2023 Cyber Resilience Report

This is article 6 of 18 in this Report.

August 01, 2023 / 5 min Read

Take These Steps to Mitigate Operational Risks

Critical controls perceived to reduce the probability or severity of a ransomware event with the potential to disrupt operations are the focus of insurers.

Key Takeaways

  1. Clients reported an aggregate improvement in critical controls implementation in 2022 over 2021 across those controls prioritized by insurance carriers.
  2. Ransomware data breaches were down 16 percent from Q3 2022 to Q4 2022, but the cyber and errors and omissions (E&O) insurance marketplace data show an uptick in Q1 2023.
  3. Across regions, clients’ level of business continuity management (BCM) remained flat between 2020 and 2022 and sits at a basic level.

Operational risk, defined as the risk of losses caused by disruption to an organization’s operations or failure across people, processes, or technology, is a top concern for global security teams and insurance carriers. Ransomware and phishing schemes continue to present significant risk. While ransomware data breaches were down 16 percent from Q3 2022 to Q4 20221, the cyber and errors and omissions (E&O) insurance marketplace data show that in Q1 2023, there was an uptick in ransomware and the frequency of events increased by 49 percent.2 Phishing and spear phishing also ramped up significantly at the start of 2023, according to Aon’s cyber security team. The sophistication of these techniques makes it easier for attackers to masquerade and more challenging for victims to discern between what is legitimate and illegitimate.

Organizations must plan for the worst-case attack. For example, what happens if the company’s network goes down completely? How will the business be supported and sustained? Does the company have a resiliency model that can manage this process? How will the company keep clients whole, even at the cost of business opportunity? These questions are critical components of business continuity planning (BCP) and business continuity management (BCM). Aon’s CyQu data revealed that across regions, clients’ level of BCM remained flat between 2020 and 2022 and sits at a basic level. More focus on scenario-planning operational disruptions is needed. While it is imperative to layer technical controls on the enterprise to prevent ransomware, equally important is the need for disruption preparedness across business operations.

Insurers and the marketplace are increasingly expecting this operational risk planning level. While market conditions for cyber and E&O insurance have stabilized, and substantial new capacity and lower loss ratios helped decrease rates in cyber and E&O in early 2023,2 the underwriting process remains rigorous.3 Critical controls perceived to reduce the probability or severity of a ransomware event with the potential to disrupt operations are the focus of insurers. These priority controls include access management, business resilience, and data security/patch management.4

Ransomware Supplemental Red Flag Controls Data Findings: Aon Clients Report

Clients reported an aggregate improvement in critical controls implementation in 2022 over 2021 across those controls prioritized by insurance carriers. In the U.S., the industries that reported the most remarkable progress in critical IT controls were construction (+10 percent), manufacturing (+9 percent), and finance and insurance (+7 percent). To stay globally competitive, manufacturing companies are shifting toward more digitized and integrated Internet of Things (IoT) processes both within the factory walls and out into their supply chains,5 which correlates with this dedication to operational risk maturity. The construction industry is similar. Many firms have started using IoT technologies to enhance worksite safety and manage progress.6 This digitization expands the attack surface. Construction teams have also moved from paper workflows to the cloud, introducing new vulnerabilities and providing an excellent opportunity for ransomware and phishing schemes. In EMEA and the UK, 2022 data showed that the manufacturing and construction industries are less sophisticated in critical IT controls maturity, with construction reporting deficiencies in more than half of these controls.


Percent of Lack of Critical IT Controls' for Given Industry in US (red flags)

* ‘Other Industries’ category represents responses from clients in the following industries: Accommodation and Food Services, Agriculture, Arts, Entertainment and Recreation, Management of Companies and Enterprises, Public Administration, Utilities, Waste Management and Remediation Services, and Administration and Support, Wholesale Trade.

** ‘Other Services’ category is self-selected by the client


Percent of Lack of Critical IT Controls' for Given Industry in EMEA and UK (red flags)

* ‘Other Industries’ category represents responses from clients in the following industries: Accommodation and Food Services, Agriculture, Arts, Education Services, Entertainment and Recreation, Management of Companies and Enterprises, Public Administration, Utilities, Waste Management and Remediation Services, and Administration and Support.

** ‘Other Services’ category is self-selected by the client


Organizations focused on shoring up critical backup controls in 2022, with 61 percent of controls implemented in 2022 compared to 55 percent in 2021. However, looking at the data more granularly, a gap is revealed. Almost 90 percent of companies in U.S. reported not storing backups in the cloud, and 70 percent do not store backups offsite or have immutable backups. Backup security remains a top concern, and rightly so. Ransomware has evolved to attack backups themselves, putting data at increased risk. Immutable backups are critical for businesses that depend on the safety and security of the data they are responsible for. Only immutable backups provide a clean, recent copy of data that supports quick recovery and efficient protection.

Business resilience continued to pose a top concern for clients in 2022. Insurers have moved from simplistic check-box questions, for example, asking if the organization has backups, to asking how resilient you are. Companies must prove that the business process can sustain an impact from a cyber breach. Clients in manufacturing (67 percent vs. 59 percent in 2021) and construction (66 percent vs. 55 percent in 2021) industries reported the most significant improvement in critical controls connected to resilience. When examining differences across company size, mid-market and small to medium-sized enterprises reported an essential lack of business resilience controls more frequently than enterprise and global companies. However, this trend was reversed for endpoint security, where endpoint detection and response tools do not cover all of the technology endpoints of the enterprise and multinational companies. Alarmingly, over half of all client organizations reported a lack of tabletop exercises as part of business continuity planning, and more than one-third reported a lack of incident response planning.


Percentage of Lack of Critical IT Controls' for Given US Client Segment (red flags)


Percentage of Lack of Critical IT Controls' for Given EMEA and UK Client Segment (red flags)

References

1  “E&O and Cyber Market Review Q4 2022”. E&O and Cyber Market Review | 2022 (aon.com)

2  “Buyer-Friendly Cyber and E&O Markets: How to Take Advantage” Buyer-Friendly Cyber and E&O Market: How to Take Advantage | Aon

Trends by Line of Business – Q4 2022 Global Market Insights (aon.com)

4 “E&O and Cyber Market Review Q4 2022”. E&O and Cyber Market Review | 2022 (aon.com)

5  Manufacturing Cybersecurity. Palo Alto Networks. Report. 2023. https://www.paloaltonetworks.com/industry/unit42-manufacturing

6  Understanding Cyber Risk in the Construction Industry. IT Chronicles. Article. March 21, 2022.  https://itchronicles.com/information-security/understanding-cyber-risk-in-the-construction-industry/


Insurance products and services are offered by Aon Risk Insurance Services West, Inc., Aon Risk Services Central, Inc., Aon Risk Services Northeast, Inc., Aon Risk Services Southwest, Inc., and Aon Risk Services, Inc. of Florida, and their licensed affiliates.

The information contained herein and the statements expressed are of a general nature, not intended to address the circumstances of any particular individual or entity and provided for informational purposes only. The information does not replace the advice of legal counsel or a cyber insurance professional and should not be relied upon for any such purpose. Although we endeavor to provide accurate and timely information and use sources we consider reliable, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future.

Managing cyber across six featured risk themes.

This year’s report is a guide for leaders to benchmark their organization’s risk maturity against peer companies and to help make better decisions around managing cyber across six featured risk themes: cyber, operational, supply chain, insider, reputational, and systemic.