Aon | Professional Services Practice
Cyber October 2025 – Good News Tempered by a Dynamic Threat Environment for Professional Service Firms
Release Date: October 2025
Cyber Awareness Month is a time to consider the cyber landscape and how professional service firms can build resilience, plan and practice responses to attacks and make their contribution to securing our world.
In our Cyber October 2024 – Securing Our World, we highlighted how ransomware was continuing its relentless rise and that professional service firms continue to be a favored target.
Since then, much of the news in the cyber world has been good:
- The premium corrections of 2020 through 2022 proved to be sufficient to put insurers back into profitability and premiums have continued to moderate against a background of plentiful capacity
- Several major threat actor groups have been disrupted. LockBit and more recently BlackSuit were taken down by international law enforcement collaboration and BlackCat (aka ALPHV) disbanded
- Ransomware payments have reportedly been declining with fewer victims opting to pay
The challenge, as always with everything in cyber, is that the entire environment is dynamic. Threat actors are endlessly creative and determined. It is increasingly difficult to read the signals and identify reliable trends in the insurance market and in the threat environment:
- Despite the reports of declining payments, ransomware is still on an upward trend with many new groups emerging, some suspected to be operatives reforming from groups that have dissolved
- Extortion based on data exfiltration is on the rise, with one group publicly announcing that it has moved from ransomware to a data extortion model
- Breaches of regulated data (PII & PHI) are generating more and more class action lawsuits
- Business Email Compromise (BEC) and Social Engineering Fraud are growing rapidly
- Software supply chain attacks, cloud compromises and third-party vendor vectors are all on the rise
- The political, economic and geopolitical environments are fueling Hacktivism and Insider Threats
- Premium rates, particularly on the primary layer, are leveling off
- Insurer loss ratios continue to deteriorate as claims continue to increase
Against this background, we have brought together four Insights that address facets of the major trends in the current environment and discuss the implications for professional service firms.
- Aon Global 2025 Cyber Risk Report – Based on Aon’s extensive data and analytics from our client base, this report reviews the trends shaping the current cyber insurance market, from claims to the impact of security controls to insurer competition.
- Insider Threat – The professional service sector is in a maelstrom of forces that is creating a great deal of uncertainty for employees. Mergers & Acquisitions and Private Equity Investments, deployment of advanced AI tools, domestic and international political tensions and regulatory scrutiny are all creating an environment that can exacerbate the insider threat. From employees who are worried about job security, through “bad leavers”, to those who profoundly disagree with the actions of leadership, the dynamics of uncertainty can drive employees into taking advantage of their trusted position and cause harm to the firm.
- Social Engineering Attacks – Threat actors are increasingly expanding their activities into Social Engineering Fraud and Business Email Compromise, often leveraging sophisticated AI tools, to directly steal money from their victims. This activity is one of the most difficult risks to insure. Options and coverage are limited so it is important to understand what coverage is available for these types of fraud.
- Data Governance – Data is the lifeblood of professional service firms and any compromise of confidential or regulated data exposes the firm to reputational harm, legal action from clients, costs of issuing statutory notifications, regulatory fines and penalties and, of course, potential ransom payments to hackers threatening to release the data. Managing data to minimize the risks starts with the ability to identify and quantify what you have. This is just the first step, albeit one of the more challenging ones, of a governance process to manage the risks associated with all types of sensitive data.
Contact
The Professional Services Practice at Aon values your feedback. To discuss any of the topics raised in this insight, please contact Brendan Groarke.
Brendan Groarke
Managing Director
New York
About Aon
Aon (NYSE: AON) exists to shape decisions for the better — to protect and enrich the lives of people around the world. Through actionable analytic insight, globally integrated Risk Capital and Human Capital expertise, and locally relevant solutions, our colleagues provide clients in over 120 countries with the clarity and confidence to make better risk and people decisions that help protect and grow their businesses.
©2025 Aon plc. All rights reserved.
Aon is not a law firm or accounting firm and does not provide legal, financial or tax advice. Any commentary provided is based solely on Aon’s experience as insurance practitioners. We recommend that you consult with your own legal, financial and/or insurance advisors on any commentary provided herein. All descriptions, summaries or highlights of coverage described herein are for general informational purposes only and do not amend, alter or modify the actual terms and conditions of any relevant policy. Coverage is governed only by the terms and conditions of such policy. Insurance coverage in any particular case will depend upon the type of policy in effect, the terms, conditions and exclusions in any such policy, and the facts of each unique situation. No representation is made that any specific insurance coverage would apply in the circumstances outlined herein. Please refer to the individual policy forms for specific coverage details.
The information contained in this document and the statements expressed are of a general nature and are not intended to address the circumstances of any particular individual or entity.
This document is not intended to address any specific situation or to provide legal, regulatory, financial, or other advice. While care has been taken in the production of this document, Aon does not warrant, represent or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the document or any part of it and can accept no liability for any loss incurred in any way by any person who may rely on it. Any recipient shall be responsible for the use to which it puts this document. This document has been compiled using information available to us up to its date of publication and is subject to any qualifications made in the document.
Insurance products and services offered by Aon Risk Insurance Services West, Inc., Aon Risk Services Central, Inc., Aon Risk Services Northeast, Inc., Aon Risk Services Southwest, Inc., and Aon Risk Services, Inc. of Florida and their licensed affiliates.
