2023 Cyber Resilience Report
This is article 17 of 18 in this Report.
August 01, 2023 / 5 min Read
How Aon’s Cyber Quotient Evaluation (CyQu) platform and our data and analytics can support cyber insurance submissions.
Aon’s proprietary Cyber Quotient Evaluation (CyQu) can help organizations assess their cyber risk maturity.
- Our client research in 2020 unearthed a concerning trend: Organizations across different regions and industries were only maintaining a “basic” level of cyber readiness.
- Because our clients were operating in independent silos, a traditional approach of technology firms, professional services and brokers had not translated into holistic client solutions.
- Using these findings, we redesigned CyQu to better streamline the complex process of gathering underwriting information year over year, and invested in risk modeling to help clients understand the impact of enterprise-wide investments and capital throughout the cyber life cycle.
In April of 2021, Aon published its Cyber Risk Report [1], highlighting findings from our proprietary Cyber Quotient Evaluation (CyQu), a comprehensive assessment of cyber risk maturity. The 2020 data revealed a concerning trend: organizations across different regions and industries were only maintaining a basic level of cyber readiness. Specifically, only one in five organizations reported they were prepared to navigate new exposures, and only 17 percent reported having adequate application security measures in place.
It was clear that, because our clients were operating in independent silos, the traditional approach of technology firms, professional services and brokers had not translated into the most appropriate client solutions. With the persistent rise of ransomware attacks, twenty-four months of a hard cyber insurance market and the consistent trend of under-preparedness, it was clear that a new narrative and solution were urgently needed.
Driven by a commitment to provide an integrated and strategic approach to risk management, Aon’s Cyber Solutions underwent our own evolution. CyQu was redesigned to better streamline the complex process of gathering underwriting information year over year. Successfully aligning a market of 65-plus insurers around a single information intake process, the redesign led to greater efficiency and collaboration.
As we enhanced our CyQu platform to support cyber insurance submissions, we were guided by two influential market factors:
- Significant shifts in cyber loss events — both in frequency and severity [2]. This escalation prompted insurers to evaluate causality and the readiness of core controls. As a result, we reported a paradigm shift in underwriting guidelines, pricing models and the information required to underwrite. As insurers’ appetite for risk shifted, many organizations found themselves ill-prepared [3].
- The additional scrutiny and information requirements caused a major inefficiency problem for insureds. The ad hoc approach varied based on market interest, leading to redundant information requests from various insurance companies.
By embedding a risk assessment, benchmarking and our red flag methodology into the placement process, with the support of our brokers and account team, our clients may now gain a clearer understanding of their control gaps, the impact on insurability and their balance sheet risk. The CyQu framework remains dynamic, regularly incorporating feedback from the cyber underwriting community, our proprietary broking insights and claims data. Its primary purpose is not just to prepare clients for risk transfer, but to help clients reduce their overall risk.
Managing cyber risk in today’s dynamic and interconnected environment remains a formidable challenge for our clients, highlighting the need for a more well-informed, strategic and data-driven approach. Aon’s integrated approach to risk transfer continues to evolve, with the CyQu Broking-enabled submission process continually enhanced by our analytics and proprietary insights.
Today, thanks to the lessons learned in the 2021 report, Aon’s CyQu platform and its proprietary data underpin this 2023 report. This year’s data demonstrates an encouraging shift, with clients across regions and industries reporting a “managed” level of cyber readiness. Notably, 70 percent of the organizations report they are prepared to navigate new exposures and 36 percent report having adequate application security measures in place. Achieving cyber resilience is now a recurring theme in boardroom discussions and is finally being considered from a 360-degree, collaborative risk perspective [4].
This report is the result of Cyber Solutions’ Data and Analytics teams’ efforts to unite stakeholders through data-informed decisions and address cyber risk with confidence. At Aon, we hold ourselves to the same standards as our clients. Achieving this requires breaking down data silos and leveraging the connections among security controls, attack surfaces, insurance pricing and covered claims. Our focus is on providing clients with more comprehensive data and risk modeling to help them understand the impact of enterprise-wide investments and capital throughout the cyber life cycle.
Producing this report involved collecting feedback from our global subject matter professionals, who offer unique perspectives on addressing cyber risk. Leveraging insights from our professionals across various business lines, including Human Capital, Reinsurance, Aon Global Risk Consulting, and our esteemed Stroz Friedberg Incident Response team (with 20 years of experience responding to high-profile breaches), our Security Advisory team and our brokerage team (which annually places over $2 billion in Cyber and E&O premiums), we help ensure that our products and solutions better maximize the talents of each group to help support effective client decision-making. Our Data and Analytics team uses all these insights to better prevent data silos and provide a more comprehensive understanding of cyber risk.
This report is a testament to the power of collaboration and a global approach. By bringing together security professionals, consultants, and brokers, united by a shared goal, we have achieved the CyQu platform’s adoption, increased cyber maturity for our clients, and improved year-over-year insights. The result? An integrated response to cyber risk management. After all, we are in the business of better decisions.
SVP, Product Leader, Cyber Solutions
Insurance products and services are offered by Aon Risk Insurance Services West, Inc., Aon Risk Services Central, Inc., Aon Risk Services Northeast, Inc., Aon Risk Services Southwest, Inc., and Aon Risk Services, Inc. of Florida, and their licensed affiliates.
The information contained herein and the statements expressed are of a general nature, not intended to address the circumstances of any particular individual or entity and provided for informational purposes only. The information does not replace the advice of legal counsel or a cyber insurance professional and should not be relied upon for any such purpose. Although we endeavor to provide accurate and timely information and use sources we consider reliable, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future.
Managing cyber across six featured risk themes.
This year’s report is a guide for leaders to benchmark their organization’s risk maturity against peer companies and to help make better decisions around managing cyber across six featured risk themes: cyber, operational, supply chain, insider, reputational, and systemic.
Steps to Minimize Cyber’s Impact on Systemic Risk
The task of managing systemic risk has catapulted to the top of the priority list for the insurance industry as significant cyber events rang the alarm bell that systemic risk is considerable, and can cause widespread impact.
Cyber Attacks on Supply Chains Are Causing a Widespread Impact
Cyber threats add a layer of complexity to supply chain risk. Third-party risk management, central to protecting the organization, received the lowest CyQu score of all nine scored domains.
Build a Plan to Address the Perils of Reputational Risk
Cyber attacks can be damaging to shareholder value. But not all companies lose value because of an attack. Research revealed 17 companies that realized an average value impact, over and above the market, of +18 percent post-event, or a total value impact of $445bn following an incident.
Take These Steps to Mitigate Operational Risks
Insurance carriers prioritized controls related to operational risk in 2022, and clients responded. While ransomware data breaches dipped for a short period, there was an uptick in Q1 2023, and phishing and spear phishing schemes present great risk.
Cyber Insider Threats are a Growing Business Risk
Malicious actors know that humans are fallible. In 2022, two in five companies reported a lack of security operations center (SOC) controls, intensifying insider risk.