2023 Cyber Resilience Report

This is article 17 of 18 in this Report.

August 01, 2023

Behind the Data: Research Methodology

This report is based on Aon Cyber Quotient (CyQu) assessment scores collected from 2,946 unique Aon client organizations across Australia, Canada, Latin America, the United States, EMEA, and the United Kingdom, complemented by supplemental assessment data collected from 1,933 unique Aon U.S. and UK client organizations.

Key Takeaways

  1. Aon’s CyQu self-reported assessment scores risk in 35 critical controls across nine security domains.
  2. The Ransomware Supplemental Application identifies 33 potential gaps in critical security controls that may limit cyber insurance coverage or trigger a red flag.
  3. The Operational Technology Supplemental gives expanded visibility into 22 operational technology security controls prioritized by insurance carriers.

The 2023 Cyber Resilience Report is based on proprietary client data collected from Aon’s Cyber Quotient Evaluation (CyQu), Aon’s Ransomware Supplemental Application, and Aon’s Operational Technology Supplemental.

CyQu is a global eSubmission and risk assessment platform that helps organizations better manage cyber risk by providing visibility into cyber exposures and insurability drivers. CyQu features a patent-pending analytics methodology and is rooted in both ISO standards and the National Institute of Standards and Technology framework. The framework is regularly adjusted to reflect feedback from the cyber insurance underwriting community. Accepted by all major U.S. markets, CyQu and its Supplementals help align over 65 cyber insurers around a single client insurance submission process.

The CyQu self-reported assessment scores risk in 35 critical controls across nine security domains to offer greater insight into an organization’s most significant risks and control effectiveness.

This Report is based on CyQu assessment scores collected from 2,946 unique Aon client organizations across Australia, Canada, Latin America, the United States, EMEA, and the United Kingdom. The sample includes representation across industries and revenue bands. Clients’ self-reported responses are scored on a scale of 1 to 4 (4 being the best). Trend insights within this Report were derived from comparing changes between 2020 and 2022 CyQu data.


CyQu Global Industry Distribution

* ‘Other Industries’ category represents responses from clients in the following industries: Accommodation and Food Services, Agriculture, Arts, Entertainment and Recreation, Management of Companies and Enterprises, Public Administration, Utilities, Waste Management and Remediation Services, and Administration and Support, Wholesale Trade.

** ‘Other Services’ category is self-selected by the client.


CyQu Global Client Segment Distribution

Client Revenue segments:
Global: >$5B
Enterprise: $5B-$2B
Mid-Market: $100M-$2B
SME: <$100M


Regional Distribution

America: United States, Canada

United Kingdom and EMEA: Austria, Belgium, Denmark, Finland, France, Germany, Ireland, Italy, Luxembourg, Netherlands, Norway, Poland, Portugal, Spain, Sweden, Switzerland, Turkey, United Kingdom

Latin America: Argentina, Brazil, Chile, Colombia, Ecuador, Mexico, Peru, Puerto Rico

Asia Pacific: Australia


Augmenting this data are proprietary insights from Aon’s Ransomware Supplemental Application and Operational Technology Supplemental. Aon’s Ransomware Supplemental Application identifies 33 potential gaps in critical security controls that may limit cyber insurance coverage or trigger a red flag. The Operational Technology Supplemental gives expanded visibility into 22 operational technology security controls prioritized by insurance carriers. This Report is based on Supplemental assessment flags collected from 1,933 unique Aon U.S. and UK client organizations across industries and revenue bands. Guided by Aon’s key underwriting controls and its red flag analysis, developed through broker and underwriter input, this report demonstrates how clients can use data to help prioritize their security investments. Trend insights within this Report were derived from comparing changes between 2021 and 2022 for the Ransomware Supplemental Application and for 2022 for the Operational Technology Supplemental.


US Ransomware Supplemental Application Industry Distribution

* ‘Other Industries’ category represents responses from clients in the following industries: Accommodation and Food Services, Agriculture, Arts, Entertainment and Recreation, Management of Companies and Enterprises, Public Administration, Utilities, Waste Management and Remediation Services, and Administration and Support, Wholesale Trade.

** ‘Other Services’ category is self-selected by the client.


US Ransomware Supplemental Application Client Segment Distribution


US Operational Technology Supplemental Industry Distribution


EMEA and UK Ransomware Supplemental Application Client Segment Distribution


EMEA and UK Ransomware Supplemental Application Industry Distribution

* ‘Other Industries’ category represents responses from clients in the following industries: Accommodation and Food Services, Agriculture, Arts, Entertainment and Recreation, Management of Companies and Enterprises, Public Administration, Utilities, Waste Management and Remediation Services, and Administration and Support, Wholesale Trade.

** ‘Other Services’ category is self-selected by the client.


Glossary

Risk Themes and Controls Definitions


Insurance products and services are offered by Aon Risk Insurance Services West, Inc., Aon Risk Services Central, Inc., Aon Risk Services Northeast, Inc., Aon Risk Services Southwest, Inc., and Aon Risk Services, Inc. of Florida, and their licensed affiliates.

The information contained herein and the statements expressed are of a general nature, not intended to address the circumstances of any particular individual or entity and provided for informational purposes only. The information does not replace the advice of legal counsel or a cyber insurance professional and should not be relied upon for any such purpose. Although we endeavor to provide accurate and timely information and use sources we consider reliable, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future.

Managing cyber across six featured risk themes.

This year’s report is a guide for leaders to benchmark their organization’s risk maturity against peer companies and to help make better decisions around managing cyber across six featured risk themes: cyber, operational, supply chain, insider, reputational, and systemic.