The Cyber Loop
A Model for Sustained Cyber Resilience
Uniting stakeholders irrespective of role to make better decisions on cyber risk.
The Cyber Loop
A Model for Sustained Cyber Resilience
Uniting stakeholders irrespective of role to make better decisions on cyber risk.
Download the paperThere is Nothing Linear About Cyber Security
Business and IT leaders are under increasing pressure to maximize return on security investment (ROSI) in an increasingly complex business and risk environment.
There is Nothing Linear About Cyber Security
Business and IT leaders are under increasing pressure to maximize return on security investment (ROSI) in an increasingly complex business and risk environment.
Aon’s Cyber Loop model acknowledges that each organization will start its journey from a different place: assess, mitigate, transfer, or recover. Once within the Loop, businesses become informed participants in managing risk, engaged in continuous review, improvement, and investment in security – guided by data.
Do you know the total cost of cyber risk to your organization?
Do you have access to data and financial modeling tools to measure your organization’s ROSI?
The Cyber Loop
A Model for Sustained Cyber Resilience
Assess
Quantifiable insight for better decisions.
Understand how security controls directly impact balance sheet exposure. Aon’s approach to assessment informs future decisions on the best strategies to manage cyber risk. By developing relevant quantified risk scenarios and assessing control effectiveness against these loss models, businesses can quickly decide how to best allocate budget to maximize resilience.
Questions to be answered
- Where is the business dependent on the accessibility and availability of technology, services, and data?
- Are we prepared for a cyber event? What are our key risks, and what drives this exposure?
- What is the potential financial impact of key cyber risks? How do we present the financial impacts to executives and the board to facilitate better governance and security investment?
- What is the maturity of our security and controls, and how does this align with the risk landscape and business need? How can we prove the effectiveness of current control implementation?
- Where do we go next in the Cyber Loop? Mitigate? Transfer?
- Where do we invest finite budget to get maximum return? How do we demonstrate return on security investment (ROSI)?
Recover
Mitigate
Build resilience and minimize impact.
Utilize targeted security controls and measurable industry standards to enhance security maturity, reduce exposure, and minimize financial impact from key cyber risks. Aon’s approach to mitigate bridges the gap between understanding the technical risk of an identified vulnerability and the related financial exposure so an organization can make risk informed decisions to implement changes, or fixes, and maximize ROSI.
Questions to be answered
- Are our current controls appropriate and proportionate to the cyber risk?
- Are our controls appropriate to securely enable the risk associated to our business vision?
- Do we have the right technologies, policies, and governance strategies in place?
- How will we reduce exposure in times of change, e.g., new business model, partner, or technology?
- Are we maximizing our existing investments into people, process, and technology?
- With only a finite budget, what risks do we mitigate? accept? transfer? What improvements can unlock additional value in the form of improvements to insurance premiums and coverage?
Transfer
Safeguard your balance sheet.
Harness meaningful, genuine risk transfer solutions to safeguard the balance sheet. Aon’s approach to transfer helps businesses identify and quantify maximum probable cyber losses to enable senior stakeholders to understand the magnitude of potential loss. Armed with this knowledge, businesses can make decisions around risk baring appetite and appropriate levels of risk transfer.
Questions to be answered
- How much risk are we willing to bear?
- Where do we invest security budget to get maximum balance sheet protection?
- How is the cyber insurance marketplace different from traditional PP&E? What do we need to know?
- What alternative transfer vehicles and capital solutions are available, e.g., captives, cells? What is accessible outside of our geographic region?
- Are we ready to approach the insurance marketplace? If no, what data needs to be collected?
- What data do we need in order to submit an insurance submission that will secure a cyber policy?
Recover
Drive operational and financial loss recovery.
Receive tailored expert response for the business in the wake of a cyber event. Aon’s approach to recover encompasses expert and rapid incident response yet extends further and understands the need to effectively quantify impact and manage third party and insurance claims. This ensures maximum possible recovery of cost and helps businesses get to a cashflow neutral position.
Questions to be answered
- Do we have an incident response and disaster recovery plan and in place?
- Which experts will we engage in the event of a breach, and are these experts approved by insurers?
- Do we have common protocols across incident response, crisis management, and business continuity?
- Do we understand the coverage operating across our policies that may respond to a cyber event?
- In the immediate crisis, who will advise on how to best protect our interests regarding the insurance claim?
- Who will present losses including the quantification of company-wide business interruption impact?
- Who will manage the claims process and drive the claim forward to achieve a successful loss recovery under the policy?
Eight Actions Your Organization Can Take Today To Reinforce Its Cyber Security Strategy
Review business continuity and disaster recovery (BCDR) plans to ensure they take account of, and regularly test for, cyber threats.
Assess vulnerabilities.This allows organizations to strategically budget and address critical areas.
Review governance, controls, roles, and responsibilities and develop protective safeguards to prevent ransomware attacks.
Quantify the financial loss associated with an incident, breach, or disruption.
Engage in breach simulations and tabletop exercises to test incident preparedness.
Check contractual protections and have all insurance policies reviewed to ensure the organization is covered for financial loss from a breach.
Proactively utilize threat intelligence to monitor for the tactics, techniques, and procedures (TTPs) of cyber attackers.
Never stop cycling through The Cyber Loop.
Businesses circle through Cyber Loop entry points — to achieve sustained resilience. Stakeholders come together to assess where they sit in the circular journey.
Better decisions around cyber risk are made.
Case In Point
Explore case examples by clicking on the Cyber Loop entry points below.
- Assess
- Mitigate
- Transfer
- Recover
Case In Point
Explore case examples by clicking on the Cyber Loop entry points below.
- Assess
- Mitigate
- Transfer
- Recover
Entry Point:
Assess
Policy renewal denied: How a setback marked the beginning of a Cyber Loop journey
An organization submits what it thinks to be a simple cyber insurance renewal application only to see it returned and stamped: Denied.
Why? Attack surface extended beyond the typical retail footprint into manufacturing involving operational activities (OT) and the influence of the digital economy.
- Enters Loop at assessment. After identifying critical needs, the retailer enters mitigation and then successfully transfers the risk and renews its policy.
- Not the end of the journey. Recognizes need for Cyber Impact Analysis to make sure current risk transfer reflects cyber exposures.
- Recommended improvements made, ROSI quantified. Enters transfer again.
- Assess
- Transfer
- Mitigate
- Transfer
Entry Point:
Mitigate
C-suite seeking assurance: Is our cyber risk strategy sound?
While a mitigation was in place, this organization was not confident it was keeping the attack surface as small as possible.
Why? The threat landscape is dynamic and risk of business interruption and financial loss is rising.
- Followed Kill Chain cyber security model to identify vulnerabilities and stop attacks.
- Working alongside internal team, built risk register and security testing program based on layers of control implementation.
- Evolved into multi-year Loop program featuring dynamic and ongoing mitigation and assessment.
- Mitigate
- Assess
- Mitigate
- Transfer
Entry Point:
Transfer
Too great a risk: Diverse technology estate raises red flag for traditional insurance market
An organization realized the potentially devastating cost of a significant cyber event. Concerned, the organization enquired into a traditional cyber insurance policy only to be: Denied.
Why? Mitigative controls did not demonstrate strong security posture.
- Collaborated to understand current posture and identify key market requirements.
- Became deeply rooted in technology estate and business, including future direction.
- Used scenario-based modelling to deploy tooling, develop processes, and reinforce posture.
- Cyber insurance policy submission written and issued.
- Transfer
- Mitigate
- Transfer
Entry Point:
Recover
Daybreak crisis: Ransomware attack swiftly ripples to impact financials and reputation
World-leading travel management company suffers a ransomware attack. Effects ripple across every element of the business, having ramifications on or from external parties including regulators, investors, and customers.
Why? Cyber events result in escalating costs and irreparable reputational damage long after the compromise occurs.
- CEO reaches out to help internal security team respond to, and fully recover from, the attack.
- Digital forensic and IR team help to restore systems, engage with attackers, and return business to normal operations.
- Organization then entered Cyber Loop with a program of cyber risk assessment and mitigation.
- Recover
- Assess
- Mitigate
It’s time to become an informed participant in managing risk.
To realize the promise of The Cyber Loop, it is critical that stakeholders – across the business – come together to assess where they sit in the circular cyber resilience journey. Harness the value of data to make better decisions.