Cyber Risk: Businesses must focus on the right controls

May 2021


New Aon cyber security report highlights the growing vulnerability of businesses to cyber risks and the need to get the basics in place

In her first speech as the National Cyber Security Centre’s (NCSC) new CEO, Lindy Cameron OBE recently warned that boardrooms need to do more about recognising the cyber threat that their businesses face: “Cybersecurity is still not taken as seriously as it should be, and simply is not embedded in UK boardrooms. The pace of change is no excuse — in boardrooms, digital literacy is as non-negotiable as financial or legal literacy.”

Backing up her conclusion, Aon’s latest 2021 Cyber Security Risk Report – based on real client data from its CyQu platform – found that only two in five organisations report that they are prepared to navigate the new exposures arising from rapid digital evolution, and only 17% have adequate application security measures in place.

From a leadership perspective, it is key to understand cyber risk, how it can impact an organisation, and what mitigations, particularly around the right controls, should be put in place from both an insurance and a non-insurable perspective.

Ransomware up 400%

The last 12 months have seen a marked increase in the frequency and severity of cyber incidents. According to Aon’s report, ransomware attacks were up 400% from the first quarter of 2018 to the fourth quarter of 2020. High-profile attacks on SolarWinds, Microsoft Exchange, and Accellion highlighted how exposed businesses are to attacks on third-party suppliers.

Given the threat, Aon has identified four key risk themes that every business should focus on: navigate new exposures (rapid digital evolution); know your partners (third party risk); perfect the basics (regulation); and concentrate on controls (good cyber hygiene). All of these are critical, but it’s worth zeroing in on the value of getting the recommended controls in place.

Known vulnerabilities

Most cyber incidents come through known vulnerabilities, yet many organisations are not focusing on the controls that help to prevent, detect and respond to ransomware attacks effectively. For example, fewer than half (44%) of the organisations in Aon’s report have adequate access management measures. In light of these low levels of cyber hygiene, and with the cyber insurance market seeing an increase in the frequency and severity of losses, cyber insurance underwriters are now asking their clients very specific and technical questions around controls. It’s no surprise that some 62% of insurers cite access control as a critical underwriting criterion.

There’s still a sense of inevitability that a successful cyber attack will happen to every organisation at some point. But if an organisation can demonstrate that it is managing its cyber risk better, it can reduce the likelihood of an event happening, reduce the impact of an attack when it does happen because the controls are in place, and present itself as a better risk to insurers.

It could well be that the insurance market will play an important role in driving up these cyber hygiene standards. A recent study from the UK government’s Department for Digital, Culture, Media and Sport (DCMS) found that more than one in five large businesses (21%) say they have a specific cyber risks insurance policy. It means a growing proportion of businesses are now having to satisfy underwriters that they have taken care of their cyber security basics.

That same DCMS report, however, warns that only 34% of businesses have carried out a risk assessment covering cyber security risks. Aon’s report underlines this finding by revealing that only 40% of organisations are prepared to navigate new exposures arising from digital evolution and that, for third party risk, just over a fifth (21%) have baseline measures to oversee critical suppliers and vendors.

Get a handle on the risk

This provides further evidence of the need for businesses to up their game on the basics of cyber security, particularly given the shifting nature of the risk and the likelihood of new threats coming from developments such as the use of artificial intelligence, alternative payments, the technology supply chain, and the dark web. A good place to start is by getting a handle on where the risks are coming from and how they’re managed, and by focusing on the basics such as good cyber hygiene and the use of standalone cyber insurance to help protect the business both operationally and financially, as well as limiting any potential brand damage from a successful attack.

Businesses can get a valuable snapshot of their current cyber maturity and insight into the greatest areas of cyber risk to their organisation through Aon’s CyQu risk assessment platform.*

For more on Aon’s 2021 Cyber Security Risk Report.

For more information or any questions you may have surrounding the topics discussed in this article, please contact Mark Brannigan

Aon UK Limited is authorised and regulated by the Financial Conduct Authority. FPNAT552. Registered in England and Wales. Registered number: 00210725. Registered Office: The Aon Centre, The Leadenhall Building, 122 Leadenhall Street, London EC3V 4AN. Tel: 020 7623 5500.

*The following products or services are not regulated by the Financial Conduct Authority:
- Cyber risk services provided by Aon UK Limited and its affiliates
- Cyber security services provided by Stroz Friedberg Limited and its affiliates

Whilst care has been taken in the production of this article and the information contained within it has been obtained from sources that Aon UK Limited believes to be reliable, Aon UK Limited does not warrant, represent or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the article or any part of it and can accept no liability for any loss incurred in any way whatsoever by any person who may rely on it. In any case any recipient shall be entirely responsible for the use to which it puts this article.

This article has been compiled using information available to us up to 12/05/21.


Mark Brannigan
Vice President, UK Head of Cyber Solutions
+44 7786 545 169