March 2025 / 5 Min Read

Aon and TheCityUK – Cyber Risk and Resilience Webinar Series 2025


Aon partnered with TheCityUK to deliver a series of three webinars covering cyber risk and resilience to TheCityUK’s financial institutions and professional services members. Bringing together senior leaders and practitioners from across the industry, these webinars considered the importance of cyber resilience for financial and economic stability, and what measures are needed to boost organisational resilience. In this article, we’ll explore the key points that were raised throughout these discussions.

What resilience gaps are we seeing?

Cyber-attacks are a growing threat for financial and related professional services, which are a primary target due to the vast amount of sensitive information and assets they handle. Currently, with over 600 million attacks globally every day (1), the scale and potential impact of these events has made cyber resilience a business priority. Cyber warfare is increasingly waged by hostile nation states through professional proxy groups that continue to grow in size and sophistication. Meanwhile, Generative AI (GenAI) has reduced the barrier of entry for cyber criminals, who can execute social engineering and ransomware attacks with greater volume and effectiveness. Fraudsters are testing the waters with GenAI, creating synthetic identities in an attempt to find loopholes in financial systems. Against this backdrop, organisations are collecting more information – including biometrics – to protect systems against threat actors.

The growing interconnectedness and digitalisation of supply chains has only amplified the potential for cyber risks, as each link in the financial chain presents a potential vulnerability that can be exploited. The CrowdStrike outage in 2024 demonstrated how exposure to major third-party technology providers could cause significant disruption, with a single bad update impacting companies across industries, geographies and revenue bands. Regulatory action, seen with the newly adopted Digital Operational Resilience Act (DORA) and the NIS2 Directive, has placed additional reporting requirements on financial institutions, moving from a focus on data privacy to greater resilience throughout the industry. As a result, financial and related professional services firms must do more to remain compliant, with failure on this front potentially resulting in hefty fines, legal action and reputational damage.

Quantum computing threatens to increase the future scale and severity of cyber-attacks, since most cryptographic methods in use today could be broken by a quantum computer. There is a risk that bad actors store data that is encrypted today with the intention of decrypting it later, once quantum computers become more viable. Quantum computers could also generate valid digital signatures without access to private keys. The advice of the National Cyber Security Centre and other state cybersecurity agencies is migration to post-quantum cryptography (PQC), built on asymmetric cryptographic algorithms based on mathematical problems that are believed to be secure against attack by both classical and quantum computers. Work on these algorithms has been ongoing for many years, culminating in their standardisation more recently.

PQC has primarily been a topic for cryptographers up to this point, but it will soon be an IT and operational technology (OT) issue as organisations prepare to migrate their technology. Technical system and risk owners of both enterprise and bespoke IT should begin or continue financial planning for updating their systems for PQC. As systems are updated in service or replaced as they come to the end of their supported lifecycle, new IT should either use PQC or be capable of being upgraded to support it.

The first activity in a well-planned migration is cryptographic discovery: understanding where the risks lie in legacy technology and supply chains, as well as what data is being protected across an organisation’s estate. This provides the basis for migration activities, which should prioritise high-value or long-lived sensitive data, and systems which will either take a long time to upgrade or will be deployed for a long period of time. As migration will be a costly, multi-year upgrade, buy-in from budget holders and system owners will be required to minimise the risks posed by quantum computing.
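The prioritisation rule above (quantum-vulnerable algorithm, long-lived data, slow-to-upgrade or long-deployed systems) can be applied mechanically to a cryptographic inventory. The following is an added example, not Aon’s or the NCSC’s tooling; the `Asset` fields, the `horizon_years` planning assumption and the sample inventory are all constructed for illustration.

```python
# Hypothetical triage of a cryptographic inventory for PQC migration planning.
# Scores each asset by the criteria in the text: is the algorithm breakable by
# a quantum computer, how long must the data stay confidential, and how long
# will the system take to upgrade or remain deployed.
from dataclasses import dataclass

# Public-key schemes resting on factoring or discrete logarithms are the ones a
# quantum computer would break; symmetric ciphers and hashes are not broken
# outright and are handled by reviewing key and output sizes instead.
QUANTUM_VULNERABLE = {"RSA", "ECDSA", "ECDH", "DH", "DSA"}
PQC_READY = {"ML-KEM", "ML-DSA", "SLH-DSA"}  # NIST-standardised PQC algorithms

@dataclass
class Asset:
    name: str
    algorithm: str
    data_lifetime_years: float   # how long the protected data stays sensitive
    upgrade_years: float         # time to migrate, or end-of-support horizon
    pqc_upgradable: bool         # can the system be upgraded in place?

def triage(asset: Asset, horizon_years: float) -> tuple:
    """Return (priority, reason). horizon_years is an assumed planning figure
    for when a cryptographically relevant quantum computer might exist."""
    if asset.algorithm in PQC_READY:
        return "none", "already using PQC"
    if asset.algorithm not in QUANTUM_VULNERABLE:
        return "low", "symmetric/hash primitive; review key and output sizes"
    # Data encrypted today stays exposed for as long as it is sensitive, plus
    # however long the system keeps using the old algorithm.
    exposure = asset.data_lifetime_years + asset.upgrade_years
    if exposure >= horizon_years:
        why = "data or system outlives the assumed quantum horizon"
        return ("critical" if not asset.pqc_upgradable else "high"), why
    return "medium", "quantum-vulnerable but migrates before the horizon"

def prioritise(assets, horizon_years=10.0):
    """Order the inventory so budget holders see the most urgent items first."""
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3, "none": 4}
    rows = [(a.name, *triage(a, horizon_years)) for a in assets]
    return sorted(rows, key=lambda r: (order[r[1]], r[0]))

# Constructed sample inventory; these are not real systems.
SAMPLE = [
    Asset("customer-records-archive", "RSA", 25, 3, False),
    Asset("tls-edge-gateway", "ECDH", 1, 1, True),
    Asset("payments-hsm-signing", "ECDSA", 7, 5, True),
    Asset("backup-encryption", "AES-256", 25, 1, True),
    Asset("pilot-vpn", "ML-KEM", 5, 1, True),
]

if __name__ == "__main__":
    for name, prio, why in prioritise(SAMPLE):
        print(f"{prio:8} {name:26} {why}")
```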

The importance of proactive cyber security cultures

Despite often being understood as a technological issue, lapses in cyber security are more frequently the result of people or organisational vulnerabilities. A strong cyber security culture with good cyber ‘hygiene’ practices is the antidote to this problem, being based on effective communication around cyber threats and understanding the ways in which employees can uphold cyber security throughout their work. To achieve this, it’s important that employees have a firm understanding of what ‘normal’ looks like on their systems and feel empowered to raise concerns around suspicious activity. Finding potential faults in a system should be viewed as a success, giving personnel the opportunity to fix vulnerabilities before they are exploited.

Buy-in from boards is a critical building block of proactive cyber security cultures, in turn emphasising the need for a collective understanding of where cyber security fits in the ‘big picture’ of the organisation. Chief Information Security Officers are increasingly integrating with the wider business to build the technology response into the overall view of business risks.

For global organisations, regulatory fragmentation is also a crucial factor when considering the effectiveness of a coordinated cyber policy. Internal misalignment in practices due to varying regulations at a local level complicates the implementation of a single cyber approach throughout an organisation, highlighting the value of a standardised reporting system for all geographies.

How should organisations respond to cyber-attacks?

Cyber-attacks can vary in complexity, but often follow five stages:


  1. Reconnaissance: gathering information about an organisation and its structure, scanning the network to find holes in the software.
  2. Initial compromise: breaking into an organisation’s systems using the information gained – often from phishing emails or vulnerabilities in software updates.
  3. Persistence: staying inside systems, including installing malware as a back door and stealing credentials to impersonate employees.
  4. Lateral movement: attackers explore the network, looking for valuable systems and information to ransom.
  5. Impact/exfiltration: attackers steal the valuable information or cripple systems ahead of the ransom.

Following a cyber-attack, the key response lies in disconnecting the affected system to prevent further spread. This is where a tried and tested incident response plan is necessary to limit the potential damage and return the system to normal function as fast as possible. For a quick recovery, it’s important that an incident response plan feels familiar at the point of an attack, unburdened by the cyber planning process. Organisations that have prioritised these measures by investing in monitoring tools, backups, tabletop exercises and testing of their incident response plans can limit the spread and effectiveness of attacks. After an attack has been detected, organisations must conduct a thorough forensic analysis to make sure that there are no lingering back doors into their systems, and must ensure that affected systems are not wiped, so that evidence of the attack and of the exploited vulnerabilities is preserved.

An equally important stage within an incident response plan is the way in which an organisation communicates the cyber-attack to affected third parties and customers. Typically, organisations that communicate clearly in a crisis see a much better response from customers, who have a growing appreciation for the difficulty in mitigating the impact of cyber-attacks. While organisations may not face the same level of blame and reputational damage they may once have done for suffering an attack, there’s now a greater expectation of honesty and clarity in the organisation’s response. After an attack has taken place, transparency is needed to rebuild trust with third parties and customers, as well as in the measures taken to improve an organisation’s cyber posture.

Aon’s Thought Leader for more information:

Chris Scott
UK Head of Cyber Solutions

(1) Microsoft Digital Defense Report: 600 million cyberattacks per day around the globe - CEE Multi-Country News Center