
Aon  |  Professional Services Practice

Cyber October 2024 – Securing Our World

Release Date: October 2024

October’s Cyber Awareness Month is a time to consider the cyber landscape and how professional service firms can build resilience, plan and practice responses to attacks and make their contribution to securing our world.

As ransomware continues its relentless rise, the professional service sector remains one of the most targeted sectors.

Chainalysis, a firm that tracks payments to known ransomware actors on the blockchain, has reported that 2023 was the most profitable year for the extortionists, with record payments of $1.1b being made, 80% in payments over $1m.

In addition, a report from Comparitech, based on publicly available information, indicates that since 2018, 138 law firms have confirmed ransomware attacks impacting at least 2.9 million records.

This latter point is significant because theft of data not only increases the leverage of the extortion threat actors, but is also giving rise to increasing numbers of class action lawsuits from affected individuals. According to a report from Law.com, not only is 2024 “on pace to be the biggest year in the history of law firm data breach reports,” but “more than 40 data breach class actions are being filed per month in 2024.”

Ransomware and malicious cyber activity are a continuing and growing threat to professional service firms. In the worst-case scenario a cyber attack can be devastating to a firm and consequently to its clients. In the face of this, it is essential to invest in resilience to secure the firm and the data it holds, for the benefit of the firm, its employees and clients.

Resilience requires a multi-faceted strategy, and Cyber Awareness Month is an ideal time to review and evaluate measures to harden defenses and to better prepare for response in the face of a successful attack:


To Combat Cyber Risk, Businesses Invest in Resilience

Cyber security is a growing business concern, but many companies still need to improve their cyber resilience in key areas. Aon’s 2023 Cyber Resilience Report explores how global industries are protecting themselves against cyber threats.




Lessons Learned from the CrowdStrike Outage: 5 Strategies to Build Cyber Resilience

The global CrowdStrike IT outage demonstrated that even non-malicious cyber incidents may have serious repercussions. Events like these serve as a wake-up call for businesses to review their cyber resilience and be prepared for more significant incidents in the future.



An essential - or possibly THE essential - component of resilience is preparation. Dwight D. Eisenhower famously said, “In preparing for battle I have always found that plans are useless, but planning is indispensable.” In the context of cyber, the battle plan is the Incident Response Plan; the “planning” is running tabletop simulations to test the plan and to train the individuals responsible for implementing and adapting it in the event of a cyber incident (as Field Marshal Erwin Rommel observed, “no plan survives contact with the enemy”).

The IBM-Ponemon “Cost of a Data Breach Report 2023” found that not only was incident response planning and testing a top 3 cost mitigator, but also that organizations with high levels of these countermeasures in place incurred USD 1.49 million lower data breach costs compared to organizations with low levels or none and they resolved incidents 54 days faster.



Table Stakes: Planning a Tabletop Simulation

Tom Ricketts, Cyber Practice Leader of the Professional Services Practice at Aon, discusses how indispensable tabletop simulations are in allowing professional service firms to better prepare and respond to cyber-attacks.



No conversation on cyber resilience is complete without addressing the topic of cyber insurance and the question of how much limit is “enough.” Professional Liability insurers have started to show interest in the amount of cyber insurance being purchased by their clients, partly because of claims that engage both the cyber and professional liability policies and the increasing incidence of class action lawsuits arising from cyber breaches.



Pushing the Limits – How Much Cyber Insurance Do Professional Service Firms Need?

The only thing worse than being hit by a cyber-attack is finding that your cyber program limits are insufficient to pay the full amount of the loss. Cyber insurance is no longer cheap and nobody wants to pay for insurance limits that may never be used.



One of the key metrics that insurers use to measure exposure to regulatory expense (such as notification costs) also affects exposure to class action lawsuits. It is the metric quantifying PII and PHI as an amount that the insured “holds” in their systems:



How Many Records Do We Have? Professional Service Firms and PII / PHI Records

Insurers are increasingly asking for Personally Identifiable Information (PII) and Personal Health Information (PHI) record counts as part of the underwriting process and it is important for insureds to have made a good faith effort to identify the number of records and provide a reasoned and defensible estimate of the exposure.







Tom Ricketts

Contact


The Professional Services Practice at Aon values your feedback. To discuss any of the topics raised in this article, please contact Tom Ricketts or Parker Baddley.

Tom Ricketts
Managing Director
New York

Parker Baddley
Assistant Vice President and Associate Director
New York







About Aon

Aon (NYSE: AON) exists to shape decisions for the better — to protect and enrich the lives of people around the world. Through actionable analytic insight, globally integrated Risk Capital and Human Capital expertise, and locally relevant solutions, our colleagues provide clients in over 120 countries with the clarity and confidence to make better risk and people decisions that help protect and grow their businesses.


©2024 Aon plc. All rights reserved.

Aon is not a law firm or accounting firm and does not provide legal, financial or tax advice. Any commentary provided is based solely on Aon’s experience as insurance practitioners. We recommend that you consult with your own legal, financial and/or insurance advisors on any commentary provided herein. All descriptions, summaries or highlights of coverage described herein are for general informational purposes only and do not amend, alter or modify the actual terms and conditions of any relevant policy. Coverage is governed only by the terms and conditions of such policy. Insurance coverage in any particular case will depend upon the type of policy in effect, the terms, conditions and exclusions in any such policy, and the facts of each unique situation. No representation is made that any specific insurance coverage would apply in the circumstances outlined herein. Please refer to the individual policy forms for specific coverage details.

The information contained in this document and the statements expressed are of a general nature and are not intended to address the circumstances of any particular individual or entity.

This document is not intended to address any specific situation or to provide legal, regulatory, financial, or other advice. While care has been taken in the production of this document, Aon does not warrant, represent or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the document or any part of it and can accept no liability for any loss incurred in any way by any person who may rely on it. Any recipient shall be responsible for the use to which it puts this document. This document has been compiled using information available to us up to its date of publication and is subject to any qualifications made in the document.

Insurance products and services offered by Aon Risk Insurance Services West, Inc., Aon Risk Services Central, Inc., Aon Risk Services Northeast, Inc., Aon Risk Services Southwest, Inc., and Aon Risk Services, Inc. of Florida and their licensed affiliates.