Major cyber incidents at large corporations have resulted in a 9% average decrease in shareholder value in the year following the event. This was a key finding of the 2023 Cyber Resilience Report, published last week by global professional services firm Aon.
The report is intended to help business leaders benchmark their organisation’s cyber risk maturity against peers and make better decisions when managing cyber across six risk areas: cyber, operational, supply chain, insider, reputational and systemic.
Aon’s global report is based on proprietary client data collected from Aon’s Cyber Quotient Evaluation (CyQu), Aon’s Ransomware Supplemental Application and Aon’s Operational Technology Application. CyQu is a global eSubmission and risk assessment platform that helps organisations better manage cyber risk by providing visibility into cyber exposures and insurability drivers.
“Companies have experienced new forms of volatility over the last four years, experiencing a rise in the frequency and severity of cyber threats and ransomware events, followed by a cyber insurance market with rising premiums and retentions with significant underwriting scrutiny,” said Christian Hoffman, global cyber leader for Aon. “We observe that the C-suite increasingly sees that cyber events have the potential to impact all areas of their business. Achieving cyber resilience is a recurring theme in board room discussions and the threat is now being addressed from a holistic risk perspective.”
Additional highlights from the global report include:
- Cyber risk: Five domains – endpoint and systems security, remote work, application security, access control and data security – demonstrated the most improvement on changes to CyQu risk profiles, providing greater insight into an organisation’s most significant risks and control effectiveness.
- Operational risk: Ransomware events decreased 16 percent from Q3 2022 to Q4 2022, but data from the cyber and errors and omissions insurance marketplace show an uptick in Q1 2023.
- Insider risk: Two in five companies reported a lack of security operations centre controls, which highlights the need for improved cyber security measures to prevent phishing, the most common vector for initial network access.
- Systemic risk: Managing systemic risk is a high priority, stemming from the use of technology in an interconnected world. As cyber threats evolve, risk quantification models and scenario planning are being refined to accurately determine an organisation’s risk profile and inform the extent of cyber insurance coverage required.
Aon also published key insights by industry, including:
- Finance and insurance: Insurance claims are rising, with a 38 percent increase in ransomware claims from Q4 2022 to Q1 2023.
- Healthcare: The overall cyber risk score for healthcare clients improved from 2.6 to 2.8, on a scale of 1 to 4. In 2022, for enterprise and global clients in healthcare, the overall risk profile improved from “basic” to “managed” with more than 80 percent of the companies reporting scores of 2.5 or higher.
- Manufacturing: Aon’s CyQu data shows that the overall risk score improved from 2.2 to 2.5 – on a scale of 1 to 4 – in 2022 for mid-market clients in the manufacturing industry; however, 56 percent of the companies reported risk scores lower than 2.5 in 2022. The median percent of IT budget reportedly spent on security also rose globally, with companies reporting 8.5 percent of the IT budget dedicated to security.
Said Hoffman: “Achieving cyber and business resilience is a challenging endeavour for any organisation. Through Aon’s broking and consulting capabilities, we help organisations navigate volatility and minimise financial, operational and reputational risk more appropriately.”
Aon collected CyQu self-assessment scores from 2,946 client organisations in Asia Pacific, EMEA, Latin America, North America and the UK in 2020 and 2022. The study focused on six areas of risk – cyber, insider, operational, reputational, supply chain and systemic – in the finance and insurance, healthcare and manufacturing industries. Aon plans to release additional data and insights, including regional findings, later this year.
* View the 2023 Cyber Resilience Report here.