Presented by Aon

Ransomware attacks continue to make headlines, impacting companies across all segments and industries. Despite the highly public nature of ransomware and recent attacks, Aon’s 2021 Cyber Security Risk Report found that only 31% of organizations report having adequate business resilience measures in place. Most companies are also failing to address other key risks, with only 21% of organizations reporting adequate third-party management measures to oversee critical suppliers and vendors, and only 40% of organizations reporting adequate remote work strategies.

Beyond the data privacy, reputational and business interruption risks posed by ransomware events, organizations are also facing systemic threats, including third-party technology risk. The frequency and severity of ransomware, coupled with emerging threats, are dictating a challenging cyber insurance market. Insurers are experiencing mounting losses, with ransomware frequency increasing 486% dating back to 2018¹. In response to these trends, insurers are seeking premium increases of greater than 30% on average, based on Aon’s Quarterly Pricing data. In addition, the market is seeing a constriction in capacity, retention increases and tightening of policy terms and conditions. Ultimately, insurers are advocating for security posture improvement across their portfolio to help halt the current trend.

To help determine if their clients have instituted adequate security controls, many insurers have begun instituting supplemental ransomware applications. Aon has collaborated with insurance carriers to help align the supplemental questions to known ransomware attack vectors encountered in our digital forensic and incident response work. An answer to a supplemental question that an insurer might view as unfavorable may have a formulaically adverse impact on a client’s premium, limit and terms and conditions.

This represents enhanced underwriting discipline and calls for a new level of stakeholder alignment within an organization. The alignment starts with a top-down approach from the board of directors and C-suite recognizing Cyber as an enterprise risk and positioning the importance of Cyber maturity across the company. As an insurance placement can be directly impacted by the organization’s security strategy and priorities, the security team, including the Chief Information Security Officer (CISO), should be directly involved with the insurance process in collaboration with risk management. Additionally, if the organization were to have an unfavorable insurance outcome due to its responses, security leadership may even need to adjust their priorities to avoid the loss of balance sheet protection.

This required level of communication, collaboration, and interdependency between executive leadership, risk management, security and even operations, legal and finance is unprecedented. There is no one stakeholder for Cyber anymore – every executive, people leader and colleague is responsible for managing and addressing the organization’s Cyber risk.

¹ Source: Risk Based Security, analysis by Aon. Data as of 01/05/2021; ransomware payment per Coveware Ransomware Report as of 11/14/2020.

Christian Hoffman serves as CEO of Aon’s Cyber Solutions North America, with over 20 years of experience helping clients manage their most significant risks. Christian leads Aon’s North American capabilities under one organizational structure delivering a holistic Cyber approach to clients around assessment, maturity, quantification, risk transfer and incident response.

Cyber risk runs deep. Is your organization making informed decisions around its cyber budget? Aon’s 2021 Cyber Security Risk Report helps answer this question.