployment has a significant impact on the degree to which advanced endpoint security/EDR deployment can help. We found that across thousands of CSA respondents, each jump of 25% in deployment was correlated with an additional decrease in breach likelihood. Put another way, the total benefits of EDR deployment appear to be more fully realized when it is deployed to 100% of workstations and laptops.”

The Marsh McLennan report identified the second theme as being that it may be critical to fully use the capabilities of modern EDR solutions, namely blocking, which prohibits execution of malicious code. Organizations that noted that their endpoint tools were deployed in blocking mode saw a further decrease in breach likelihood.

“In 2023, deploying MFA was still a significant step forward for many companies. Since then, positive CSA responses regarding MFA adoption have neared 90% to 100% across almost all organizations,” the report highlighted. “While still critical, the mere presence of MFA is no longer a strong risk differentiator in recent data, largely because there are few organizations without it. The differentiators now are in the type of MFA enforcement. Is the MFA deployment resistant to phishing and bypass? What is the organization’s complete scope of MFA enforcement?
These questions are key to mitigating modern cyber threats.”

Marsh McLennan analyzed cyber awareness training, highlighting the importance of user education and phishing simulation to better understand the rapidly evolving phishing environment. “Interestingly, some signals indicated a priority of realistic or updated training versus the cadence of training, suggesting that quality, not frequency, of training may be the more important factor. This resonates in today’s threat environment: Users in 2025 are likely already aware of cyber threats — now they want to know how to identify and respond to them.” The report states that realistic simulations and up-to-date training can prepare employees beyond general awareness, giving them the tools and practice to reduce risk.

With vulnerability exploitation at or near the top of many threat intelligence reports, Marsh McLennan reported that vulnerability patching and mitigation have never seen more attention than now. “There is active discussion around which metrics to prioritize and what scores to use when managing the seemingly endless barrage of vulnerabilities in a modern network. Our analysis of signals showed that good habits and foundational processes, including regular assessment and evaluation behaviors, correlated with reduction in breach likelihood.”

The report identified that increased patching frequency had a positive security signal; “however, when we isolated the effect of specific timelines for the common vulnerability scoring system (CVSS) score, the signal strength was much lower. This suggests that relying on CVSS scoring alone may be insufficient to enforce strict patching targets. Additionally, automating patch management had a high signal strength, which indicates the benefits of removing manual steps to patching processes.
Recognizing this is not possible for all assets, it also highlights the potential benefits of obviating patch management altogether via cloud-hosted services.”

Anna Ribeiro, Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.