Cyber Attack or Data Breach

What Is a Cyber Attack or Data Breach?

Cyber threats, cyber attacks and data breaches are distinct but closely related risks:

• A cyber threat is a possibility that a specific type of attack, damage or harm may occur. 
• A cyber attack (or cyber event) is a bad actor’s attempt to compromise a system.
• A data breach can result from a successful cyber attack that exposes confidential, sensitive or proprietary information to an unauthorized person. Files and other information involved in a data breach may be accessed, viewed and shared without permission.

Why Is a Cyber Attack or Data Breach a Top Risk for Organizations Today?

Cyber threats and ransomware attacks have become more frequent, sophisticated and severe in the past four years, with impacts ranging from reputational and financial damage to critical operations being compromised.

After peaking in 2021, the number of ransomware attacks declined in 2022 amid a period of decreased funding for and activity among threat actors, together with improved risk mitigation (including more rigorous cyber-insurance underwriting). Unfortunately, ransomware attacks jumped 176 percent in the first half of 2023, signaling a need to remain vigilant in managing this threat through strategies such as focused risk assessments, investment in appropriate controls and insurance.

Addressing and recovering from cyber events has become increasingly complex and will continue to be so. Cyber events can have an impact on all areas of an organization, and regulatory bodies are tightening cyber-security requirements; consequently, cyber resilience is a key topic of discussion in boardrooms worldwide. Organizations must continuously block and respond to threats, patch vulnerable systems, and evaluate connection points across highly integrated technology stacks — all while maintaining up-to-the-minute insights into potential impacts from emerging threats and changing regulatory requirements, which may impose rigid guidelines. The use of artificial intelligence (AI) for cyber attacks and malware creation is an area of particularly weighty and growing concern.

In addition to the rise in emerging threats, the link between individual employees and organizational cyber-security risks cannot be overstated. Half of the digital forensics and incident response (DFIR) matters handled by Aon in 2022 were related to social engineering and phishing. According to Aon’s 2023 Cyber Resilience Report, more than half of cyber events will be caused by human factors by 2025. Another report from 2023 noted a human element in 74 percent of all breaches — from simple human error and social engineering to misuse of privileges and stolen credentials.¹  These actions expose employers to a range of other potential risks, including loss of intellectual property, punitive regulatory action and reputational harm.

The cost of a single enterprise data breach rose to a historic high of nearly $4.5 million among companies that experienced breaches from March 2022 to March 2023. The per-breach cost was even higher (approximately $5.4 million) for companies that reported they did not use AI and automation as part of their security efforts. And 67 percent of data breaches among surveyed companies were discovered by an external third party or divulged by the attacker.² Our own survey results reflect this grim reality: One in five respondents reported that their organizations had lost income from cyber attacks and data breaches in the prior 12 months.

How Can Organizations Mitigate the Impact of a Cyber Attack or Data Breach?

Navigating the path to cyber resilience — and, ultimately, operational resilience — is challenging. But forward-looking resilience strategies are essential to help minimize financial, operational and reputational risks. Every cyber-resilience journey requires a holistic, proactive approach that combines risk identification and assessment, risk mitigation, response preparation and recovery, and risk transfer mechanisms.

Identify and assess cyber risk. Organizations should collect and examine data and insights to understand the full range of impacts from cybersecurity and exposures, including how security controls affect balance sheet exposures. These findings can then inform leaders’ strategic decisions about how to avoid, mitigate or transfer cyber risk in alignment with the organization’s overall mission and objectives.

Mitigate cyber risk. A critical aspect of any cyber-resilience journey is testing and updating business-continuity and disaster-recovery plans based on changes to tools, technologies and procedures, as well as current business operations. 

To help mitigate cyber threats and prepare for more-rigorous insurance underwriting, organizations’ security and technology teams should continuously evaluate evolving threats and provide quantifiable evidence of the effectiveness of current controls to insurers and the marketplace. Teams should focus on security controls that mitigate ransomware attacks, particularly controls that are a critical part of the insurance underwriting process. Aligning with best-practice control standards, such as those from the National Institute of Standards and Technology (NIST) or the Center for Internet Security (CIS), can further aid organizations in shoring up cyber security while supporting compliance with evolving regulatory requirements. Periodic risk quantification and risk-based heat mapping are other ways to help ensure that any insurance purchase retains its value as part of a company’s overall strategy for mitigating cyber risk, while scenario and attack-path analyses help identify the security domains and core controls with the greatest capacity to mitigate damage from a cyber incident.

Organization-wide cyber-defense training is a critical component in mitigating risks. The importance of complying with cybersecurity measures should be clearly communicated from the top levels of an organization and reinforced with regular messaging, training and support. Establishing a robust cyber culture can be one of the best ways to help mitigate cyber risks. It hinges on building awareness at the individual employee level so that everyone understands both the organization’s policies and strategies and the role each person plays in upholding and advancing them.

Finally, while arming employees with best practices to guard against falling prey to fraudulent acts is imperative, supporting employee wellbeing is also vital. Stressed and disengaged employees are often more likely to make mistakes or to deliberately circumvent cyber-security measures. And employee stress remains high. For example, one-third of respondents to the American Psychological Association’s 2023 Workplace Wellness Survey expressed fears that AI would render their job duties or roles obsolete. Further, half of the respondents who expressed fears about AI reported symptoms of burnout such as irritability and lack of motivation.

Prepare cyber-incident response and recovery. Recovering from a cyber incident is often a complex, protracted process. Preparing in advance can allow organizations to initiate this process much more quickly and with greater success. Incident response, containment and investigation efforts should be undertaken alongside an assessment of financial and operational impacts, including third-party and insurance claims. With advance planning, these efforts can be measured against and aligned to business objectives while helping to expedite claims processing and work to achieve cash-flow neutrality.

Transfer cyber risk. Once an organization has quantified its maximum possible cyber losses, it can regularly assess and adapt its cyber-risk acceptance and transfer strategies with informed input from all stakeholders. Risk transfer is important to deliver financial resilience, and transfer options are not limited to traditional insurance placement — captive insurance and alternative capital are also viable approaches to support balance sheet protection. 

¹ 2023 Data Breach Investigation Report, Verizon, 2023, https://www.verizon.com/business/resources/reports/dbir/.
² Cost of a Data Breach Report 2023, IBM Security, July 2023, https://www.ibm.com/downloads/cas/E3G5JMBP.

General Disclaimer
This document is not intended to address any specific situation or to provide legal, regulatory, financial, or other advice. While care has been taken in the production of this document, Aon does not warrant, represent, or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the document or any part of it and can accept no liability for any loss caused by reliance on it. Any recipient shall be responsible for the use to which it puts this document. This document has been compiled using information available to us up to its date of publication and is subject to any qualifications made in the document.