Aon published its 2023 Cyber Resilience Report, revealing that, on average, a significant cyber incident resulted in a 9% decrease in shareholder value – over and above the market – in the year following the event. The report serves as a guide to help business leaders benchmark their organisation’s cyber risk maturity against peers and make better decisions when managing cyber across six risk areas: cyber, operational, supply chain, insider, reputational and systemic.
Aon’s global report is based on proprietary client data collected from Aon’s Cyber Quotient Evaluation (CyQu), Aon’s Ransomware Supplemental Application and Aon’s Operational Technology Application. CyQu is a global eSubmission and risk assessment platform that helps organisations better manage cyber risk by providing visibility into cyber exposures and insurability drivers.
“Companies have experienced new forms of volatility over the last four years, experiencing a rise in the frequency and severity of cyber threats and ransomware events, followed by a cyber insurance market with rising premiums and retentions with significant underwriting scrutiny,” said Christian Hoffman, Global Cyber Leader for Aon. “We observe that the C-suite increasingly sees that cyber events have the potential to impact all areas of their business. Achieving cyber resilience is a recurring theme in board room discussions, and the threat is now being addressed from a holistic risk perspective.”
Additional highlights from the global report include:
• Cyber risk: Five domains – endpoint and systems security, remote work, application security, access control and data security – demonstrated the most improvement on changes to CyQu risk profiles, providing greater insight into an organisation’s most significant risks and control effectiveness.
• Operational risk: Ransomware events decreased 16% from Q3 2022 to Q4 2022, but data from the cyber and errors and omissions insurance marketplace show an uptick in Q1 2023.
• Insider risk: Two in five companies reported a lack of security operations centre controls, highlighting the need for improved cyber security measures to prevent phishing, the most common vector for initial network access.
• Systemic risk: Managing systemic risk is a high priority, stemming from the use of technology in an interconnected world. As cyber threats evolve, risk quantification models and scenario planning are being refined to accurately determine an organisation’s risk profile and inform the extent of cyber insurance coverage required.
Aon also published key insights by industry, including:
• Finance and insurance: Insurance claims are rising, with a 38% increase in ransomware claims from Q4 2022 to Q1 2023.
• Healthcare: The overall cyber risk score for healthcare clients improved from 2,6 to 2,8, on a scale of 1 to 4. In 2022, for enterprise and global clients in healthcare, the overall risk profile improved from ‘basic’ to ‘managed’ with more than 80% of the companies reporting scores of 2,5 or higher.
• Manufacturing: Aon’s CyQu data shows that the overall risk score improved from 2,2 to 2,5 – on a scale of 1 to 4 – in 2022 for mid-market clients in the manufacturing industry; however, 56% of the companies reported risk scores lower than 2,5 in 2022. The median percent of IT budget reportedly spent on security also rose globally, with companies reporting 8,5% of the IT budget dedicated to security.
“Achieving cyber and business resilience is a challenging endeavour for any organisation. Through Aon’s broking and consulting capabilities, we help organisations navigate volatility and minimise financial, operational and reputational risk more appropriately,” Hoffman added.
