Take These Steps to Mitigate Operational Risks

Operational risk, defined as the risk of losses caused by disruption to an organization’s operations or failure across people, processes, or technology, is a top concern for global security teams and insurance carriers. Ransomware and phishing schemes continue to present significant risk. While ransomware data breaches were down 16 percent from Q3 2022 to Q4 20221, the cyber and errors and omissions (E&O) insurance marketplace data show that in Q1 2023, there was an uptick in ransomware and the frequency of events increased by 49 percent.2 Phishing and spear phishing also ramped up significantly at the start of 2023, according to Aon’s cyber security team. The sophistication of these techniques makes it easier for attackers to masquerade and more challenging for victims to discern between what is legitimate and illegitimate.

Organizations must plan for the worst-case attack. For example, what happens if the company’s network goes down completely? How will the business be supported and sustained? Does the company have a resiliency model that can manage this process? How will the company keep clients whole, even at the cost of business opportunity? These questions are critical components of business continuity planning (BCP) and business continuity management (BCM). Aon’s CyQu data revealed that across regions, clients’ level of BCM remained flat between 2020 and 2022 and sits at a basic level. More focus on scenario-planning operational disruptions is needed. While it is imperative to layer technical controls on the enterprise to prevent ransomware, equally important is the need for disruption preparedness across business operations.

Insurers and the marketplace are increasingly expecting this operational risk planning level. While market conditions for cyber and E&O insurance have stabilized, and substantial new capacity and lower loss ratios helped decrease rates in cyber and E&O in early 2023,2 the underwriting process remains rigorous.3 Critical controls perceived to reduce the probability or severity of a ransomware event with the potential to disrupt operations are the focus of insurers. These priority controls include access management, business resilience, and data security/patch management.4

Ransomware Supplemental Red Flag Controls Data Findings: Aon Clients Report

Clients reported an aggregate improvement in critical controls implementation in 2022 over 2021 across those controls prioritized by insurance carriers. In the U.S., the industries that reported the most remarkable progress in critical IT controls were construction (+10 percent), manufacturing (+9 percent), and finance and insurance (+7 percent). To stay globally competitive, manufacturing companies are shifting toward more digitized and integrated Internet of Things (IoT) processes both within the factory walls and out into their supply chains,5 which correlates with this dedication to operational risk maturity. The construction industry is similar. Many firms have started using IoT technologies to enhance worksite safety and manage progress.6 This digitization expands the attack surface. Construction teams have also moved from paper workflows to the cloud, introducing new vulnerabilities and providing an excellent opportunity for ransomware and phishing schemes. In EMEA and the UK, 2022 data showed that the manufacturing and construction industries are less sophisticated in critical IT controls maturity, with construction reporting deficiencies in more than half of these controls.

Organizations focused on shoring up critical backup controls in 2022, with 61 percent of controls implemented in 2022 compared to 55 percent in 2021. However, looking at the data more granularly, a gap is revealed. Almost 90 percent of companies in U.S. reported not storing backups in the cloud, and 70 percent do not store backups offsite or have immutable backups. Backup security remains a top concern, and rightly so. Ransomware has evolved to attack backups themselves, putting data at increased risk. Immutable backups are critical for businesses that depend on the safety and security of the data they are responsible for. Only immutable backups provide a clean, recent copy of data that supports quick recovery and efficient protection.

Business resilience continued to pose a top concern for clients in 2022. Insurers have moved from simplistic check-box questions, for example, asking if the organization has backups, to asking how resilient you are. Companies must prove that the business process can sustain an impact from a cyber breach. Clients in manufacturing (67 percent vs. 59 percent in 2021) and construction (66 percent vs. 55 percent in 2021) industries reported the most significant improvement in critical controls connected to resilience. When examining differences across company size, mid-market and small to medium-sized enterprises reported an essential lack of business resilience controls more frequently than enterprise and global companies. However, this trend was reversed for endpoint security, where endpoint detection and response tools do not cover all of the technology endpoints of the enterprise and multinational companies. Alarmingly, over half of all client organizations reported a lack of tabletop exercises as part of business continuity planning, and more than one-third reported a lack of incident response planning.