Navigating the path towards Cyber and Business Resilience.
2023 Cyber Resilience Report
Companies of all sizes will find this report to be a resource and tool to help inform Cyber risk decision-making in 2023 and beyond. Cyber resilience is a journey, best navigated in partnership and through teamwork.
Companies are coming off a challenging four years marked by the rise in the number and severity of cyber threats and ransomware attacks, followed by an insurance market with rising premiums and retentions and significant underwriting scrutiny. In working with clients, we observed that the C-suite came to the stark realization that cyber events have the potential to impact all areas of their business. Consequentially, achieving cyber resilience is a recurring theme in board room discussions and the threat is finally being considered from a holistic risk perspective.
Between 2020 and 2022, insurers reacted to the sheer enormity of cyber risk and the need to ensure profitability.
Increased underwriting rigor was introduced in the cyber and E&O market resulting in deeper scrutiny of security controls, more rigid guidelines, and re-evaluation of cyber risk overall.1 Based on Aon client-reported data, organizations responded to this increased rigor and began to focus more on improving risk maturity in controls designated as critical, or red flags, by insurers.
This year’s report is a guide for leaders to benchmark their organization’s risk maturity against peer companies and to help make better decisions around managing cyber across six featured risk themes: cyber, operational, supply chain, insider, reputational, and systemic. Data collected globally, from over 2,000 Aon clients across regions, industries, and revenue bands from Aon’s Cyber Quotient (CyQu), a global eSubmission and risk assessment platform, inform this Report. Augmenting this CyQu data is input from Aon’s Ransomware Supplemental Application and Operational Technology Supplemental providing expanded visibility into security controls prioritized by insurance carriers.2 This client input was then layered with cyber claims market intelligence and enriched with commentary from Aon’s Cyber Advisory and Digital Forensics & Incident Response teams, allowing us to provide a comprehensive examination of cyber resilience and risk within this report. The CyQu data helps clarify the broad understanding that the insurance marketplace is a crucial driver of the accepted controls that drive accepted maturity in cyber security. Clients reported that cyber maturity and readiness improved between 2020 and 2022, realizing a global average shift from “basic” to “managed”cyber maturity. Companies, in general, employed measures to strengthen security domains and controls deemed critical by insurers, including an increased focus on access management and multi-factor authentication (MFA) strategies. Correlated with this, we saw ransomware claims decline by 32 percent, and overall cyber insurance claims frequency decline by 14 percent in 2022.3
In contrast, based on the data, organizations across all sectors struggled with third-party risk management, for which no sector reported a “managed” profile. While this result is not surprising, it tends to validate a rising theme within the cyber industry that the risk introduced across a company’s supply chain is complex, and the deepening interconnection across technology stacks exponentially increases third-party risk. As a result of this heightened risk, most recently illustrated in a delivery platform data breach, we expect that many insurers will shift their focus to systemic and correlated risk exposure and impact this year.
This preliminary data marks the tip of the insight delivered across this report. Individual articles comprise this report. Sector analysis is delivered for the finance and insurance, healthcare, and manufacturing industries, and regional views will be published for North America, EMEA, the United Kingdom, Latin America, and Asia Pacific.
Navigating the path towards achieving cyber and ultimately, business resilience, is a significant challenge for any organization. Resilience is an essential component to help minimize risk from a financial, operational and reputational perspective. It demands a holistic view that connects proactive risk management, response preparation, and risk transfer mechanisms. Risk transfer is a fundamental component of resilience and not limited to traditional insurance placement alone. Captives and alternative capital are viable options to be considered for balance sheet protection. Whether you are steering a Fortune 100 company or leading a small to medium-sized entity facing similar risks, yet feeling underserved by the marketplace, I hope this report is a resource and tool to help inform your 2023 and beyond decision-making. Cyber resilience is a journey, best navigated in partnership and through teamwork.
Christian E. Hoffman
Aon Global Cyber Leader
2 See the ‘Methodology‘ article within Aon’s 2023 Cyber Resilience Report
3 Source: Risk Based Security, analysis by Aon. Data as of 1/3/2023
Our Cyber Resilience Journey
The Story Behind Aon’s Cyber Quotient Evaluation (CyQu)
Cyber resilience is a journey. This article explains how CyQu has been redesigned to streamline the complex process of gathering underwriting information year over year. By aligning a market of insurers around a single information intake process, CyQu encourages greater efficiency, data-informed decisions, and collaboration.
Managing cyber across six featured risk themes.
This year’s report is a guide for leaders to benchmark their organization’s risk maturity against peer companies and to help make better decisions around managing cyber across six featured risk themes: cyber, operational, supply chain, insider, reputational, and systemic.
How Cyber Risk Touches Nearly all Aspects of Business Risk
Increased underwriting rigor in the cyber and E&O insurance market helped drive growth in cyber risk maturity across industries and revenue bands in 2022.
Cyber Insider Threats are a Growing Business Risk
Malicious actors know that humans are fallible. In 2022, two in five companies reported a lack of security operations center (SOC) controls, intensifying insider risk.
Take These Steps to Mitigate Operational Risks
Insurance carriers prioritized controls related to operational risk in 2022, and clients responded. While ransomware data breaches dipped down for short period, there was an uptick in Q1 2023 and phishing and spear phishing schemes present great risk.
Build a Plan to Address the Perils of Reputational Risk
Cyber attacks can be damaging to shareholder value. But not all companies lose value because of an attack. Research revealed 17 companies that realized an average value impact, over and above the market, of +18 percent post-event, or a total value impact of $445bn following an incident.
Cyber Attacks on Supply Chains Are Causing a Widespread Impact
Cyber threats add a layer of complexity to supply chain risk. Third-party risk management, central to protecting the organization, received the lowest CyQu score of all nine scored domains.
Building cyber resilience across industries.
Sectors often face a complex globally interconnected risk landscape and leaders should make decisions that demand rapid analysis and execution.
Finance and Insurance
Backup security continues to be an area of vulnerability for the sector, and U.S. companies reported deficiencies in almost 40 percent of the critical IT controls. This domain needs to be an area of focus in 2023.
No other sector must make security decisions that could impact the safety and wellbeing of patients like the healthcare sector. Mid-market and enterprise and global healthcare clients reported improved cyber risk profiles with the majority moving from “basic” to “managed”.
Manufacturers enjoyed steady improvement in their overall cyber risk profile between 2020 and 2022. But resilience is still a work in progress, with U.S. manufacturers especially lacking significant business resilience IT controls.
Cyber Maturity by Region
Companies’ overall cyber maturity can differ per region. Learn more about the gaps, challenges and opportunities, including suggested steps leaders can take to build cyber and business resilience.
Asia-Pacific: Shifting Threat Landscape
For the first time, cyber earns a place in Asia Pacific’s top five list of business risk rankings. Companies report improvement in cyber maturity levels with a focus on governance, data protection and supply chain controls
Europe, the Middle East and Africa: Forward Movement Demonstrates Shifting Mindset
EMEA companies focused on improving data security and safeguarding organizational data in 2022, partly driven by the Ukraine-Russia conflict.
Latin America: Three Crucial At-Risk Control Areas
Latin American companies' overall cyber maturity is close to those in EMEA and the UK, yet three significant gaps surfaced: third-party management, business resilience and application security.
North America: Cyber Resiliency Improving — But with Room to Grow
Organizations across North America have recorded broad improvements in critical areas of cyber resiliency. However, there are opportunities for improvement in key areas such as backup strategy and MFA — particularly for small and medium-sized companies.
Aon’s CSO Viewpoint
Bridging the C-suite: Perspectives from Aon’s CSO
Cyber incidents can impact every area of a business. Dismantling the silos across the C-suite is essential if an organization is to increase their odds in winning the cyber battle. Because security and technology are discussed at boardroom level, the link between executive leadership and the CSO must be strong.
Build Ransomware Resilience
Ransomware Attacks are Up: 8 Steps to Build Better Resilience
After more than a year of declining ransomware frequency, attacks increased in early 2023. Underwriting security controls and assessments have helped mitigate attacks, but better resilience is still needed. These eight steps can help build that resilience.
Behind the Data: Research Methodology
2023 Cyber Resilience Report is based on proprietary client data collected from Aon’s Cyber Quotient Evaluation (CyQu) and Aon’s Ransomware Supplemental Application and Operational Technology Supplemental.