CyQu

Retail business shops for help in managing its cyber unknowns

The situation

A UK retailer struggled to have a clear insight into its cyber exposure. There were constraints for key stakeholders from the IT and cyber security functions. And the insurance manager who sat on the audit committee, that supervised risk mitigation activity, did not understand cyber risk.

The challenge

The retailer wanted to understand its current cyber exposure – gaining an external opinion on its current cyber risk maturity position – while identifying methods that could help mitigate its exposures and underpin its insurance-placing process with data insights.

Our solution

Aon provided the retailer with access to its online cyber risk assessment (CyQu) and received a first cyber risk maturity score within 90 minutes of completion. Within 10 days, our cyber risk consultants compiled a custom CyQu report with prioritized recommendations and risk transfer strategies for the business based upon the retailer’s responses, and retailer was then able to complete our short insurance proposal form and receive a competitive cyber insurance quote.

Results

• Gained a clearer understanding of the overall cyber risk exposures supported by data and analytics
• Activated a cyber insurance solution with broad coverage
• Implemented a series of crisis management simulation trainings to help improve control areas that had a low maturity rating

Facilitating a facilities business understanding of its cyber risk

The situation

With multiple geographies and business units, a global facilities services company needed to better understand and manage its cyber risk, which had become a top priority for its Board.

The challenge

Not only did the business want to better understand its core cyber risk as it evolved its core business model, it wanted to align its IT, information security and business strategy while informing decision-making across its cyber risk management.

Our solution

Working with our CyQu product, Aon delivered a combined Cyber Impact Analysis and Security Maturity Review, which allowed our client to baseline their current cyber risk posture, and to provide a yardstick to measure progress as they improved their cyber posture.

Results

• Achieved a better understanding of their cyber risk , which could then be more effectively communicated within their business model
• Gained the ability to make more balanced decisions on how best to mitigate cyber risk through a blend of risk transfer and prioritized investment on improving cyber security controls across key business functions

Hotel group looks for room to improve its cyber security

The situation

A hotel group wanted to evaluate its cyber security posture against the evolving technology and threat landscape. Alarmed by a series of high-profile attacks in its sector, the hotelier felt compelled to consider their own situation and develop a data-driven risk management strategy across its subsidiaries.

The challenge

First, it was important that the hotelier could understand the wider picture by looking at the cyber threats impacting the hospitality and entertainment sector. Secondly, it wanted to evaluate the performance of cyber security controls for each of the its major subsidiaries. It was important that the hotelier could then compare its subsidiaries’ respective cyber risk maturity scores against Aon’s industry benchmark. Finally, the business needed to establish a practical remediation plan across its subsidiaries to protect its corporate balance sheet.

Our solution

We asked the hotel group’s subsidiaries to complete our online cyber risk assessment (CyQu). Respondents took an average of 90 minutes to complete the assessment, after which they received an immediate cyber maturity snapshot and visibility into which control areas represented the greatest points of vulnerability based upon their submitted responses.

Using our proprietary scoring system, we were able to use the CyQu outputs to tailor a detailed management report, enabling comparison across the various operating entities and recommending actionable improvements. We also produced a prioritized risk mitigation strategy customized to the organization’s unique maturity scores and best practices within the hospitality industry.

Results

• Identified a consistent approach for cyber risk and baselining control maturity at both the enterprise and asset portfolio level
• Developed stronger collaboration between the respective IT and risk teams across the company’s various operations; helping to inform decisions around risk treatment and transfer options
• Empowered by Aon analytics and the risk mitigation strategy document, the hotel group devised a cyber security roadmap designed to help deliver the greatest risk reduction and improvement to cyber security posture

Prevention is better than cure for pharma business

The situation

While undergoing significant change in their business processes and practices (specifically from an IT perspective), a UK-based pharmaceutical business was concerned about rapid developments to the cyber threat landscape / environment and where its vulnerabilities might lie within their current cyber security posture.

The challenge

It was important for the business to understand the key cyber threats they faced across the organization and in its key business functions. The company wanted to gain support in analyzing their security control posture and learn which areas represented the greatest points of vulnerability while identifying the different possible cyber scenarios that could materialize.

Our solution

A completion of our online cyber risk assessment tool – CyQu – allowed the pharma business to better understand its cyber exposure and most critical vulnerabilities based upon their responses. Using tailored best-practice controls and mandatory controls required by regulation, CyQu helped the business rapidly evaluate its cybersecurity posture. And, by highlighting specific areas of weakness, the CyQu tool facilitated a future exercise to develop credible cyber risk scenarios.

Results

• Developed a deeper understanding of the prioritized cyber threats across key business units / geographies
• Identified strengths and weaknesses and an appropriate roadmap for cyber security improvement
• Established attack-paths of potential attackers and developed credible cyber scenarios to further understand their risk profile

Piecing the data jigsaw together

The situation

A global organization, which had recently undertaken a major strategic acquisition, wanted to develop its cyber resilience strategy and buy specific standalone cyber risk insurance coverage. Due to the integration process with the new business, data sets were fragmented, and internal stakeholders were still getting to know one another. As a result, the business was finding it difficult to pull together the information needed for an underwriting submission and market presentation while being under significant time pressure to achieve the insurance placement.

The challenge

Disparate data sets needed to be quickly gathered together while also engaging stakeholders from across the organization that had limited prior knowledge of each another. There also needed to be a minimal impact on client resources, which were currently focused on critical integration activities. In addition, the business needed to develop a compelling and complete underwriting submission and market presentation that established them as a “good risk” to the insurance market to help achieve favorable coverage terms and premium pricing.

Our solution

Aon began by working with a senior IT stakeholder from the business who was asked to complete our online cyber risk assessment (CyQu), to gather high-level information on the organization’s control environment. By leveraging that information, we were able to develop an underwriting submission and market presentation; identifying information gaps and using targeted calls with stakeholders to help close them. We then developed a strong narrative to present the risk to the insurance market.

Results

• Delivered a successful market submission and presentation leading to improved coverage terms and premium pricing
• Enabled clear articulation of the value of cyber insurance to the company’s C-suite
• Enabled the Group Risk and Insurance Managers to be more involved in the process of presenting the cyber risk management approach to underwriters, including providing additional insights and clarity
• • Established stronger collaboration across the company’s operations – helping to inform decisions around risk treatment and transfer options

Tech business looks for plug-in protection

The situation

A global high-tech business, that wanted to pursue a new corporate strategy through the provision of software services to high-value clients and new contracts, found itself encountering greater cyber threat complexity within an intricate network infrastructure that had systems directly interfacing with major clients.

The challenge

The software business needed to understand the key cyber threats facing the organization and its key business functions, while evaluating the security readiness of distinct business functions when interfacing with third-party networks. By analyzing their security control posture, they would be able to learn which areas represent the greatest points of vulnerability to the business and be in a position to prioritize their future security investment strategy.

Our solution

Using our dynamic cyber risk management portal – CyQu – Aon helped the business evaluate their readiness to execute new client strategies across their numerous business units; highlighting priority areas for remediation and helping to safeguard their environment and clients’ environments. The CyQu reports were also utilized to help provide the business’s clients with assurances as to the maturity levels of cyber security controls within the organization.

Results

• Gained insights into the critical remediations required to help safeguard the network infrastructure
• Helped the organisation’s C-Suite understand the importance of further security investments enabling greater commercial growth
• Established the process for consistent evaluation complementing the less regular, more in- depth security audits