Following a tradition started in 2004, when the federal government of the U.S. designated October as Cybersecurity Awareness Month, the Professional Service Practice of Aon is highlighting thought leadership and Aon solutions that will help professional service firms make better decisions about cyber risk.
Professional Services Overview
How it Started, How it’s Going
In January, Tom Ricketts, Professional Services Practice’s Cyber Leader, boldly made some predictions on the anticipated major cyber security challenges for professional service firms in 2023. Cyber October seemed like the ideal opportunity to review whether he was badly wrong or depressingly right.
Cyber Market Update
In September, Aon Reinsurance released U.S. Cyber Market Update - 2022 U.S. Cyber Insurance Profits and Performance, and the findings track with insurers’ experience in the professional service firm segment.
Cyber insurance premiums have risen over the last four years primarily due to an increase in cyber claims and the consequent impact on insurer loss ratios. There has also been corrective action in the form of a focus on price sustainability and increased underwriting scrutiny of insureds’ cybersecurity. These efforts have strengthened the overall market, as insurers offering cyber coverage moved back into profitability.
The following statistics and developments show the impact of the corrective steps taken:
- U.S. insurer loss ratios improved by 22 percentage points to 45% in 2022 after two consecutive years at 67%.
- U.S. domestic gross written premium rose by nearly 50% to $7.22 billion in 2022, following a 75% increase to $4.83 billion in 2021.
- New players have entered the market and existing insurers continue to maintain their books. The number of U.S. insurers writing cyber risk in 2022 was 213, against 184 in 2018. Early indicators point to increasing competition in 2023.
As threat actors actively targeted law, accounting, and consulting firms, there were significant premium increases, restrictive terms and conditions and pressure to increase self-insured retentions throughout 2021 and 2022. However, options are expanding for professional services firms as insurers’ perceptions have been improved by the strong controls that have been implemented in the sector.
Insurers appear confident that primary layer pricing sustainability has been achieved. Firms with clean loss histories and strong controls have incumbent insurers eager to retain positions, offering favorable renewal terms. The bulk of premium remains in the primary layer, but firms purchasing large towers of insurance have realized notable program savings due to an influx of excess insurers competing to write the business, benefiting pricing.
Nonetheless, insurers and brokers are paying close attention to the deteriorating threat environment, with record-setting increases in ransomware and software supply chain attacks. Although the ultimate effect on the market in 2024 is unknown, another correction is not out of the question.
Managing the Cyber Threat Environment
Aon’s Global Resilience Report
Aon’s 2023 Cyber Resilience Report is a guide that company leaders can use to help benchmark their organization’s risk maturity against peer companies and build their cyber resilience.
Aon Highlights “Scattered Spider”
Client Threat Advisory: Financially motivated criminal group uses advanced social engineering tactics and reconnaissance. A ransomware group most commonly referred to as “Scattered Spider” has been highlighted in the cyber security media as a troublesome threat actor.
“Bad Pennies” – Topics That Come Up Over and Over Again
The only constant in the cyber insurance environment is change. Nonetheless, there are topics that have been discussed for years. Two of the more significant are 1) social engineering fraud and whether it is insured under a cyber or a crime policy and 2) understanding and managing the risk associated with Personally Identifiable Information.
When is a Cyber Crime not a “Cyber-Crime”? Social Engineering Fraud (SEF) and Business Email Compromise (BEC)
Social engineering fraud (SEF), also often referred to as Business Email Compromise (BEC), is rapidly becoming a major risk, arguably overtaking ransomware. According to a November 2022 interview in Insurance Business America...
How Many Records Do We Have? Professional Service Firms and PII / PHI Records
Insurers are increasingly asking for Personally Identifiable Information (PII) and Personal Health Information (PHI) record counts as part of the underwriting process, and it is important for insureds to have made a good faith effort to identify the number of records and provide a reasoned and defensible estimate of the exposure.
Artificial Intelligence
Although Artificial Intelligence has been evolving for decades, discussion of the topic exploded with the release of ChatGPT and a number of other Generative Transformer applications in late 2022 and 2023. These opened a Pandora’s Box of risk issues for professional services firms. How, if at all, should these tools be used? Will they change fundamental business processes and impact risk? How will they be used by threat actors against firms?
Managing the Risks of ChatGPT and Other Generative AI Tools
In a May bulletin, Professional Services Practice’s Loss Prevention team discusses the risks of lawyers’ use of ChatGPT and other publicly available generative AI tools and provides a prototype law firm policy on the use of ChatGPT and similar generative AI platforms.
AI Fireside Chat and Panel Discussion - Aon Webinar
On May 31, 2023, Aon hosted a live webinar featuring United States Congressman Bill Foster, Physics PhD and immediate past chair of the House Financial Services Committee Task Force on AI. The webinar focused on use cases for artificial intelligence (AI), the potential risks and benefits of AI and the ways governments...
Contact
The Professional Services Practice at Aon values your feedback. To discuss any of the topics raised in this article, please contact Tom Ricketts or Parker Baddley.
Tom Ricketts
Managing Director
New York

Parker Baddley
Assistant Vice President and Associate Director
New York

The Cyber Solutions team at Aon can help you understand and quantify your cyber risks. Please contact Bryan Hurd.
Bryan Hurd
Managing Director, Aon Cyber - Stroz Friedberg
Seattle
Aon is not a law firm or accounting firm and does not provide legal, financial or tax advice. Any commentary provided is based solely on Aon’s experience as insurance practitioners. We recommend that you consult with your own legal, financial and/or insurance advisors on any commentary provided herein. All descriptions, summaries or highlights of coverage described herein are for general informational purposes only and do not amend, alter or modify the actual terms and conditions of any relevant policy. Coverage is governed only by the terms and conditions of such policy. Insurance coverage in any particular case will depend upon the type of policy in effect, the terms, conditions and exclusions in any such policy, and the facts of each unique situation. No representation is made that any specific insurance coverage would apply in the circumstances outlined herein. Please refer to the individual policy forms for specific coverage details.
The information contained in this document and the statements expressed are of a general nature and are not intended to address the circumstances of any particular individual or entity.
Aon does not warrant, represent or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the article or any part of it and can accept no liability for any loss incurred in any way whatsoever by any person who may rely on it.