Aon plc (NYSE: AON), a leading global professional services firm, published its 2023 Cyber Resilience Report, revealing that, on average, a major cyber incident resulted in a 9 percent decrease in shareholder value – over and above the market – in the year following the event. The report serves as a guide to help business leaders benchmark their organisation’s cyber risk maturity against peers and make better decisions when managing cyber across six risk areas: cyber, operational, supply chain, insider, reputational and systemic.
Aon’s global report is based on proprietary client data collected from Aon’s Cyber Quotient Evaluation (CyQu), Aon’s Ransomware Supplemental Application and Aon’s Operational Technology Application. CyQu is a global eSubmission and risk assessment platform that helps organisations better manage cyber risk by providing visibility into cyber exposures and insurability drivers.
“Companies have experienced new forms of volatility over the last four years, experiencing a rise in the frequency and severity of cyber threats and ransomware events, followed by a cyber insurance market with rising premiums and retentions with significant underwriting scrutiny,” said Christian Hoffman, global cyber leader for Aon. “We observe that the C-suite increasingly sees that cyber events have the potential to impact all areas of their business. Achieving cyber resilience is a recurring theme in board room discussions and the threat is now being addressed from a holistic risk perspective.”
Additional highlights from the global report include:
- Cyber risk: Five domains – endpoint and systems security, remote work, application security, access control and data security – demonstrated the most improvement on changes to CyQu risk profiles, providing greater insight into an organisation’s most significant risks and control effectiveness.
- Operational risk: Ransomware events decreased 16 percent from Q3 2022 to Q4 2022, but data from the cyber and errors and omissions insurance marketplace show an uptick in Q1 2023.
- Insider risk: Two in five companies reported a lack of security operations centre controls, which highlights the need for improved cyber security measures to prevent phishing, the most common vector for initial network access.
- Systemic risk: Managing systemic risk is a high priority, stemming from the use of technology in an interconnected world. As cyber threats evolve, risk quantification models and scenario planning are being refined to accurately determine an organisation’s risk profile and inform the extent of cyber insurance coverage required.
Aon also published key insights by industry, including:
- Finance and insurance: Insurance claims are rising, with a 38 percent increase in ransomware claims from Q4 2022 to Q1 2023.
- Healthcare: The overall cyber risk score for healthcare clients improved from 2.6 to 2.8, on a scale of 1 to 4. In 2022, for enterprise and global clients in healthcare, the overall risk profile improved from “basic” to “managed” with more than 80 percent of the companies reporting scores of 2.5 or higher.
- Manufacturing: Aon’s CyQu data shows that the overall risk score improved from 2.2 to 2.5 – on a scale of 1 to 4 – in 2022 for mid-market clients in the manufacturing industry; however, 56 percent of the companies reported risk scores lower than 2.5 in 2022. The median percent of IT budget reportedly spent on security also rose globally, with companies reporting 8.5 percent of the IT budget dedicated to security.
“Achieving cyber and business resilience is a challenging endeavour for any organisation. Through Aon’s broking and consulting capabilities, we help organisations navigate volatility and minimise financial, operational and reputational risk more appropriately,” Hoffman added.
Aon collected CyQu self-assessment scores from 2,946 client organisations in Asia Pacific, EMEA, Latin America, North America and the UK in 2020 and 2022. The study focused on six areas of risk – cyber, insider, operational, reputational, supply chain and systemic – in the finance and insurance, healthcare and manufacturing industries. Aon plans to release additional data and insights, including regional findings, later this year.
Methodology
Aon’s CyQu evaluation features patent-pending analytics methodology and is rooted in both ISO standards and the National Institute of Standards and Technology framework. The framework is regularly adjusted to contemplate feedback from the cyber insurance underwriting community. Accepted by all major U.S. markets, CyQu and its Supplemental applications help align over 65 cyber insurers around a single client insurance submission process. The CyQu self-reported assessment scores risk in 35 critical controls across nine security domains to offer greater insight into an organisation’s most significant risks and control effectiveness.
View the 2023 Cyber Resilience Report here.