North America: Investment Leads to Enhanced Cyber Resiliency

Business leaders in North America (NA) continue to address cyber attacks through investment in tools, technologies, and procedures. Data pulled from Aon highlights this trend.  On average, Aon data revealed that10 out of 33 critical controls in 2022 were failed — down from 12 out of 33 in 2021.  We’ve also seen marked improvement in the areas of Access Management (7.19 percent decrease in failure rate), Multi Factor Authentication  (MFA) (11.29 percent decrease in failure rate), and business resilience (6.08 percent decrease in failure rate). Claims frequency reduced in 2022 and loss ratio’s improved as a result.  When paired with reduction in claims frequency and improvement in insurer loss ratios, these investments are expected to help push cyber premiums lower in 2023 while simultaneously enhancing the organization’s overall cyber resiliency.

Despite the average improvements for all companies in the NA region, there remain key areas where additional investment could be targeted and there’s a marked difference in resilience between Enterprise and Global clients from mid-market and small and medium-sized clients.  Ransomware Supplemental application data shows that on average backup security controls improved by 6 percent across all industries.  However, 90 percent of companies reported that they did not store backups in the cloud, and backups are neither stored offsite nor immutable for 70 percent of companies.  Overall 2022 data shows that mid-market and small and medium-sized clients’ control deficiencies in business resilience were 10 percent higher than that of enterprise and global clients.  Organizations under $2 billion in revenue continue to report greater deficiencies around MFA than other organizations, which remains a top concern for cyber insurance underwriters.

Following several quarters of decreased activity, there has been an uptick in the frequency of global ransomware attacks in Q1 and 20231, reminding organizations why ransomware remains a top concern with respect to cyber resiliency.  In addition, the use of AI tools to create and refine attack patterns is a growing concern both for businesses and the cyber insurance underwriting community.  The power and ease of use of these AI tools means we can expect an increase in phishing and spear phishing. Privacy is also coming back into focus in a big way, particularly in the healthcare space2.  Lawsuits alleging privacy violations (such as  California Invasion of Privacy Act(CIPA) and Video Privacy Protection Act (VPPA)) resulting from the use of pixel tracking technology became a popular tool of the plaintiffs’ bar at the end of 2022 and that trend continues in 2023.

Industries in Perspective

This year, we examined three industries in more depth: manufacturing, healthcare and finance and insurance. While companies across all three sectors generally tracked with the average improvements seen across all industries, nuances specific to each industry’s needs and operations show departures from the averages in key areas.

Manufacturing clients made significant improvements in the areas of MFA and access management.  However, backup security, business resilience and data security showed the highest percentage of average deficiencies3 and so remain the top areas of concern.  The prevalence of legacy tools and increased mergers and acquisitions activity in this sector are both factors in the increasing exposure related to information technology (IT) and operational technology (OT) vulnerabilities.  Companies in this industry continue to show an average failure rate of 40 percent specific to OT controls4. We see these results being driven by a lack of ransomware coverage in tabletop exercises, not having current or tested business continuity plans and/or deficient monitoring and patching capabilities in the OT environment.

Healthcare clients appear to have made significant improvements in 2022 when compared to 2021 in the domains of MFA and business resilience5.  This is partly driven by the insurers focus on key controls that help limit the probability and severity of a ransomware event.  However, data security, software management and endpoint security saw a reported increase in deficiencies over this same time period.  Due to increased digitization and the push within the healthcare industry to automate certain processes, data shows many companies outsourced IT operations in 2022 or hired mature security talent. However, this increase in deficiencies may not reflect an actual regression of cyber resiliency but instead an improvement in the accuracy of reporting.

Finance and insurance clients made significant improvements in MFA, access management and business resilience6.  Claims and cyber intelligence trends indicate that bad actors are still able to bypass MFA and use remote desktop controls to compromise the network environment in this industry.  Aon’s ransomware supplemental application data suggests that finance and insurance clients are increasing their focus on stricter MFA rules and patch management capabilities to combat these trends.  Data security and endpoint security domains remain particularly relevant for the finance and insurance industry given the higher nature of third party and insider risk facing these organizations.  Finally, new SEC rules regarding reporting on tabletop exercises as a part of business continuity and disaster recovery planning is likely to see a rise in penetrating testing and proactive remediation controls7.

Now What? Some suggested actions for North American Leaders

1. Update and strengthen governance frameworks and risk management strategies concerning cyber risk. Privacy regulations across the region continue to go beyond data breach notification laws and contemplate new types of information (e.g. biometrics) as well as the concepts of informed consent at the time of data capture. As such, it is paramount that senior business leaders properly record and disclose their adoption of good governance and risk management of cyber threats per best practices and regulatory requirements. This action will not only improve the business’s risk profile but will mitigate potential regulatory and shareholder actions in the event of a cyber or privacy event.
2. Keep vigilant on ransomware threats. While companies in the region have performed well in combating ransomware threats, global trends indicate that ransomware attacks are on the increase (up 38 percent Q1 2023 over Q4 2022)8. Continue to focus on security controls that mitigate ransomware attacks, particularly those controls that are a critical part of the insurance underwriting process.
3. Continue to be forward-looking with respect to cyber risk mitigation and resilience strategies.  Reviewing the tools, technologies, and procedures necessary to combat cyber threats as they are influenced by geopolitical tensions and emerging attack vectors is critical for all organizations.  Ensuring business continuity and disaster recovery plans are updated and tested based on changes to tools, technologies and procedures as well as current business operations is a critical aspect of a crisis management strategy.  Testing insurance limits and coverage through periodic risk quantification and risk-based heat mapping will ensure that any insurance purchase remains a valuable aspect of a company’s overall cyber risk mitigation strategy.