1. Cyber Attacks/Data Breach

Industry leaders call cyber attacks an epidemic.

In May 2021, the United States Congress summoned representatives of the country’s largest banks for a hearing to examine risks facing financial institutions.

At the time, the COVID-19 Delta variant was surging in many parts of the world. The threats of material scarcity, inflation, climate change and a possible extended economic contraction in the U.S. were looming large. However, much to the surprise of many observers, the CEOs of Citigroup, Goldman Sachs, Morgan Stanley and Wells Fargo singled out cyber attacks as the most serious threat to U.S. financial institutions and the system as a whole.

Their concerns are justified. While global financial institutions have higher levels of cyber maturity than most organizations, their sheer scale and geographic diversity have created challenges. Over the past decade, the sector has sustained many high-profile attacks. A special report by Cyber Talk reveals that financial services organizations experienced a 238 percent increase in cyber attacks in the first half of 2020. Nearly 75 percent of banks and insurance groups have witnessed a spike in cyber crimes since the start of the coronavirus (COVID-19) pandemic. Meanwhile, the U.S. Department of the Treasury claims that Evil Corp, a Russia-based cyber-criminal organization, has stolen nearly $100 million from banks and financial institutions in more than 40 countries.

In fact, hackers and criminals exploited the pandemic to target every business sector. The sheer number of cyber attacks on corporations broke all records in 2020. For example, ransomware attacks grew dramatically — up 400 percent from the first quarter of 2018 to the fourth quarter of 2020, according to Aon’s 2021 Cyber Security Risk Report.

Meanwhile, Aon’s Cyber Solutions saw an average of three new errors and omissions (E&O) and cyber matters per business day in 2020, up almost 100 percent from 2019. The majority of these matters were related to ransomware events. Cybersecurity firm SonicWall points out that ransomware attacks surged globally in the first half of 2021 to $304.7 million, surpassing 2020’s full-year total of $304.6 million.

Alarming statistics related to the frequency and severity of cyber attacks and dire warnings by business and political leaders have heightened awareness of this risk. In Aon’s 2021 Global Risk Management Survey, participants around the globe rated the risk of cyber attacks/data breach as the number one threat facing companies today.

This risk was listed at number six in Aon’s 2019 survey. At that time, participating businesses projected that it would be ranked third in the future. In 2015, only one industry — telecommunications and broadcasting — considered the risk of cyber attacks/data breach to be a top threat. Now, four more industries — finance, insurance, professional services and technology — perceive it as a top threat. Moreover, it is perceived as a top 10 risk by every surveyed sector — a massive statement on the heightened awareness of this risk.

Meanwhile, all job roles, including CFOs, CEOs and Chief People Officers, now rank the risk of cyber attacks/data breach in the top 10, even though none of them ranked it as high as risk managers did in 2019.

Regionally, businesses in North America have consistently regarded cyber attacks/data breach as a number one risk since 2019. Their risk perception is driven by the dramatic increase in the frequency and severity of high-profile cyber breaches and exorbitant ransom payments in North America. In 2020, the FBI's Internet Crime Complaint Center received 791,790 complaints for all types of internet crime — a record number — from the American public, with reported losses exceeding $4.1 billion. The dire situation prompted Yahoo Finance’s technology editor to proclaim in one of his columns, “Sorry, America. You have already been hacked!” U.S. Federal Reserve Chair Jerome Powell stated that he is more worried about cyber risk than another financial crash because “a cyber event” could have “a broad part” to play in the financial system coming to a halt.

Against this backdrop of increasing attacks, the risk of cyber attacks/data breach registered the highest level of risk readiness at 87 percent. In the “loss of income” category, it ranked third-lowest on the top 10 risk list at 18 percent in 2021. In comparison with other risks on the top 10 risk list, cyber has had the highest percentage of risk mitigation actions taken: 65 percent of participants say they have assessed cyber risk, 46 percent have quantified cyber risk, 68 percent have developed a cyber risk management plan, 45 percent have evaluated risk finance and transfer solutions, and 60 percent have developed continuity plans.

Then, why is cyber risk ranked number one when readiness levels are high and reported losses are low?

The high ranking could be attributed to the recognition of the central role that technology has played as an enabler both of business survival during the COVID-19 lockdowns of 2020 and of acceleration of economic activity during the reopening. However, this expanded dependency on technology has similarly expanded “attack surfaces,” presenting more potential security vulnerabilities to bad actors.

One illustrative example is remote work’s transition from an option to a necessity almost overnight. This forced companies to advance investment in and transformation into a “digital at scale” model by two to five years. The change in operating model and technology architecture was at times so rapid that vulnerabilities were overlooked or unintentionally created by companies less advanced in this transformational journey. Aon’s 2021 Cyber Security Risk Report underscores this, with only 40 percent of organizations reporting that they have adequate cyber-security controls to safeguard new remote-work strategies.

Another trend driving the rise in cyber’s ranking has been the evolution of the objectives and tactics of adversaries. For example, in the past, criminals attempted to steal sensitive data or money online. Now, they employ ransomware to extort, breach and erase data, and they directly target critical physical infrastructure. In May 2021, ransomware penetrated an American oil pipeline’s computerized equipment system, paralyzing its operations. However, Aon research shows that only 31 percent of organizations have adequate business resilience measures in place to deal with ransomware threats.

Bad actors are also exploiting the expansion of third-party technology vendors and digital supply chains. In what are known as watering-hole attacks, hackers insert malicious code into enterprise platforms to spread their attack to corporate clients, which can sometimes number in the thousands. However, despite such risks, only 21 percent of organizations surveyed by Aon’s 2021 Cyber Security Risk Report have baseline measures to oversee critical suppliers and vendors.

The cyber insurance market has been equally impacted by the rise in cyber attacks since the beginning of the pandemic. According to Aon’s Underwriting Survey Data of 2021, ransomware now accounts for the majority of insurer losses (more than 58 percent), with loss ratios increasing between 5 and 25 percent for all large cyber underwriters.

From Aon’s research monitoring the behavioral signals from the market, these insurer losses are triggering two major responses:

  • Increases in insurance premiums: Rates increased by more than 35 percent in Q1 2021, and continue to trend upward to as high as 40 to 50 percent in Q2 2021.
  • Reduced capacity: Fewer companies can now secure or renew cyber insurance policies. Carriers are now demanding a higher baseline in ransomware protection that includes proactive and reactive measures, including business continuity management and incident-response plans. If those conditions are not met, insurers are more likely to decline coverage.

Because cyber criminals and nation-states are constantly innovating and our dependency on digital technology is only increasing, companies must keep pace with cyber risk. Rich Nolan, managing director for cyber investigations at Citigroup, tells Aon that, in addition to increasing their cyber-security budgets, companies must embrace zero-trust architecture to deal with cyber risks. Zero trust is a security concept in which an organization does not trust anyone inside or outside its perimeters and verifies any request for connecting to its systems, even if the request appears to be coming from an employee.

According to Forbes, by 2025 an estimated 70 percent of the workforce will be working remotely at least five days a month. “As the pandemic catalyzed the rapid digital evolution of business models across all industries, there has been an acknowledgment that cyber risk will now be a persistent threat to the ‘new normal’ going forward,” says Adam Peckman, global practice leader for Cyber Risk Consulting. “With distributed supply chains, automation, remote working and e-commerce underpinning these new models, our risk mitigation and insurance market strategies to manage cyber risk will need to continue evolving to stay ahead.”


©2021 Aon plc. All rights reserved.