2023 Cyber Resilience Report
This is article 5 of 17 in this Report.
August 01, 2023 / 4 min Read
Steps to Minimize Cyber’s Impact on Systemic Risk
Systemic risk arises internally and externally to the organization and represents a multiplier effect on the scale and scope of a cyber incident.
- The task of managing systemic risk has catapulted to the top of the priority list for the insurance industry.
- Aon predicts that a single significant and successful cyber attack could potentially affect up to 20 percent of organizations worldwide.
- Modeling extreme cyber events can expose aggregate risk and predict the likelihood of an attack.
The SolarWinds (2020) and Kronos (2021) attacks rang the alarm bell that systemic risk is considerable. Thousands of companies across sectors felt the impact when a ransomware attack compromised Kronos’ private cloud. This widespread fallout raised the vital question of vendor liability and who was responsible for the loss after this incident.
Systemic risk is far-reaching and comes primarily from two sources: the pervasive use of standard technologies and the integrated nature of global economies. Prudent regulators are concerned about the systemic risks associated with aggregation and accumulation.1 Aggregate risk arises when an industry depends on a limited number of technology providers, so that a single outage can cripple many entities at once; if a critical technology goes offline, numerous banks relying on it could be paralyzed simultaneously. Accumulation risk, by contrast, refers to shared vulnerabilities created by common technology adoption within an industry: multiple banks exposed to the same zero-day vulnerability which, if exploited, could cause widespread damage.
Systemic risk arises internally and externally to the organization and represents a multiplier effect on the scale and scope of a cyber incident. This means that individual organizations can suffer significant financial losses if systemic risks are not effectively managed.2 It is no wonder, then, that managing systemic risk has catapulted to the top of the priority list for the insurance industry. As cyber threats evolve, risk quantification models and scenario planning are being refined to determine an organization’s risk profile more accurately. This informs the extent of cyber insurance coverage required to safeguard against potential losses from systemic risks. Like tracking the path of a storm, modeling extreme cyber events can expose aggregate risk and predict the likelihood of an attack. Data intelligence, including a detailed map of the organization’s tech stack (internal and third-party vendor stacks alike), gives insight into the level of connectivity; together with the sophistication of the threat actors and the standard security mechanisms in place, this forms the basis of the risk models.
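The two scenarios above can be made concrete with a small dependency map. The following is an added example, not code from the Aon report: it builds a constructed, hypothetical map of organizations, their third-party vendors, and the technology components each runs, then asks the two questions a risk modeler asks. The aggregate question is "which single component or provider, if it goes offline, takes down the largest share of organizations?", which includes exposure inherited one hop through a vendor's own stack (the Kronos private-cloud pattern). The accumulation question is "what share of organizations is exposed to a shared vulnerability in a given set of components?". All names (`bank_a`, `payroll_saas`, `private_cloud_k`, and so on) are invented for illustration.

```python
"""Toy aggregation / accumulation model over a constructed dependency map.

Added example, not part of the Aon report. All organization, vendor and
component names below are hypothetical sample data.
"""
from collections import defaultdict

# Constructed sample: components each organization runs directly.
ORG_COMPONENTS = {
    "bank_a": {"core_banking_x", "vpn_gw", "email_suite"},
    "bank_b": {"core_banking_x", "vpn_gw"},
    "bank_c": {"core_banking_y", "vpn_gw", "email_suite"},
    "retailer_d": {"pos_platform", "email_suite"},
    "hospital_e": {"ehr_system"},
}

# Constructed sample: third-party vendors each organization depends on.
ORG_VENDORS = {
    "bank_a": {"payroll_saas"},
    "bank_b": {"payroll_saas", "msp_one"},
    "bank_c": {"msp_one"},
    "retailer_d": {"payroll_saas"},
    "hospital_e": {"payroll_saas", "msp_one"},
}

# Constructed sample: the vendors' own tech stacks (inherited exposure).
VENDOR_COMPONENTS = {
    "payroll_saas": {"private_cloud_k", "email_suite"},
    "msp_one": {"vpn_gw", "rmm_tool"},
}


def effective_components(org):
    """Everything org is exposed to: its own stack plus its vendors' stacks (one hop)."""
    comps = set(ORG_COMPONENTS.get(org, ()))
    for vendor in ORG_VENDORS.get(org, ()):
        comps |= VENDOR_COMPONENTS.get(vendor, set())
    return comps


def dependency_shares():
    """Aggregate risk view: fraction of organizations exposed to each component."""
    exposed = defaultdict(set)
    for org in ORG_COMPONENTS:
        for comp in effective_components(org):
            exposed[comp].add(org)
    total = len(ORG_COMPONENTS)
    return {comp: len(orgs) / total for comp, orgs in exposed.items()}


def concentration_report(threshold=0.5):
    """Components on which at least `threshold` of organizations depend, most concentrated first."""
    shares = dependency_shares()
    hits = [(comp, share) for comp, share in shares.items() if share >= threshold]
    return sorted(hits, key=lambda cs: (-cs[1], cs[0]))


def outage_impact(component):
    """Aggregate scenario: organizations taken down if one component/provider goes offline."""
    return sorted(org for org in ORG_COMPONENTS if component in effective_components(org))


def accumulation_impact(vulnerable_components):
    """Accumulation scenario: organizations exposed to at least one shared vulnerable component."""
    vulnerable = set(vulnerable_components)
    return sorted(org for org in ORG_COMPONENTS if effective_components(org) & vulnerable)


if __name__ == "__main__":
    for comp, share in concentration_report():
        print(f"{comp:16s} {share:.0%} of organizations")
    # A vendor's private cloud goes down: who is affected, even without running it themselves?
    print("private_cloud_k outage hits:", outage_impact("private_cloud_k"))
    # A zero-day in both core-banking products: sector-wide accumulation.
    print("core-banking zero-day hits:", accumulation_impact({"core_banking_x", "core_banking_y"}))
```

Note that `hospital_e` and `retailer_d` appear in the private-cloud outage list although neither runs that component directly; the exposure is inherited through the vendor. In a real model the dependency map is the "detailed map of the tech stack" the text describes, and the one-hop vendor traversal would typically be extended to fourth parties.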
Aon’s Cyber Reinsurance Practice group’s research indicates that the impact of the NotPetya attack in 2017, a prime example of an accumulation scenario, represents only a small fraction of the potential devastation that could be wrought by similar but larger-scale cyber attacks. Imagine the potential fallout: Aon predicts that a single significant and successful cyber attack could potentially affect up to 20 percent of organizations worldwide. It’s a chilling thought. Predictably, insurers are more thoughtful about issuing policies and cognizant of the potential of paying out down the line. Although the average industry loss ratio saw a minor decrease from 67 percent to 66 percent, three-quarters of the top 20 insurers saw their loss ratios shift by more than 5 percent, either upwards or downwards. In response to the increased frequency of claims in previous years, insurance providers in 2022 began to mandate enhanced security controls for insured companies.3 Companies that did not invest in and improve their security landscape saw restricted covenants or increased declinatures.
More exclusions now exist in cyber risk, and aggregate risk drives hardening requirements or additional underwriting. Loss frequency continues to decline from its 2021 peak but remains above 2019 levels. On a concerning note, the frequency of ransomware attacks rose sharply, by 49 percent, in the first quarter of 2023. With improved claim frequency and the unprecedented rate environment that emerged in 2022, we anticipate robust market growth. This suggests that cyber insurance could become a highly profitable product segment in the coming years.4
1 “Systemic Cyber Risk.” European Systemic Risk Board (ESRB). Report. February 2020.
2 “Cyber Risk Aggregation.” DeNexus. Blog. 29 November 2021. https://blog.denexus.io/cyber-risk-aggregation; “Buyer-Friendly Cyber and E&O Market: How to Take Advantage.” Aon.
3 2021 & 2022 Cyber Insurance Report by National Association of Insurance Commissioners (NAIC).
Insurance products and services are offered by Aon Risk Insurance Services West, Inc., Aon Risk Services Central, Inc., Aon Risk Services Northeast, Inc., Aon Risk Services Southwest, Inc., and Aon Risk Services, Inc. of Florida, and their licensed affiliates.
The information contained herein and the statements expressed are of a general nature, not intended to address the circumstances of any particular individual or entity and provided for informational purposes only. The information does not replace the advice of legal counsel or a cyber insurance professional and should not be relied upon for any such purpose. Although we endeavor to provide accurate and timely information and use sources we consider reliable, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future.
Managing cyber across six featured risk themes.
This year’s report is a guide for leaders to benchmark their organization’s risk maturity against peer companies and to help make better decisions around managing cyber across six featured risk themes: cyber, operational, supply chain, insider, reputational, and systemic.