2023 Cyber Resilience Report

This is article 18 of 18 in this Report.

August 01, 2023 / 5 min Read

Behind the Data: Research Methodology

This report is based on Aon Cyber Quotient (CyQu) assessment scores collected from 2,946 unique Aon client organizations across Australia, Canada, Latin America, the United States, EMEA, and the United Kingdom and complemented by supplemental assessments data collected from 1,933 unique Aon U.S. and UK client organizations.

Key Takeaways

Aon’s CyQu self-reported assessment scores risk in 35 critical controls across nine security domains.
The Ransomware Supplemental Application identifies 33 potential gaps in critical security controls that may limit cyber insurance coverage or trigger a red flag.
The Operational Technology Supplemental gives expanded visibility into 22 operational technology security controls prioritized by insurance carriers.

2023 Cyber Resilience Report is based on proprietary client data collected from Aon’s Cyber Quotient Evaluation (CyQu) and Aon’s Ransomware Supplemental Application and Operational Technology Supplemental.

CyQu is a global eSubmission and risk assessment platform that helps organizations better manage cyber risk by providing visibility into cyber exposures and insurability drivers. CyQu features patent-pending analytics methodology and is rooted in both ISO standards and the National Institute of Standards and Technology framework. The framework is regularly adjusted to contemplate feedback from the cyber insurance underwriting community. Accepted by all major U.S. markets, CyQu and its Supplementals help align over 65 cyber insurers around a single client insurance submission process.

The CyQu self-reported assessment scores risk in 35 critical controls across nine security domains to offer greater insight into an organization’s most significant risks and control effectiveness.

This Report is based on CyQu assessment scores collected from 2,946 unique Aon client organizations across Australia, Canada, Latin America, the United States, EMEA, and the United Kingdom. Representation across industries and revenue bands is present. Clients’ self-reported responses are scored on a scale of 1 to 4 (4 being the best). Trend insights within this Report were derived from comparing changes between 2020 and 2022 CyQu data.

CyQu Global Industry Distribution

* ‘Other Industries’ category represents responses from clients in the following industries: Accommodation and Food Services, Agriculture, Arts, Entertainment and Recreation, Management of Companies and Enterprises, Public Administration, Utilities, Waste Management and Remediation Services, and Administration and Support, Wholesale Trade.

** ‘Other Services’ category is self-selected by the client

CyQu Global Client Segment Distribution

Client Revenue segments:
Global: >$5B
Enterprise: $5B-$2B
Mid-Market: $100M-$2B
SME: <$100M

Regional Distribution

America: United States, Canada

United Kingdom and EMEA: Austria, Belgium, Denmark, Finland, France, Germany, Ireland, Italy, Luxembourg, Netherlands, Norway, Poland, Portugal, Spain, Sweden, Switzerland, Turkey, United Kingdom

Latin America: Argentina, Brazil, Chile, Columbia, Ecuador, Mexico, Peru, Puerto Rico

Asia Pacific: Australia

Augmenting this data are proprietary insights from Aon’s Ransomware Supplemental Application and Operational Technology Supplemental. Aon’s Ransomware Supplemental Application identifies 33 potential gaps in critical security controls that may limit cyber insurance coverage or trigger a red flag. The Operational Technology Supplemental gives expanded visibility into 22 operational technology security controls prioritized by insurance carriers. This Report is based on Supplemental assessments flags collected from 1,933 unique Aon U.S. and UK client organizations across industries and revenue bands. Guided by Aon’s key underwriting controls, and its’ red flag analysis developed through broker and underwriter input, this report demonstrates how clients can use data to help prioritize their security investments. Trend insights within this Report were derived from comparing changes between 2021 and 2022 for Ransomware Supplemental Application and for 2022 for Operational Technology Supplemental.

US Ransomware Supplemental Application Industry Distribution

** ‘Other Services’ category is self-selected by the client.

US Ransomware Supplemental Application Client Segment Distribution

US Operational Technology Supplemental Industry Distribution

EMEA and UK Ransomware Supplemental Application Client Segment Distribution

EMEA and UK Ransomware Supplemental Application Industry Distribution

** ‘Other Services’ category is self-selected by the client.

Data Methodology Team

Arshi Ahmed
Data & Analytics Leader, Cyber Solutions

Nancy Eaves
SVP, Product Leader, Cyber Solutions

Annie Fishbain
VP, Product Management, Cyber Solutions.

Explore Our Cyber Offerings

Glossary

Risk Themes and Controls Definitions

Cyber Risk

Cyber risk is the risk of financial loss, business interruption, or damage to an organization from some failure connected to its information or operational technology systems. But cyber risk goes far beyond technology. Cyber is, among others, a holistic and enterprise risk that poses a financial, operational, people, regulatory, and even catastrophic threat to all organizations, regardless of size or sector. As such, understanding an organization’s business drivers and the daily decisions related to them often proves the critical link towards managing the journey to achieving holistic and sustainable cyber resilience.

Aon’s Cyber Quotient Evaluation (CyQu) provides insight into an organization’s cyber maturity across 35 critical controls across nine security domains.

Domain	Definition
Data Security	Manages safeguards to protect the confidentiality, integrity, and availability of information.
Access Control	Grants authorized users the right to use a service while preventing access to non-authorized users.
Endpoint and Systems Security	Delivery and administration of infrastructure services, systems monitoring, endpoint protection, configuration management, storage management, infrastructure operations.
Network Security	Delivers infrastructure services including enterprise defense for network, computer, physical presence, cloud, storage management, and operations.
Physical Security	Protects facilities, equipment, resources, and personnel from unauthorized access, damage, or harm.
Application Security	Protects applications from threats by requiring measures or checks during each stage of the application development life cycle.
Third Party	Monitors relationships with third parties to ensure provided services adhere to defined security policies.
Business Resilience	Plans for prompt and effective continuation of business-critical services in the event of a disruption.
Remote Work	Enables users to securely access corporate systems and data to deliver on their roles and responsibilities when outside of corporate working environments.

Aon’s Ransomware Supplemental Application provides visibility into an organization’s Information Technology (IT) controls to evaluate the vulnerability of a ransomware attack.

Ransomware red flags focus on control gaps based on key technical underwriting concerns.

As risks continue to evolve, so do Aon’s key underwriting controls and risk weightings. The below list reflects a year-over-year control comparison but is a subset of the key underwriting categories and red flags Aon helps clients prioritize today.

Information Technology (IT)	Definition
Backup Security	Backup capabilities of the clients for its robustness, frequency, storage location and recovery.
Business Resilience	Plans for prompt and effective continuation of business-critical services in the event of a disruption.
Network and Data Security	Measures taken to protect network and data integrity and privacy from attack and infiltration.
Multi-factor Authentication (MFA)	Controls around authentication for remote access, critical networks, and privileged access accounts before accessing organizational data.
Access Control	Grants authorized users the right to use a service while preventing access to non-authorized users.
Endpoint Security	Delivery and administration of infrastructure services, systems monitoring, endpoint detection, configuration management, storage management, and infrastructure operations.
Email Security	Business email security that protects from phishing attacks and prevents data exfiltration.
Patch Management	Vulnerability management by improving, fixing, and updating application systems.
Software Management	Optimization of software licenses, hardware assets, cloud platform.
Operational Technology (OT)	Hardware and software that detects or causes a change in physical processes or events through the direct monitoring and/or control of physical devices (e.g., industrial equipment) in the enterprise.

Research Source: this definition is derived from Gartner publication on ‘Market Guide for Insider Risk Management Solutions’

Insider risk identifies threats to trusted accounts within organization, malicious or unintentional. This risk is also intensified by national state attacks and corporate espionage. Insider risk management focuses on controls around endpoint detection and response, SOC monitoring, data security, and user awareness training.

Insurance products and services are offered by Aon Risk Insurance Services West, Inc., Aon Risk Services Central, Inc., Aon Risk Services Northeast, Inc., Aon Risk Services Southwest, Inc., and Aon Risk Services, Inc. of Florida, and their licensed affiliates.

The information contained herein and the statements expressed are of a general nature, not intended to address the circumstances of any particular individual or entity and provided for informational purposes only. The information does not replace the advice of legal counsel or a cyber insurance professional and should not be relied upon for any such purpose. Although we endeavor to provide accurate and timely information and use sources we consider reliable, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future.

Data Methodology Team

Arshi Ahmed
Data & Analytics Leader, Cyber Solutions

Nancy Eaves
SVP, Product Leader, Cyber Solutions

Annie Fishbain
VP, Product Management, Cyber Solutions.

Explore Our Cyber Offerings

Managing cyber across six featured risk themes.

This year’s report is a guide for leaders to benchmark their organization’s risk maturity against peer companies and to help make better decisions around managing cyber across six featured risk themes: cyber, operational, supply chain, insider, reputational, and systemic.

Steps to Minimize Cyber’s Impact on Systemic Risk

The task of managing systemic risk has catapulted to the top of the priority list for the insurance industry as significant cyber events rang the alarm bell that systemic risk is considerable, and can cause widespread impact.

Learn more

Cyber Attacks on Supply Chains Are Causing a Widespread Impact

Cyber threats add a layer of complexity to supply chain risk. Third-party risk management, central to protecting the organization, received the lowest CyQu score of all nine scored domains.

Learn more

Build a Plan to Address the Perils of Reputational Risk

Cyber attacks can be damaging to shareholder value. But not all companies lose value because of an attack. Research revealed 17 companies that realized an average value impact, over and above the market, of +18 percent post-event, or a total value impact of $445bn following an incident.

Learn more

Take These Steps to Mitigate Operational Risks

Insurance carriers prioritized controls related to operational risk in 2022, and clients responded. While ransomware data breaches dipped down for short period, there was an uptick in Q1 2023 and phishing and spear phishing schemes present great risk.

Learn more

Cyber Insider Threats are a Growing Business Risk

Malicious actors know that humans are fallible. In 2022, two in five companies reported a lack of security operations center (SOC) controls, intensifying insider risk.

Learn more

How Cyber Risk Touches Nearly all Aspects of Business Risk

Increased underwriting rigor in the cyber and E&O insurance market helped drive growth in cyber risk maturity across industries and revenue bands in 2022.

Learn more

Behind the Data: Research Methodology

Data Methodology Team

Explore Our Cyber Offerings

Glossary

Risk Themes and Controls Definitions

Data Methodology Team

Explore Our Cyber Offerings

Managing cyber across six featured risk themes.

Steps to Minimize Cyber’s Impact on Systemic Risk

Cyber Attacks on Supply Chains Are Causing a Widespread Impact

Build a Plan to Address the Perils of Reputational Risk

Take These Steps to Mitigate Operational Risks

Cyber Insider Threats are a Growing Business Risk

How Cyber Risk Touches Nearly all Aspects of Business Risk

Talk to Our Team