Actions to Improve Cyber Resilience in Finance and Insurance Sector

Governments, businesses, and customers look to financial institutions as the backbone of the global economy.1 Because of the vital role it plays, the industry’s security is highly regulated and scrutinized. Emphasizing the need for cyber resilience, the U.S. Securities and Exchange Commission recently introduced a proposal to address cyber security risk. This would require all market entities to implement policies and procedures that are designed to address their cyber security risks. On top of this, financial and insurance organizations will need to, at least annually, review and assess the design and effectiveness of their cyber security policies and procedures —including whether they reflect changes in cyber security risk over the time period covered by the review.2 In the European Union financial institutions have two years to manage operational resilience and comply with the Digital Operation Resilience Act (DORA).3

New risks and vulnerabilities are detected daily, and finance and insurance industry leaders ranked the threat of a cyber-attack or data breach as the top risk in Aon’s most recent Global Risk Management Survey.

The sector faces a complex globally interconnected risk landscape and leaders should make decisions that demand rapid analysis and execution. Emerging technologies and new business models continually alter the terrain. For example, mobile wallets are one fundamental development. Offline or online payments conducted with a mobile device, smartphone, or wearable are commonplace, and FinTech is snowballing.   This new sector, Fintech, exponentially expands the attack footprint and introduces even more third-party vulnerability to larger financial institutions that connect to these smaller, less-sophisticated companies.  While Asia leads in prominence of FinTech companies by revenue, North America has the most FinTech start-ups, with statistics pointing to 8,775 currently operating. Europe, the Middle East, and Africa boast 7,385 FinTech start-ups4 and 4,765 in Asia-Pacific.5

Changes in cyber liability insurance have also been significant over the past two years. Incidents such as the 2021 ransomware attack on a U.S. pipeline system altered the marketplace, and insurers realized the tremendous risk of business interruption and interconnectivity. Carriers now require Financial Institutions to demonstrate cyber resilience to secure an affordable — or any — policy. During renewal discussions, some carriers bring independent technology professionals to question a financial institution’s chief information security officer.

This demonstrates the opportunity to use the insurance renewal process as a means to demonstrate the controls and systems they have in place. Such an approach helps ensure that the process becomes a compliment to their risk management process.

Aon Clients Report:  Finance and Insurance Industry and Cyber Risk

Aggregated data results from Aon’s Cyber Quotient (CyQu) show that clients reported overall risk score improvement from 2.7 to 2.9 (approaching “managed”) in 2022 across all finance and insurance companies. Small and medium-sized entities said their risk profile improved from “basic” to “managed”, and 64 percent reported risk scores of more than 2.5. This strong growth in maturity will likely continue as insurers retain their focus on these emerging organizations that are critical to the financial services ecosystem.

The median percent of the IT budget spent on security also rose globally, with finance and insurance companies reporting 8 percent of the IT budget dedicated to security in 2022.

We are currently seeing a resurgence of aggressive threat actor groups targeting financial services companies. And those attacks are succeeding in a majority of cases. Insurance claims are rising, with a 38 percent increase in ransomware claims from Q4 2022 to Q1 2023, even though revenue bands reported steady improvement in overall cyber risk profile. Finance and insurance companies improved information technology controls implementation between 2021 to 2022 and emphasized strengthening multifactor authentication (MFA) controls. US companies reported significant improvement in MFA critical controls, deploying 80 percent versus 65 percent in 2021. However, even with this improvement, Aon notes that many may have not yet deployed these solutions thoroughly and may factor into the rise we are currently experiencing.

Looking to the U.S., finance and insurance companies reported steady improvement in IT controls readiness between 2021 and 2022. Aon’s Ransomware Supplemental Applications red flag controls data shows that the most significant improvement was in MFA with a 15 percent improvement and business resilience with an 8 percent improvement in implementing essential underwriting controls. Compared to the healthcare and manufacturing sectors, the financial services industry appears to be much more mature regarding business resilience. However, backup security continues to be seen as an area of vulnerability, with organizations still reporting a need for almost 40 percent of IT controls. This control domain should be an area of focus moving throughout 2023 as ransomware threats again escalate.

While trend data is not yet available for the UK, in 2022, the country’s finance and insurance organizations reported the strongest maturity in access management, email security, and patch management, registering 20 percent or fewer gaps in each control area. Clients reported significant software management gaps and network and data security controls. Like their counterparts in the U.S., backup protection also appears to need attention.