
October 2022 / 5 Min Read

Achieve Sustained Cyber Resilience with Cyclical Strategy


Cyber Security is not Linear, but a Continuous Loop


Key Takeaways

  1. Addressing the need to achieve sustained cyber resilience and mitigate a business’s cyber exposure requires a holistic cyber security strategy that is circular, rather than linear.
  2. Guided by data, businesses using that strategy will continually cycle through the four stages of Assess, Mitigate, Transfer and Recover.
  3. As a result, businesses become informed participants in managing risk, engaged in continuous review, improvement, and investment in security.

As cyber threat actors continue to escalate their crimes and deliver staggering blows to global businesses, the risk of cyber attacks and data breaches ranks number one in Aon’s Global Risk Management Survey and is also projected to be a top risk in 2024. In fact, cyber security is perceived as a top-10 risk by every surveyed sector and job role, including CFOs, CEOs and chief people officers.

These are all roles that risk leaders must partner with to achieve cyber resilience beyond the loss of data. This includes mitigating business interruption and associated unexpected costs, potential computer forensic costs, defense costs, privacy breach notification costs, fines and penalties, and harm to a business’s reputation. Rapid scaling of technology all along the value chain has created an ecosystem of interdependencies that can be easily exploited, and businesses are ill-prepared to manage the risk. Combine that with the challenges of reduced revenues and constrained budgets, and it is hardly surprising that many organizations are finding themselves underprepared to achieve cyber resilience:

  • Just two in five organizations are ready to navigate new exposures arising from rapid digital evolution.
  • Only 17 percent of organizations report having adequate application security measures in place.
  • Positively, however, 60 percent of organizations report having sufficient network security measures to manage new digital connectivity.2

Achieving sustained cyber resilience will require a continuous cyclical strategy.

Building Cyber Resilience Through the Cyber Loop

To achieve sustained cyber resilience and mitigate exposure, a cyber security strategy must be circular rather than linear. Guided by data, businesses using that strategy will continually loop through four stages: Assess, Mitigate, Transfer and Recover 3, becoming informed participants in managing risk, engaged in continuous review, improvement, and investment in security.

Organizations may enter the loop at any of the four points depending on where they are in their current cyber security journey.

Cyber Loop


There are two broad pillars within security assessment: control efficacy and impact quantification. When examined in tandem, organizations can gather targeted insight into how their control environment impacts risk profile. Throughout an assessment, data and insight are collected and examined to understand how security controls directly impact balance sheet exposure.

Backed by an assessment, strategic decisions on what risk to avoid, mitigate or transfer can be made in the context of an organization’s mission, culture and risk appetite.


A gap often exists between understanding the technical risk of an identified vulnerability and the related financial exposure. A cyclical approach to risk mitigation bridges this gap, enabling organizations to make risk-informed decisions and implement changes (or fixes) that can enhance security maturity and maximize return on security investment (ROSI). It answers two important questions: Is risk proportionately managed? If not, what security technical controls need to be implemented or enhanced accordingly?

Most organizations today have a strong integrated technology ecosystem that is central to how they operate, which increases the attack surface. Understanding the interdependencies in this ecosystem makes collaboration across stakeholders key to a successful mitigation plan that covers how the full business, including operations and strategy, is being protected. Equally important is the need to focus not only on the present moment but also on the future roadmap, or vision, for the business.


Genuine risk transfer and risk acceptance that safeguards the balance sheet is a cyclical, objective exercise that engages stakeholders from across the organization. Quantifying maximum probable cyber losses enables senior stakeholders to understand the magnitude of potential losses and what those losses might constitute.

Armed with this knowledge, businesses can make decisions around risk-bearing appetite and the appropriate levels of risk transfer. It is also vital that organizations are aware of the many varied risk transfer mechanisms available, beyond traditional insurance, including global capital markets, security or unharnessed capital for insurance or reinsurance.


While a cyber attack itself might be short-lived, its impact can last much longer, and the road to recovery is often complex. Advance preparation is critical for businesses to quickly and successfully activate a response.

A full recovery needs to quantify impact and manage third-party and insurance claims to ensure maximum recovery of costs and get to a cashflow neutral position. Immediate response, containment, and investigation need to be combined with assessing operational and financial impact and presenting insurable losses to advance the claims process and support third-party and regulatory claims, all measured and aligned to business objectives.

Businesses properly managing cyber risk through the loop strategy will have gathered valuable insights via continuous assessment and be in a better position to recover quickly.




This material has been prepared for informational purposes only and should not be relied upon for any other purpose. You should consult with your own legal and information security advisors or IT Department before implementing any recommendation or guidance provided herein.

Cyber security services offered by Stroz Friedberg Inc. and its affiliates. Insurance products and services offered by Aon Risk Insurance Services West, Inc., Aon Risk Services Central, Inc., Aon Risk Services Northeast, Inc., Aon Risk Services Southwest, Inc., and Aon Risk Services, Inc. of Florida and their licensed affiliates.
