As cyber ransomware attacks soar (they increased 485 percent in 2020), only 31 percent of organizations report having adequate business resilience measures in place to deal with ransomware threats, according to Aon data. No segment or industry is immune from these attacks, which makes the work of navigating and mitigating cyber risk more important than ever. Cyber insurance products have become a key component of insurance portfolios, growing to a $7 billion global industry and taking the need for Aon’s expertise to critical levels.
In this episode of “On Aon,” Joey Raheb, Senior Vice President of Health Solutions & Large Market Sales Leader, is joined by Christian Hoffman, CEO of Aon's Cyber Solutions, North America, for a conversation about the evolution of cyber risk over the past 20 years. They discuss what organizations need to be focusing on today and unpack the findings from Aon’s recently released 2021 Cyber Security Risk Report.
Additional Resources:
Aon’s Cyber Solutions
Aon’s 2021 Cyber Security Risk Report
CyQu: Cyber Quotient Evaluation from Aon
The Insurer: Combatting cybercrime requires consequences, capital and collaboration – contributed editorial from Aon’s Catherine Mulligan and James Trainor
Mulligan and Trainor also dove in deeper in a video interview with The Insurer
Tweetables:
“The cyber insurance product is now such a key component of our clients’ insurance portfolios.” — Christian Hoffman
“All departments need to be connected and collaborating around the topic of cyber security.” — Christian Hoffman
“There is still tremendous work and enhancement and maturity for organizations in the cyber security space.” — Christian Hoffman
“Taking a holistic approach and aligning stakeholders ultimately will provide the best results for organizations.” — Christian Hoffman
Voiceover:
Welcome to “On Aon,” a podcast featuring conversations between colleagues on, well, Aon. This week, we hear from Christian Hoffman about the evolution of cyber risk over the past 20 years. And now, this week’s host, Joey Raheb.
Joey Raheb:
Hello, everyone. My name is Joey Raheb and I've been a colleague at Aon for approximately eight years. Currently serving as senior vice president health solutions and sales leader in Canada. With me today is Christian Hoffman, who has been at Aon since 2003, and currently serves as our CEO cyber solutions North America. The team also recently released the 2021 cybersecurity report. I'm excited to dig into the findings with you, Christian. Thanks for being here today. Before we get started, I'm curious, what brought you into the field of cyber risk?
Christian Hoffman:
Thanks, Joey. I'm excited to talk all things cyber with you today. My background's not in cyber. I started at Aon back in 2003 within our financial services group, focused on directors and officers liability insurance. Then in 2013, 2014, we started to see some significant data breach activity, namely with some large retail organizations.
Christian Hoffman:
Based on that and based on these large events and the increased frequency of cyber events, the topic started to get kicked around the boardroom in the C-suite and my clients from a directors and officers liability perspective were thinking about it and talking about it. Fast forward to 2015, we had an opportunity within our group to lead the cyber brokerage team. After thinking through the opportunity, talking with colleagues and gaining support from colleagues, I decided to turn my focus to cyber, and jumped in and led the team in the US. Cyber appealed to me because it was this merging and evolving issue. Clients were talking about it at a high level, and it was really becoming an enterprise risk that needed to be addressed, again, by board of directors and C-suite. Similar to today, like we're talking about ESG, like we're talking about inclusion and diversity, at that time, it was really making its way into the boardroom as this topic. It was exciting, back in 2015, to be a part of it.
Christian Hoffman:
Then we continued to evolve the Aon platform. In 2016, we bought an organization, Stroz Friedberg, which was a proactive and reactive cybersecurity firm. In 2018, we put our consulting and brokerage capability under one roof, that being cyber solutions. Now we've been operating as one brokerage and consulting group since 2018. My first role within the broader group was as president. We didn't go to market strategy, and sales and brokerage and a number of other components of our business. Then I was lucky enough in June of 2020 to become CEO of Cyber Solutions here at Aon in North America.
Joey Raheb:
That's really interesting. I mean, you seem to be big in the right trend curve in cyber risk. I mean, it just sounds like it's just such a constantly evolving need and risk. I mean, tell me, what's changed in cyber risk in the last 15, 20 years?
Christian Hoffman:
20 years is an interesting line. Stroz Friedberg, interestingly, the company we acquired was founded 20 plus years ago. We actually placed our first cyber insurance policy and program 20 years ago. Then clearly, it's evolved significantly since then. Technology and digital evolution has been a large part of that. Companies investing in technology and digital to drive efficiency, drive insights, and clearly stay competitive in their market. When I think about the cyber landscape aligned with the technology component, I think back, again, as I talked about earlier to that 2013, 2014 timeframe, when we really saw data breach really come into a more frequent mode and especially in retail, and healthcare and financial institutions that were interestingly, the early adopters of the insurance product.
Christian Hoffman:
Fast forward today from those big data breaches and the topic clearly on ransomware, and organizations that are being hit with ransomware and interrupted by ransomware, and being forced by bad actors to pay ransoms to get their systems back up and running. We've seen the proliferation and frequency of that basically increase 500% over the last two to three years. Those ransom payments from the early days of 17,000, obviously paid in digital currency, but $17,000, and we're seeing them in the 10 plus million dollar range today. No segment or industry is immune, so that's the challenge today is ransomware.
Christian Hoffman:
Then thinking about the evolution and the maturity of the cyber insurance product, that has been a big change. It's now such a key component of our clients' insurance portfolios and has grown based on statistics out there, to a $7 billion premium global industry. Again, a lot has changed. One of the biggest changes, there was obviously this boardroom and C-suite focus, that has continued to evolve. Cyber, it typically sits at a top five enterprise risk. The other key piece that where we've seen evolution is the need for stakeholder alignment. It's not just security or IT's issue within the organization. There needs to be alignment to risk management. Legal is involved, HR, finance, operations, all need to be connected and collaborating around the topic of cyber, and aligned to ultimately have the right technology and tools in place, appropriately transfer the risks, inform and train colleagues, strategize, plan and simulate around incident response. All stakeholders are required and that's definitely evolved over the last number of years.
Joey Raheb:
It's interesting to hear what's happened in the last 20 or so years. How about when we think about the last 18 months? I mean, the pandemic has obviously shifted businesses significantly to remote environments. People relying on third-party partners, technology tools. What's that done to the cyber risk landscape?
Christian Hoffman:
The pandemic definitely created significant change, moving to the remote work environment. In those early days in March, in April of the pandemic, that initial focus was on technology. How do we get colleagues up and running, and operational from the home as opposed to the office? In many cases, security took a bit of a backseat. No longer were organizations working in that controlled office environment. It was very distributed across the US, across the globe on where individuals were working. From a security perspective, interestingly, our proactive business, our advisory and testing business saw some decline. We saw it firsthand where security took that backseat. Now, ultimately, things corrected themselves and the focus on security returned, but in that time we saw the ransomware challenge continue to gain momentum, some of it be fueled by the remote work environment.
Christian Hoffman:
Then interestingly, as we fast forward into the latter half of 2020, we started to see these challenges as relates to third party technology vendors. In December, we saw the SolarWinds event, which impacted 18,000 organizations in the public private sector. We've seen a number of these systemic events in 2021, with just a couple of weeks ago, the Kaseya event. These complexities that continue to arise, remote work environment, technology, evolution, ransomware, third-party technology events, continue to create challenges for organizations in our client base.
Joey Raheb:
Yeah, it's interesting. I mean, so I'm sure a lot of this is going to be mentioned as we get into it, but let's shift gears into the 2021 Cybersecurity Risk Report. Can you tell us some of the key findings from the report?
Christian Hoffman:
Sure. The one major finding in all the data is that there's still tremendous work, and enhancement and maturity for organizations in the cybersecurity space. We focused on four key areas, digital evolution, which we talked a little bit about. Ransomware, which we've talked about and then regulation and third-party risk. Some of the data points that jump out to me when I think about digital evolution, 40% of companies report having adequate remote work strategies. Only 40% of the thousand companies that were in the dataset. A lot of work to be done still on the remote work side and it just probably continues to proliferate across different platforms, and as companies evolve digitally.
Christian Hoffman:
On the ransomware side, 31% of organizations in the group have adequate business resilience measures. On regulation, only 30% of organizations report having adequate risk management in place to address changing data privacy and cybersecurity regulations. You think about the change and transformation of regulation, you go back obviously in the US, it's state-by-state regulation. That's evolving with changes in California and other states. You obviously had, in Europe, the GDPR data protection regulation that was put into place four or so years ago. A lot's happening in that space and clearly, there needs to be a change and organizations need to adapt. Then on the third-party risk, we talked about some of the big events that started in December, but 21% of organizations report having baseline measures in place to oversee critical suppliers and vendors. That can be technology vendors or other supply chain vendors. There definitely needs to be an increased focus on how organizations are working with their critical suppliers, their vendors from a security perspective. Again, a lot of work still to be done by organizations to enhance their security on these multiple fronts.
Joey Raheb:
Those are interesting statistics, Christian. I mean, low, in my opinion. If you were to hazard a guess, what would you think is preventing organizations from moving on some of these items?
Christian Hoffman:
I think there are a couple of things. One, just the complexity of the risk. It is evolving so quickly, which adds to that complexity and new things continue to arise, whether it's new threat actors, the third-party technology vendor challenges, I mentioned. Things constantly arise and organizations need to adapt, so one is complexity. Two, is that stakeholder alignment, position I noted earlier. A lot of organizations are moving in that direction, but there needs to be continued transformation of that board level C-suite top down approach and getting stakeholders aligned across the organization to really bring that holistic view of cyber, as I said, through security technology and tools, risk transfer, response planning, and simulating. Then it's costly, right? I mean, security is costly, whether from a technology and tools perspective, or a people perspective where ultimately in the cybersecurity arena, there's a war on talent.
Christian Hoffman:
There are basic controls that can be put in place, let's say to defend against ransomware, multifactor authentication, endpoint detection and response. Companies can perform phishing exercises and train and inform the colleague base who are, unfortunately, in many times, a weak link in the security of an organization. On that same front, that's what needs to be in place for organizations to defend themselves, and also important components to how an insurance underwriter looks at the risk of an organization and specifically around ransomware. Again, complexity costs, stakeholder alignment, all need to continue to change and evolve.
Joey Raheb:
Christian, you hit on a handful of things that organizations could or should be doing. Is there anything else that you'd like to highlight for organizations to think about as they're looking to address those risks?
Christian Hoffman:
Yeah, I think it's ultimately taking that holistic approach and it's why we're excited about our platform of proactive consulting around assessment, and mitigation and testing vulnerabilities, being able to transfer the risk in the insurance marketplace, helping clients prepare for and ultimately be able to respond to events with the deployment of our digital forensics and incident response team. We want to help clients think about it holistically and think about how to navigate this enterprise risk, again, from an extremely proactive perspective, and then if they ultimately make the decision to transfer the risk into the marketplace and ultimately respond, but taking that holistic approach and aligning stakeholders ultimately will provide the best results for organizations.
Joey Raheb:
That's great. That was very informative and I learned a lot about cyber risk. Let's shift gears to something more personal. If we had to ask you what gets you up in the morning? What keeps you energized? What keeps Christian going?
Christian Hoffman:
Cyber keeps me going. It keeps me busy, but outside of that, what keeps me energized outside of the daily business craziness that we're involved in? My family, ultimately, my wife, my three daughters who are ages 13, 12, and 11. Spending time with them, a big piece of that. My girls are very much involved in sports. It's summertime. They all sail, which is exciting, but lacrosse, soccer, swimming, softball, fencing, you name it. Each season is filled with sports. Then my wife and I get some time away to do some of that ourselves, and enjoy golf and tennis and spending time with friends. That all keeps me busy alongside work, but keeps me energized and inspired, and keeps me going day in and day out.
Joey Raheb:
That's awesome. It sounds like you have a little mini Olympics going on at your house. That's great.
Voiceover:
This has been a conversation “On Aon” and our work helping firms navigate and mitigate cyber risks. Thank you for listening. If you enjoyed this week’s episode, tune in in two weeks for a discussion with Aon's Head of Catastrophe Insight - often referred to as our Chief Meteorologist. To learn more about Aon, its colleagues, solutions and news, check out our show notes, and visit our website at Aon dot com.
Joey Raheb:
I'd be remiss if I didn't ask this. I know this is your first podcast and I'm obviously a seasoned veteran being my second. If you had to choose between Conan O'Brien and Joey Raheb, who would you pick as your favorite podcast host?
Christian Hoffman:
It's all about you, Joey. It's been great. A ton of fun.
Joey Raheb:
Thanks. I figured that.