News from Aon Canada
Aon’s Cyber Solutions Releases 2019 Cyber Security Risk Report: “What’s Now and What’s Next”
Eight risk areas underscore how the shift to digital is bringing great opportunity and more risk
TORONTO (February 13, 2019) – Aon plc (NYSE:AON), the leading global professional services firm providing a broad range of risk, retirement and health solutions, released its 2019 Cyber Security Risk Report today. The report details the greatest cyber security threats and challenges organizations are currently facing, and explains that as companies continue to use technology to speed up the transfer of information, they create game-changing business opportunities as well as increased cyber risk.
“In 2018 we witnessed that a proactive approach to cyber preparation and planning paid off for the companies that invested in it, and in 2019, we anticipate the need for advanced planning will only further accelerate,” said J. Hogg, CEO of Cyber Solutions at Aon. “Leaders must work to better insulate their companies and their processes, while simultaneously identifying the ways they can benefit from the opportunities offered through technology and digital transformation.”
Hogg continued: “Our 2019 report also shows that organizations must recognize the need to share threat intelligence across not only their own network but with others as well. While it may seem counterintuitive when thinking about cyber security, collaboration within and across enterprises and industries can keep private data of companies and individuals alike safer. Working together can result in improved efforts to hunt bad actors, while also raising the bar and making all parties more prepared for the inevitable day when a disruption does happen.”
The “What’s Now and What’s Next” report focuses on eight specific risk areas that companies may face in 2019. The risks illustrate how, as organizations transition to a digital-first approach across all transactions, the attack surface of global business expands rapidly and sometimes in unexpected ways. In other words, thanks to the rapid enhancements and constant changes in technology, the number of touch points that cyber criminals can access within a business is growing exponentially.
The cyber risks in Canada
In Canada, business leaders are concerned about the same cyber risks outlined in the report. More specifically, organizations are struggling with how to prevent supply chain losses as a result of a cyber event such as NotPetya. The demand for viable and creative insurance solutions that mitigate the losses sustained by supply chain participants when one organization in such a chain is crippled due to a cyber intrusion has never been higher.
Although Canadian corporate boards and executives have not generally been held directly to account for failures in cyber governance like their American cousins, it is only a matter of time before that trend reverses. Organizations of all sizes and types continue to focus on educating and training their employees about cyber risk and implementing proper protocols and procedures to meet new and more far-reaching regulatory requirements such as mandatory breach notification provisions and the EU’s General Data Protection Regulation.
“I think we have reached a tipping point in Canada with respect to organizational cyber risk,” said Brian Rosenbaum, National Cyber Leader at Aon in Canada. “Most organizations finally realize they have some degree of exposure and know they must do something about it. For the better part of the last decade, a large number of Canadian organizations were either ignorant or in denial about their cyber risks. So we have no doubt seen progress. That said, many still have a way to go before they reach a level of cyber maturity to properly deal with that exposure and that is now the new challenge.”
Highlights from the report include:
- Technology – While technology has revolutionized the way organizations today conduct business, broader and wider-spread use of technology also brings vulnerabilities. From publishing to automotive, industries are facing new, evolving services and business models. These new opportunities, however, bring with them a radically different set of risks, which organizations will need to anticipate and manage as they continue the digital transformation process.
- Supply Chain – Two prevailing supply chain trends will heighten cyber risks dramatically in the coming year: one is the rapid expansion of operational data exposed to cyber adversaries, from mobile and edge devices like the Internet of Things (IoT); and the other trend is companies’ growing reliance on third-party—and even fourth-party—vendors and service providers. Both trends present attackers with new openings into supply chains, and require board-level, forward-looking risk management in order to sustain reliable and viable business operations.
- IoT – IoT devices are everywhere, and every device in a workplace now presents a potential security risk. Many companies don’t securely manage or even inventory all IoT devices that touch their business, which is already resulting in breaches. As time goes on, the number of IoT endpoints will increase dramatically, facilitated by the current worldwide rollouts of cellular IoT and the forthcoming transition to 5G. Implementing effective organizational inventory and monitoring processes will be critical for companies in the coming year and beyond.
- Business Operations – Connectivity to the Internet improves operational tasks dramatically, but increased connectivity also leads to new security vulnerabilities. The attack surface expands greatly as connectivity increases, making it easier for attackers to move laterally across an entire network. Further, operational shortcuts or ineffective backup processes can make the impact of an attack on business operations even more significant. Organizations need to be better aware of, and prepared for, the cyber impact of increased connectivity.
- Employees – Employees remain one of the most common causes of breaches. Yet employees likely do not even realize the true threat they pose to an entire organization’s cyber security. As technology continues to impact every job function, from the CEO to the entry-level intern, it is imperative for organizations to establish a comprehensive approach to mitigate insider risks, including strong data governance, communicating cyber security policies throughout the organization, and implementing effective access and data-protection controls.
- Mergers & Acquisitions (M&A) – Projections anticipate that M&A deal value will top $4 trillion in 2018, which would be the highest in four years. The conundrum this poses to companies acquiring other businesses is that while they may have a flawless approach to cyber security enterprise risk, there is no guarantee that their M&A target has the same approach in place. Dealmakers must weave specific cyber security strategies into their larger M&A plans if they want to ensure seamless transitions in the future.
- Regulatory – Increased regulation, laws, rules and standards related to cyber are designed to protect and insulate businesses and their customers. The pace of cyber regulation enforcement increased in 2018, setting the stage for heightened compliance risk in 2019. Regulation and compliance, however, cannot become the sole focus. Firms must balance both new regulations and evolving cyber threats, which will require vigilance on all sides.
- Board of Directors – Cyber security oversight continues to be a point of emphasis for board directors and officers, but expanding personal risk in recent years has raised the stakes. Boards must continue to expand their focus and set a strong tone across the company, not only for actions taken after a cyber incident, but also for proactive preparation and planning.
Learn more about the risks included in Aon’s 2019 Cyber Security Risk Report.
 IMAA Institute’s M&A Statistics
For further information please contact the Aon media team: Alexandre Daudelin, +1.514.982.4910.