
Aon  |  Professional Services Practice
Will cyber continue to be a major risk for professional service firms?

Release Date: December 2019

Professional service firms ranked ‘cybercrime and data breaches’ as the second most critical risk to the industry, climbing five places in only two years according to Aon’s Global Risk Management Survey 2019.

Why is cyber a key risk to professional services firms?

Access to sensitive data and commitments to client confidentiality put professional service firms at particular risk from cyber-related exposures. While safety measures and risk management strategies can eliminate a substantial portion of cyber risks, new technologies, changing regulations and the increasing sophistication of cyber-criminal tactics mean exposures are manifesting in new ways.

Why are professional service firms focusing on cyber risk?

Trust and reputation are vital in establishing and maintaining professional relationships, but the reputational damage caused by a cyber incident can quickly and decisively remove client confidence. While a cyber incident may cause immediate disruption to service delivery, the reputational damage can cause long-term losses that are more difficult to address.

How are firms tackling cyber risks?

Direct revenue loss from reputational damage is not typically covered specifically under an insurance policy. However, insurers are now working to provide coverage for this evolving risk.

Professional service firms are investing heavily in technological defences and ISO 27001 certification, and are preparing detailed incident response plans and testing them with “tabletop” exercises. Firms are also using cyber forensics consultants and legal services, and bolstering incident response plans with public relations and crisis management resources. Investing in cyber insurance is becoming an integral part of firms’ risk management strategies, with more firms buying it every year and those that already have the coverage purchasing higher limits.

How can insurance be used to manage cyber risks?

As cyber threats have evolved, the insurance market has responded with increased underwriting appetite, updated and responsive policy wordings, and increased sophistication in supporting services and risk analysis. Insurers are continually reviewing and updating their cyber products to align the cover to changing cyber risks. Competition among insurers is forcing them to improve the overall quality of policy wordings. They are also working to clarify where cover for cyber incidents resides in instances where, for example, property damage may be involved.

Since an optimal approach to cyber risk management requires careful consideration of both preventative and responsive measures, demand for insurance is increasingly driven by the support services supplied as part of the policy.

Breach response services have become a vital component of the insurers’ offerings and insurers offer immediate access to breach responders without the need to construct individual retainer arrangements.

Cyber insurance – now and the future

In today’s economy, an expected continued increase in the number and severity of incidents and increasingly stringent regulations make cyber insurance an important part of any insurance portfolio. The uptake of cyber insurance, however, remains surprisingly low. Despite the growing threat, widespread misconceptions about the adequacy of cyber cover continue to influence views on the cover.

Some coverage may exist in other policies, such as crime and professional liability and even property insurance. Working with a specialist broker who can perform the required ‘gap’ analysis is a key way that firms can ensure that gaps and overlaps are addressed.

The threat levels and consequences of sophisticated attacks on professional service firms are increasing in complexity. There have been publicised incidents involving data theft, ransomware that interrupted operations and business email compromises. The risks encompassed by cyber insurance are likely to grow in significance in the digital economy. Insurance products will continue to develop in response to changing risks, and the challenge will be to identify emerging risks and relevant insurance cover.


To discuss any of the topics raised in this article, please contact Tom Ricketts.

Tom Ricketts
Senior Vice President and Cyber Risk Leader
New York