2023 Cyber Resilience Report

This is article 1 of 18 in this Report.

August 01, 2023 / 4 min Read

How Cyber Risk Touches Nearly all Aspects of Business Risk

Increased underwriting rigor in the Cyber and E&O insurance market in 2021 and the first half of 2022 likely influenced client progress in cyber maturity.

Key Takeaways

  1. On average, organizations across industries and revenue bands improved their cyber maturity from “basic” to “managed.”
  2. Five domains – data security, application security, remote work, access control, and endpoint and systems security – demonstrated the most improvement in risk profiles.
  3. Teams must constantly evaluate the organization's preparedness for evolving threats and provide quantifiable evidence of current controls effectiveness.

According to Aon’s 2021 Global Risk Management Survey, cyber threat was predicted to remain the top risk globally for 2024, outranking COVID-19 and broken supply chains.[1] The prominence of long-term hybrid working, supply chain-related attacks, geopolitical instability, and digital connectivity continued to drive a material increase in focus on cyber risk for companies around the globe.[2] Additionally, tighter requirements by insurers from 2020 to 2022 made it more challenging to secure a cyber policy and increased the need for companies to demonstrate proper security controls and their resulting effectiveness. In this higher-threat and more stringent underwriting context, organizations could no longer expect to have cyber insurance capital readily available to hedge against the financial volatility stemming from cyber risk.

Cyber risk can be defined as the risk of financial loss, business interruption, or damage to an organization from some failure connected to its information or operational technology systems. But cyber risk goes far beyond technology. Cyber is, among other things, a holistic and enterprise risk that poses a financial, operational, people, regulatory, and even catastrophic threat to all organizations, regardless of size or sector. As such, understanding an organization’s business drivers and the daily decisions related to them often proves to be the critical link in managing the journey toward holistic and sustainable cyber resilience.

CyQu Findings: Aon Clients Report

The 2022 CyQu client data tell us that, on average, organizations across industries and revenue bands improved their cyber maturity from “basic” to “managed.” The global average of CyQu risk scores, which increased in 2022 from 2020, reflects this growth. Increased underwriting rigor in the Cyber and E&O insurance market in 2021 and the first half of 2022 drove greater scrutiny of security controls, more rigid guidelines, re-evaluation of risk, and subsequent reduced market capacity, which likely influenced this progress in cyber maturity.

Clients across industries and revenue bands reported that the budget for cyber security increased between 2020 and 2022, with an average of 10 percent of the information technology budget reportedly spent on security.

CyQu Domain Scores

Domain                           2020   2022   Change
Endpoint and Systems Security    2.5    2.9    +0.4
Remote Work                      2.5    2.8    +0.4
Application Security             1.9    2.3    +0.4
Network Security                 2.7    3.0    +0.3
Access Control                   2.5    2.8    +0.3
Data Security                    2.3    2.6    +0.3
Business Resilience              2.2    2.5    +0.3
Physical Security                2.6    2.8    +0.2
Third Party                      2.0    2.2    +0.2

CyQu Risk Maturity Scoring

Initial: 1.0 - 1.9

Basic: 2.0 - 2.5

Managed: 2.6 - 3.4

Advanced: 3.5 - 4.0

From a controls perspective, five domains demonstrated the most significant risk profile improvements, from which budget increases can be inferred: data security, application security, remote work, access control, and endpoint and systems security.

Across revenue bands, mid-market clients reported the most significant improvements in overall cyber maturity. In contrast, organizations in the global and enterprise segments reported improvements but remained at “managed” maturity. Improvement in incident response (IR) planning, data protection, endpoint logging and monitoring, and remote work vulnerability and monitoring drove the upgrade in the security profile for the mid-market. These controls moved from “basic” to “managed” in 2022. Client data reflect that access controls, data security, and business resilience were areas of focused improvement for most revenue bands. At the same time, third-party contract diligence and inventory management risk scores remained flat.

CyQu Client Segment Score Changes

Annual Revenue (group)    2020   2022   Change
Global                    2.8    2.9    +0.1
Enterprise                2.6    2.9    +0.3
Mid-Market                2.4    2.7    +0.3
SME                       2.2    2.5    +0.3


From an industry perspective, all industries reported improvements in overall CyQu risk scores. The healthcare and social assistance, retail trade, and real estate industries reported substantial improvement in moving from “basic” to “managed” security risk profiles.

CyQu Industry Score Changes

Industry                                           2020   2022   Change
Manufacturing                                      2.2    2.5    +0.3
Other Industries*                                  2.3    2.5    +0.2
Other Services**                                   2.3    2.7    +0.4
Information, Software and Technology               2.6    2.9    +0.3
Finance and Insurance                              2.7    2.9    +0.2
Health Care and Social Assistance                  2.4    2.7    +0.3
Professional, Scientific and Technical Services    2.6    2.9    +0.3
Retail Trade                                       2.3    2.6    +0.3
Transportation and Warehousing                     2.2    2.5    +0.3
Construction                                       2.1    2.4    +0.3
Educational Services                               2.4    2.5    +0.1
Real Estate, Rental and Leasing                    2.3    2.7    +0.4


* The ‘Other Industries’ category represents responses from clients in the following industries: Accommodation and Food Services; Agriculture; Arts, Entertainment and Recreation; Management of Companies and Enterprises; Public Administration; Utilities; Waste Management and Remediation Services; Administration and Support; and Wholesale Trade.

** The ‘Other Services’ category is self-selected by the client.

The most significant gain in CyQu risk scores for the healthcare industry was reported in multi-factor authentication (MFA) (1.9 in 2020 to 2.6 in 2022) and data protection (2.4 in 2020 to 3.0). The industry, however, continued to report marginal movement in third-party, software management, and application security risk profiles. Within the retail sector, 74 percent of companies reported scores higher than 2.5 for user awareness training, and more than half reported similar scores for logging and monitoring capabilities, helping to improve the sector’s overall risk profile.

In real estate, changes in scores across application security development (1.8 in 2021 to 2.5 in 2022), software management (1.9 in 2021 vs. 2.3 in 2022), risk management (1.9 in 2021 to 2.4 in 2022), and user awareness training (2.5 in 2021 to 3.2 in 2022) drove overall profile improvement.

In Summary:

Navigating this risk landscape while trying to understand the correlation between cyber and business risk has always been challenging. The pressure is on not only to continuously block and tackle, patch vulnerable systems, and understand the connection points across highly integrated technology stacks, but also to keep on top of the potential impact of emerging threats and regulatory changes. As a result, security and technology teams must constantly evaluate the organization’s preparedness for evolving threats and provide quantifiable evidence of current controls’ effectiveness to insurers and the marketplace. Alignment with best-practice control standards, like those specified by the National Institute of Standards and Technology (NIST) or the Center for Internet Security (CIS), is prudent. Security teams should regularly assess controls to determine effectiveness across preventative and response cyber maturity.


