2023 Cyber Resilience Report
This is article 16 of 18 in this Report.
November 03, 2023 / 4 min Read
The CSO as an Essential and Strategic Cyber Security Partner
Joe Martinez, Aon’s chief security officer (CSO), explores his role and the risks facing Aon. He discusses the evolution of the cyber insurance marketplace and the cyber regulatory environment and offers advice on how to demonstrate business resiliency to clients and insurers alike.
- Cyber risk is more than data privacy. It is about resiliency, governance, and oversight.
- Today’s relationships are transparent. Clients and insurers need to see that you are meeting and exceeding security and risk management expectations.
- Practice and measure. Gather evidence to prove that the business can sustain an impact from a cyber breach and elevate questions you haven't thought of before.
This Report focuses on six themes: cyber risk, operational risk, supply chain risk, reputational risk, and systemic risk. For Aon specifically, what risks are paramount?
Joe Martinez: Access, data, and business continuity are three top-five risks Aon must manage globally. Because we are a data-driven entity, protecting our clients’ data and Aon’s insights on this data is essential. Of course, all risk themes are pertinent and linked. For example, if we are unable to demonstrate business continuity in the wake of a significant cyber event, then operational risk, supply chain risk and reputation risk are all heightened.
In three to four sentences, describe your role as CSO.
Joe Martinez: Our job is to identify bad things that might happen, stop what we can and respond appropriately to manage material risk. Every threat must be identified to determine the most prescient risks and those that are material for the firm to manage. We align the organization around control practices, including the National Institute of Standards and Technology [1] and the Center for Internet Security [2]. We structure our controls to ensure we are effective across preventative and response capabilities, and we constantly self-evaluate to test this.
How has the evolution of cyber insurance as a key risk transfer solution changed the role of the CSO?
Joe Martinez: Many of our clients come from the financial services and healthcare industries. The drive towards rigorous compliance and the need for these clients to demonstrate resilience to the insurance marketplace transfers to us as a third-party partner. Today’s relationships are transparent, and clients and insurers want to see that we are meeting and exceeding security and risk management expectations. Multi-factor authentication and encryption are the areas in which clients want to see significant maturity. But it doesn’t stop there. Clients need evidence to show their insurers that their risk is identified and quantified.
How do you demonstrate cyber resiliency to clients?
Joe Martinez: There isn’t yet a common language for how organizations talk to each other about risk and resiliency, but there are some traditional and well-established frameworks. Some clients have quite an intense process to vet resiliency. The right to audit is written into many contracts, and some clients will come onsite to conduct testing. Visibility into controls is paramount. Most of what is being asked isn’t new. We just need to prove what we can do and that the business process can sustain an impact from a cyber breach. Aon’s Cyber Quotient [3] helps us to better understand and measure our risk. It enables us to identify gaps in our control effectiveness. Then it is our responsibility to close the gaps and ensure controls are configured correctly and evaluated promptly.
What is on the horizon from a cyber security regulatory standpoint?
Joe Martinez: Today, regulatory regimes are overlaying each other. The General Data Protection Regulation [4] has matured into the Digital Operational Resilience Act [5]. New York State Department of Financial Services [6] is spreading into mini-versions in almost mini-domiciles, creating micro regulatory environments that organizations need to respond to. Cyber risk is more than data privacy. It is about how an organization manages controls – wholesale. It is about resiliency, governance, and oversight.
What is your advice, CSO to CSO?
Joe Martinez: Practice and measure. Practice not only at a technical or operational level but also at a leadership level. It’s not a matter of if but of when you will experience a significant cyber event. You can’t spend your way out of an attack. Ensure you have the level of investment in security to get the organization’s risk profile to a place where you feel comfortable.
Measure and remeasure everything you can. Elevate questions you haven’t thought of before, and do not fear asking uncomfortable questions. For example, if we must shut down an office, who decides? How do we support and sustain our business process if a third-party vendor suffers an attack and does not survive? If our environment goes down, how do we keep our clients whole, even at the cost of business opportunity? How much is too much in terms of a ransom payment?
Partner with your executive leadership team and build working relationships with CSOs across your industry. Knowledge sharing is essential.
[1] Retrieved from https://www.nist.gov/
[2] Retrieved from https://www.cisecurity.org/
[4] Retrieved from https://gdpr-info.eu/
[5] Retrieved from https://www.digital-operational-resilience-act.com/
[6] Retrieved from https://www.dfs.ny.gov/industry_guidance/cybersecurity