A Middle Market Roadmap for Cyber Resilience


Middle market organizations face unique challenges in the ever-changing cyber environment, requiring holistic insurance solutions and enhanced resilience readiness to manage risks that could impact profitability.

Key Takeaways
  1. Some middle market firms may not purchase cyber insurance coverage or invest in cyber security to the extent required to defend against evolving cyber risks.
  2. While middle market cyber insurance purchasing trends are shifting, further education on available risk transfer solutions and a well-rounded cyber readiness plan are necessary.
  3. Broking partners in the cyber risk landscape can help middle market organizations navigate the insurance marketplace to find competitive solutions.

Cyber attacks and data breaches continue to rank as the top global threat companies face today. The global CrowdStrike outage of July 2024 exemplified that threat: it put companies’ incident response plans to the test and demonstrated that even a non-malicious cyber incident can have serious repercussions.

Middle market organizations are particularly exposed in this evolving risk environment due to historical underinsurance trends and cyber readiness plans that are misaligned with company growth. By understanding and mitigating their exposure to cyber threats, these organizations can strengthen their cyber resilience and protect against the financial fallout of cyber incidents.

4 Myths Impacting the Middle Market’s Cyber Preparedness

Midsize organizations face a unique set of challenges that heighten cyber risk. As a company grows, so does the importance of understanding these risks to ensure a clear path to cyber resilience. Several persistent myths, however, can interfere with a firm’s cyber readiness journey:

Myth #1: Middle market firms are not targeted by bad actors to the same extent as large organizations.

Cyber events can affect every area of an organization, and they are industry- and size-agnostic. Regulatory bodies are also tightening cyber security requirements, which increases the exposure of middle market firms that are unprepared to comply. Moreover, middle market companies often handle significant amounts of valuable data, including personal customer information, financial records and intellectual property, making them a prime target for bad actors.

176%: Ransomware attacks spiked 176 percent in the first half of 2023, while the cost of a single enterprise data breach rose to a historic high of nearly $4.5 million. (Source: Aon’s Global Risk Management Survey)

Myth #2: Midsize firms don’t need to invest in cyber security.

This myth is losing ground as middle market companies focus more heavily on cyber security. Nonetheless, bad actors look for low-hanging fruit irrespective of company size: if a midsize firm leaves the door open, attackers will extract whatever they can from that organization. “Technology and cyber risks have evolved far more rapidly than middle market companies' ability to both handle their exposures and purchase insurance to transfer cyber risks,” explains Brent Rieth, Aon’s head of cyber solutions in North America.

Myth #3: Cyber policies are unaffordable and difficult to obtain for non-buyers.

While the hard market of a few years ago may have made this true for some companies, the current soft cyber insurance market is competitive even for first-time buyers who are still in the process of implementing security controls.

“The rising tide of cyber security maturity globally is lending itself to a more buyer-friendly market,” says David Molony, head of cyber solutions for EMEA. “In addition, the cyber insurance market is opening itself to become much more available to first-time buyers.”

Myth #4: Cyber coverage is included in other policies that middle market firms purchase.

Midsize organizations may mistakenly believe that they already have cyber coverage as part of their other insurance policies. However, traditional commercial insurance policies are generally not designed to explicitly address cyber-related losses. A policy that neither affirmatively grants nor excludes cyber coverage is termed “silent cyber,” and there is no guarantee that it will respond to a cyber loss.

By purchasing standalone cyber insurance coverage, middle market organizations can counteract the risk of insufficient cover in the face of increasing cyber threats.

The Cyber Risks Facing the Middle Market

Seventy percent of all organizations report they are prepared to navigate new exposures, but just 36 percent say they have adequate application security measures in place. In the middle market specifically, organizations typically retain more risk: many still do not purchase cyber insurance, and those that do often do not purchase the level of coverage or limits they need.

Middle market cyber resilience and insurance purchasing varies by region:

  • North America

    Cyber risk transfer has been more broadly accepted and intertwined into midsize companies’ insurance strategies. However, recent data shows that midsize clients’ control deficiencies in business resilience in North America were 10 percent higher than that of enterprise and global clients, demonstrating that there’s room for improvement.

    In Canada, just 5 percent of all businesses have cyber insurance [1], while in the U.S., 27 percent of midsize firms report not having cyber coverage. Additionally, just 47 percent of middle market companies in the U.S. believe they have adequate cyber insurance in place, and 52 percent acknowledge that they need or are considering coverage [3].

  • Europe, Middle East and Africa

    In response to rising risk and regulation, client cyber maturity in this region has moved from “basic” to “managed,” but organizations still underperformed in business resilience, according to the 2023 Cyber Resilience Report. Middle market firms in EMEA are also several years behind their U.S. counterparts in purchasing cyber insurance, largely because data privacy legislation has existed in the U.S. since the early 2000s, creating third-party liability exposures that organizations needed to cover.

    The General Data Protection Regulation is having a similar effect across Europe. Organizations are increasingly becoming aware of cyber security strategies and threat analytics. For instance, some organizations now require their suppliers either to put specified security controls in place or to accept limits of liability, which is producing greater consistency in cyber security across the board.

-8%: Average North America cyber premiums in the primary market decreased 8 percent in H1 2024. (Source: Building Resilience in a Buyer-Friendly Cyber and E&O Market)

How Middle Market Organizations Can Achieve Cyber Resilience

The pressure is on middle market firms not only to continuously block and tackle bad actors, patch vulnerable systems and understand the connection points across highly integrated technology stacks, but also to stay on top of the potential impact of emerging threats and regulatory changes.

As a result, security and technology teams in the middle market must constantly evaluate their preparedness for evolving threats and provide quantifiable evidence of the effectiveness of current controls to insurers and the marketplace.

Midsize companies can build sustained cyber resilience by managing the full cyber life cycle through the four points of assess, mitigate, transfer and recover:

  • Assess: Understand the organization’s security posture and its current level of cyber resilience. Use analytics to benchmark cyber security resilience against peers in the market and identify weak points to make better decisions on risk management and cyber insurance solutions.
  • Mitigate: Be proactive to help minimize the impact of cyber threats, using tools that can help defend against active threats, while also planning for incident response and rehearsing that response with attack simulations.
  • Transfer: Turn to risk transfer solutions and work with a partner that can provide access to improved insurability, pricing and scope of coverage. Organizations can better navigate the insurance-buying process by identifying control deficiencies and prioritizing improvements prior to approaching insurance carriers to minimize Q&A and be viewed as a more appealing risk to insurers.
  • Recover: When a cyber attack occurs, middle market firms need processes in place to respond effectively in real time. Investigate the causes of the incident and take concrete steps to become more resilient against future attacks.

To execute a cyber resilience strategy successfully, organizations should focus on access to risk transfer solutions backed by competitive pricing and broad coverage terms, strong client claims advocacy, proactive cyber security consulting, effective incident response planning and analytics-backed loss scenario modeling.


Middle market firms can put together a story about their cyber security journey and demonstrate to insurers that they are moving in the right direction.

Greg Sparacio
National Middle Market Leader, Cyber Solutions, Broking, U.S.

Case Study

Data-Driven Cyber Resilience: Empowering the Middle Market

A middle market financial services company in the U.S. wanted to strengthen its cyber resilience and access competitive cyber coverage in a challenging market.

Aon worked with the company to benchmark its cyber security capabilities against peers using the CyQu platform and to address gaps in its security practices so that it could approach carriers with confidence. Aon also ran adversary simulations to help the client understand how its controls would perform in a real-world attack and connected the firm with vendors that could help minimize the fallout from a cyber attack.

With Aon's help, the client stays informed on changing cyber insurance market dynamics and, in turn, gains access to appropriate coverage at competitive cost. Today, the CyQu tool helps the client work toward the top quartile among its industry peers in cyber security assessments. Aon has helped the organization secure a strong cyber policy and understand the changing marketplace.

The Future of Cyber Risk: Lessons Learned from the CrowdStrike Outage

The CrowdStrike outage underscored the degree of cyber risk facing middle market firms today and how insurance can transfer that exposure. Some organizations without cyber insurance may have assumed that the outage would not have been covered by a policy because it was caused by a third-party vendor’s software update rather than by an attack. However, this type of non-malicious system failure fits squarely within the four walls of a standard cyber insurance policy, and has for a long time.

Other learnings from the outage include:

  • Vulnerabilities in Technology

    The CrowdStrike outage, triggered by a faulty content update to a widely deployed endpoint security agent, showed that software updates, system failures and patching can have a significant impact on a business. It opened organizations’ eyes to the fact that they have critical single points of failure they were unaware of.

    “Leaders may have previously focused on establishing security controls around their mission-critical assets, but the outage demonstrated that it’s possible for a piece of code in a program housed in another system to cause material and unintended operational failure across the globe,” says Molony.

  • The Threat of Third-Party Risk

    The outage likewise highlighted the importance of understanding and mitigating third-party risk. “All companies realize that third-party risks exist, but maybe they haven’t necessarily realized the extent of this in their environment and what kind of impact the risks could have,” says Matt Chmel, Aon’s chief broking officer of cyber solutions in North America. “Even if those third parties have cyber security controls in place, the amount of access that is being given to these entities creates a business risk.”

  • The Need for Holistic Cyber Insurance

    The outage also demonstrated the benefits of a standalone cyber insurance policy tailored to middle market organizations. General liability or package policies may not cover business interruption losses stemming from this type of event. A standalone cyber policy built for a middle market buyer helps ensure that the firm has the appropriate coverage, specifically system failure business interruption, which covers unplanned outages that are not caused by a security breach.


We have seen underwriters start to ask questions around how organizations were affected by the CrowdStrike outage, so it will be interesting to see how the outage could affect the marketplace down the road.

Samantha Billy
Growth Leader, Cyber Solutions, North America

In light of the evolving cyber risk landscape, middle market organizations should partner with a broker that has a pulse on how cyber risks are evolving, one that brings (re)insurance expertise and can anticipate shifts in the retail cyber insurance market before incidents occur.


Aon’s Thought Leaders
  • Samantha Billy
    Growth Leader, Cyber Solutions, North America
  • Matthew Chmel
    Chief Broking Officer, Cyber Solutions, North America
  • Aileen Eaves
    Strategy & Execution Leader, Cyber Solutions, North America
  • David Molony
    Head of Cyber Solutions, Europe, Middle East and Africa
  • Brent Rieth
    Head of Cyber Solutions, North America
  • Greg Sparacio
    National Middle Market Leader, Cyber Solutions, Broking, U.S.
