EMEA: Building Resilience to Navigate Rising Cyber Risk

It is impossible to stop all cyber events, but it is possible to manage them. Governance, geopolitical tensions and a rise in cyber incidents across Europe, the Middle East and Africa (EMEA) drove a slight uptick in cyber security maturity in 2022. According to Aon’s Cyber Quotient1 (CyQu) data, clients, on average, reported movement from basic maturity (2.17 out of 4.0) towards managed security (2.45 out of 4.0) between 2020 and 2022. Though incremental, this forward movement is encouraging and demonstrates the shifting mindset away from the belief that “it won’t happen to us.”

Clients focused on improving data security and safeguarding organizational data in 2022, in part driven by the Ukraine-Russia conflict. Many prominent European and multinational companies are heavily impacted by this situation and are deeply concerned about how their activities might be subsequently affected by attacks emanating from the region. Organizations worked to achieve the right level of visibility into security operational controls (SOCs) and shore up access controls, with increased emphasis on preventing attackers from entering and moving laterally through the network. Aon’s CyQu data validated this focus, as clients reported a slight yet noticeable increase in maturity across key control groups, including endpoint security, access control, and remote working.

On an opposing note, clients, on average, did not report profound improvement in either application security (score of 1.8 to 2.1) or business resilience (score of 1.9 to 2.2) and still sit at a “basic” level of maturity and far from “managed.“ It is important to note that while U.S. companies outperformed their EMEA counterparts across endpoint and network security, both regions struggle with business resilience, particularly third-party risk management. Organizations should place increased attention on remediating this weakness, specifically as systemic risk has catapulted to the top of the priority list for the insurance industry2 and third-party security lies at the center of this risk.

Insurers and regulators also drove security maturity across the region, and regulatory change is anticipated to be a continued force of change. The European Union’s Network and Information Security (NIS2) Directive measures take effect in October 2024, and many more businesses will come under the scope.3 The effects of NIS2, its expansion of critical infrastructure requirements4 most remarkably, are already visible within CyQu industry scores. Mining, quarrying, oil and gas extraction moved from the lowest-performing industry in 2020 (1.8 maturity score) to one of the highest-performing industries in 2022, with clients reporting a maturity score of 2.8 and approaching “managed.” This score brings the energy sector on par with historically higher-performing industries of insurance and finance and utilities, already heavily regulated industries. Beyond increased demands on sectors, NIS2 expands cyber security risk management to include supply chain security. Thus, third-party management will become increasingly crucial to business road mapping and overall security.

Regulators may more closely scrutinize the escalating reliance on digital technologies and the broadening adoption of artificial intelligence (AI). How businesses harness, process, and use data may rapidly change in the next twelve months, and leaders are encouraged to take a risk-based focus. As new business models emerge, it is crucial that data is safeguarded, and organizations maintain an enterprise-wide risk management focus.

Finally, consider the impact of ransomware. Ransomware is still on the agenda and is a material focus, notably for the insurance buyer. We saw a material increase in ransomware incidents across the globe in the first quarter of 2023, rising by 63 percent. This number peaked in the second quarter.5 Attackers will continue to exploit the weakest link — people. Organizations are encouraged to put a microscope on business resilience maturity.

Industries in Perspective

As reported above, most striking in the CyQu industry data was the forward movement of the energy sector. A second and equally notable change was the overall average maturity improvement reported for the construction industry (score of 1.9 to 2.4). This score aligns with the shift in how we are today constructing or moving from a very physical environment to an increasingly digitized one.  Given the complexity of business interruption events for the construction industry we can expect insurers will also take note of this change. The industry will continue to fortify third-party management and connect tier-one and tier-two suppliers into the organization’s risk management plan.

In our 2023 Cyber Resilience Report,6  Aon examined three industries in more depth: manufacturing, finance and insurance and healthcare. Across EMEA, companies across all three sectors approached – but did not yet achieve – a state of “managed” overall security or a score of 3.0. The finance and insurance sector reported the strongest maturity (2.8), followed by manufacturing (2.5) and healthcare and social services (2.4). The impact of the Digital Operational Resilience Act (DORA)7 on finance and insurance will be a noted driver of maturity as we approach the date of applicability (January 17, 2025).

Within the healthcare sector, the European Medical Device Regulation (EU MDR)8 came into force in 2021. Since its implementation, we’ve seen a growth in cyber maturity, specifically in MedTech. Safeguarding the environment is also of prime concern within life science sub-segment, specifically for pharmaceutical companies. With businesses investing billions into the research and development of new drugs, the cost of intellectual property (IP) leaks can be devastating, with companies fearful of being forced to discard product development cycles, losing substantial sums invested.

Looking at the manufacturing industry, insurers have long put cyber security demands on this sector (particularly in OT (Operational Technology)); thus, it is no surprise that clients reported a continued increase in overall maturity. As supply chains continue to expand in size and complexity, manufacturers will need to focus on strengthening third-party management and business resilience —two of the more complex control areas to manage.

Next Steps: Suggested Actions for EMEA Leaders

While we have seen an increase in the overall cyber security maturity levels across EMEA, we expect that future increases will be more pronounced.  As industries continue to invest in innovation and new technologies, increased risk complexity will likely result in a more dynamic and challenging cyber threat environment. With this in mind, we recommend organizations should continue to examine and challenge their approach by following these three steps:

1. Maintain focus on cyber resilience.
   Attacks on infrastructure and technology are inevitable and it will remain exceedingly important that the ability of organizations to appropriately deal with events will determine how well equipped they are to manage incidents and material events. A combination of a clear enterprise risk management strategy, cyber security strategy and insurance strategy working in tandem will go some way to achieving this goal.
   
2. Embed new regulatory requirements into business as usual processes.
   New regulations such as NIS29 and DORA10 are intended to create systemic resilience and protection. Incorporating the new rules into your day-to-day operations will help create a more secure environment for enterprises and potentially a competitive advantage.
3. Conduct risk-based analysis of evolving profile.
   It is important that we maintain pace with the cyber threat environment. With the evolution and digitization of businesses, notably with the impact of Artificial Intelligence, organizations should continue to question whether risk management and security practices remain fit for purpose. At least once a year, companies should check that they have appropriate and proportionate controls in place to manage an evolving risk and opportunity profile.