In this episode of On Aon, our cyber experts explore the escalating scale and complexity of cyber threats, from AI-driven attacks to systemic third-party risks. Hosted by Nancy Eaves, product leader for Cyber Solutions, and featuring insights from Brent Rieth, global cyber leader, and David Molony, EMEA head of cyber solutions, the conversation explores the evolving regulatory landscape, the strategic use of cyber insurance and the critical role of executive engagement in managing cyber risk.
Key moments:
(0:55) The increase in frequency of reported cyber incidents, including AI-driven threats, ransomware and cloud and identity-based intrusions.
(3:50) The reputational impact of cyber incidents on organizations.
(13:30) The factors contributing to the buyer-friendly market for cyber insurance.
Soundbites:
David Molony: “Ultimately, we are seeing threat actors leveraging generative AI to create highly personalized phishing campaigns and deepfake content, making social engineering more effective.”
Brent Rieth: “I'd add it's important to continue to drive a holistic approach to navigating cyber risk. It's incredibly complex. It can't be managed in isolation by any individual stakeholder.”
Intro:
Hello and welcome to this episode of On Aon, where we dive into some of the most pressing Risk Capital and Human Capital issues businesses around the world are facing. Today, we're looking at the findings of the Aon Global Cyber Risk Report which highlights the growing financial and reputational stakes of cyber risk. Here to discuss the report and the lessons businesses can learn from it is our host for this episode, Nancy Eaves, product leader for Cyber solutions, and she’s joined by Brent Rieth, global cyber leader at Aon, and David Molony, Aon’s EMEA Head of Cyber Solutions.
Nancy
Hello everyone, my name is Nancy Eaves and I'm the product leader for Cyber Solutions. In today's episode, we're talking about the new Cyber Risk Report. I'm joined by two of my colleagues, Brent Rieth, Global Cyber Leader, and David Molony, Head of Cyber Solutions at EMEA.
In our discussion, we're going to cover the increase in cyber incidents, security controls, cyber insurance and action steps for leaders.
So let's get started. In recent years, we've seen an increase in frequency of reported cyber incidents. Can you elaborate on the factors driving this trend and how organizations are adapting to manage these growing threats? Let's start with David.
David
Thanks, Nancy. Great to be with you. And we'll just categorize this in a few areas and we can circle back if I've left anything out. I think the first and probably most obvious area I just want to touch on is around AI-driven threats. So ultimately, we are seeing threat actors leveraging generative AI to create highly personalized phishing campaigns and deepfake content, making social engineering more effective. But at the same time, what AI is allowing threat actors to do really is to attack at scale.
And that's manifesting itself in a number of ways, but notably in the deploying of ransomware as a service. So effectively the commoditization of this product has lowered the barrier to entry for many cyber criminals, leading to a proliferation of cyber attacks.
I think I also just want to touch on things like cloud and identity-based intrusions. As organizations migrate to the cloud, attackers are exploiting misconfigurations and weak identity controls. Again, nothing new, but we're just seeing it now at scale. And it's a greater challenge given the fact that companies are looking to consolidate many of their platforms in a single area.
I think lastly, I just want to touch on geopolitical tensions in particular. We have known for many years that nation states back bad actors in this space and we have seen intensification around espionage and sabotage. So again, not new, but we're seeing it at greater scale.
I think just in order to probably adapt to some of these challenges that are being faced in the modern day, we have seen significantly greater proactive resilience planning than before. Ultimately, even if I look at anecdotally where we are now in an environment as against five years ago, the cyber security global water mark is significantly higher than it was before. And a lot of that is around proactive resilience planning.
I've spoken about AI as a multiplier factor for the threat environment. I think, ultimately, it's really important to suggest that it's also a multiplier in terms of defense. Organizations are using AI for faster threat detection, incident response, and even things like risk quantification.
And I think the last element that's really important here is probably the simplest one. It's just around board-level engagement. So, from a governance perspective, we have senior C-suite individuals who are now far more engaged in prioritizing cyber security than ever before and embedding these new strategies into enterprise risk management.
Because ultimately, this has the potential to be a real material D&O issue. And ultimately, we have seen the mindsets of these individuals move in a proactive manner and in a welcome manner to safeguard organizational environments.
Nancy
Thanks David, and now over to you, Brent.
Brent
Yeah, thank you, Nancy, and great to be with everybody today. Just to use David's last comments around board-level engagement and executive engagement as an opportunity to walk into just the notion of reported events. There have been a tremendous amount of developments across the globe with respect to regulatory and government agency involvement with respect to reporting requirements.
In the U.S. we've seen requirements introduced by CISA, the Cybersecurity and Infrastructure Security Agency. We've seen new rules implemented by the SEC. We've seen various industry-specific requirements through organizations like HIPAA. We've seen state-level laws that have reporting requirements. Across the EU, there are requirements that exist within GDPR and the Cyber Resilience Act, CRA. There have been various changes across the APAC region.
All of these obligations really have had an impact on companies as they think about really coming public with events that they're dealing with, sharing information with these agencies and with law enforcement so that they can help other organizations that might be combating similar attack methods or similar attack patterns.
The other thing I would just call out, I will say, I think there's been a diminishing negative perception or reputational impact on businesses who do share this information, who disclose that they've been dealing with a cyber event. I believe that has had increasing effect on the reported claims that we see, whether it's through Aon's own claims reporting data or through some of the data that we're able to obtain from public sources or from other companies that are monitoring cyber events activity.
Last thing I'd add, and I think this is maybe a shift into the balance of the conversation today, but there's a need to make sure we're balancing frequency with severity. When we look at some of the data that's being pulled together around reported events and the frequency of these events continuing to climb each year, it really is helpful. It helps us identify patterns, helps us evaluate systemic root causes, helps us inform companies that we're working with as they look to manage cyber risks more effectively, as they look to implement controls or really invest in resources that can help their businesses as they prevent common attack patterns.
Certainly, it's helpful for underwriters as they think about managing their portfolio effectively and truly trying to underwrite to risk as effectively as they possibly can.
And I think we saw an example of this with the proliferation of ransomware throughout 2019-2020. And the reaction that we saw across the underwriting platforms where underwriters were asking about common controls that were perceived to prevent common ransomware attack methods and examples being managing admin privileges or user authentication tools.
There wasn't necessarily an appreciation for things that could help minimize the impact of an event. So offline backups or different segmentation strategies that could prevent lateral movement across networks, risk management or efforts to protect against human error, even with the most technically trained colleagues that exist in a security organization within a business.
And as some of those different issues got exploited, we saw that have a tremendous effect on the severity of some of these claims in 2023 and certainly in 2024. Those severity events and the accumulation of those larger losses really have started to put a little bit of pressure on the insurance industry.
And again, just trying to marry these two topics together, I think all of David's comments are incredibly helpful as we think about some of the emerging tactics and the things that are important in the eyes of the underwriting community certainly in the eyes of businesses that are managing these risks. But as we think about the broader economic impact to businesses, we have to also take into consideration what's driving larger losses with certain businesses or what might be bubbling up in terms of accumulated losses that are impacting the insurance industry.
Nancy
Thank you. Despite the increase in claims frequency, why has cyber insurance pricing continued to decline? Brent, let's start with you this time.
Brent
Thanks, Nancy. So I'd start with three major trends that I feel like we've been observing. First, while we've seen an accumulation of losses developing, certainly a larger number of what I would call more severe losses throughout 2023 or more widespread events in 2024.
It's against kind of a backdrop that the product itself has grown tremendously across the insurance industry. We've seen great investment from various insurers. We've seen insurers entering the space, offering errors and omissions and cyber coverage for the first time. We have seen insurers diversify their portfolios, working into different segments. They've diversified by working into different regions, entering new markets.
And in totality, we estimate that this has caused the global gross written premium of the product to nearly double from 2018 through year-end 2024. And as you just lever that backstop against the increase in loss activity and loss development, there's quite a bit more runway for the insurers to leverage as they think about managing to a point where profitability could potentially become unbearable.
And you have to see a shift in the rate environment, whether that be firming rates or another market cycle where we have a correction that needs to be accounted for.
Second thing I'd call out is reinsurance. Reinsurance continues to be readily available for most retail insurers that are offering E&O and cyber coverage as a product in their portfolio. The availability of treaty reinsurance, excess of loss reinsurance, single event solutions, the emergence of catastrophe bonds and various companies purchasing that to protect against widespread events or systemic events. All of those solutions in the reinsurance toolkit have been helpful for insurers as they think about really protecting their portfolio or hedging against certain scenarios.
Last thing I'd say is when I talk about diversification across regions or segments in the context of growth, it's obviously been helpful as you think about the ability for insurers to have more premium to rely on as they think about profitability metrics.
But the other aspect is each of these geographies or segments may be performing in a different way when we think about expense ratio, loss ratio, combined ratio, the key metrics that could impact profitability or the need for a change in strategy with the insurers.
I'll give you an example. The litigation trends that we're seeing in the U.S. are going to be very different than the litigation trends we may be seeing in EMEA or across the APAC region or LatAm region.
We saw a tremendous increase in the volume of ransomware attacks in the United States throughout 2018 and 2019, 2020. We didn't necessarily see the same experience or we didn't have coverage that could respond to some of the same types of loss in other parts of the world. And just that diversification of product and portfolio alone can be very helpful for insurers as they offer a product globally and really allows them to not get into a situation where they have to make really quick corrections based on something they may be experiencing in one particular part of the world or one particular segment.
Nancy
Thank you, over to you David.
David
I would reiterate probably a lot of the points Brent has made, maybe just double down on a couple of things. I think the first thing, when we think about why rates are declining despite an increase in claims, ultimately, from a cyber insurance perspective, it's still a very nascent market.
We're still 25 years in, let's call it. But ultimately, if you think about the fundamentals of what is the insurance market intended to do, it is designed to pay claims. We're just in a position now whereby the change environment is a little bit more settled, the premium pool is a little bit bigger, the challenges are more understandable.
So we're putting our minds around what all of this means. And ultimately, we're starting to get to a playing field that is consistent and consistently makes sense. The other aspect I'd just touch on in particular: we've already spoken about improved risk hygiene factors. Again, greater comfort to the insurers in terms of the pricing models that they're able to drive. And then I think lastly, one of the things I'd focus on is around data-driven underwriting.
So again, through a rating models perspective, there's far greater certainty in terms of how risks are being priced today to make sure that they can do so on a basis where the market doesn't end up in an area where the combined ratio or the loss ratios are in excess of where they need them to be as a sustainable marketplace. So now ultimately, it's an exciting development for the market because we have seen periods of volatility in the last 25 years that perhaps gave rise to concern to some, not to most.
And thankfully, the views of the majority have prevailed and we have started to see a market that is achieving probably the consistency we needed to.
Nancy
Thanks. That's a great lead into our next question. In 2025, what actions should organizations take to better manage their systemic and third-party risks? And how can they leverage cyber insurance to help? David, let's start with you.
David
Great question and probably not an easy one to answer, but probably needs its own podcast, Nancy. But what I'd say is there's probably a few things that immediately come to the front of mind for me. So the first aspect is, has each organization mapped their own digital dependencies? So really do they understand what their critical third-party services are? Be they cloud, SaaS platforms, really critical vendors in their supply chain, upstream or downstream?
I think secondly, has there been a willingness or an ability to stress test incident response plans? Has that been thought about? But really what this means is, when we think about the development into the next phase of this question, how can we start to adopt resilience by design? And from my perspective, it's also ensuring that an insurance process is embedded within resilience by design when thinking in that direction.
I touch on the fact that from a cyber risk perspective in the supply chain or from third party risks, that it is really important that we start to quantify what those sorts of exposures begin to mean.
That's really difficult when you might have 10,000 suppliers in your supply chain. What you need to be able to do is to look at contract value as against exposure and make sure the decisions you're making on a daily basis continue to make sense.
And then lastly, you know, we talk about how do we start to leverage cyber insurance strategically. And that's probably looking at things like transferring residual risk again, that we can understand that we feel that there's value in removing from the balance sheet, particularly in catastrophic scenarios.
But also we need to think about the future. So, from an innovations perspective, the market needs to continue to challenge itself around exploring the utilization of things like parametric insurance for massive vendor outage as an example, or interesting securities for advanced levels of capacity deployment, perhaps that we haven't seen before for niche circumstance. And that's probably something we'll continue to see. But I'll leave it there because I think you could go on for another hour talking about that.
Nancy
Thank you so much. Over to you, Brent.
Brent
Yeah. And just to pick up on something David mentioned, as you think about third party risks and managing against some of the supply chain risk issues that companies have had to deal with throughout 2024 and 2025. I think it's also important to make sure as you evaluate the impact of particular suppliers or particular counterparties in your ecosystem, thinking about how to categorize them based on potential impact to your business, whether that's financial impact or reputational impact is critical. I think it's difficult. I'll say it this way: I think sometimes we find companies or in the underwriting process, underwriters fall into the trap of thinking that a contract value with a particular vendor is the best identifier of how important they are to you as a business.
Certainly true from a budgetary perspective, but as you think about things like a data breach scenario or a downtime event, the largest companies you're partnering with from a contract value perspective may not necessarily correlate to the impact they can have on your business if they suffer a downtime event or if they are to deal with a data breach and have access to information you've provided them as a business partner.
So I think thinking about how you tier those risks is a critical step for businesses to take and something that should be evaluated a little bit differently. From my perspective, again, David provided a great summary. I'd add it's important to continue to drive a holistic approach to navigating cyber risk. It's incredibly complex. It can't be managed in isolation by any individual stakeholder. It's important to manage the risk through improving security posture and continuing to iterate based on recent trends or various issues that other companies have had to deal with or that we've seen in terms of threat actor activity. I think it's important to analyze those risks. We haven't spent a lot of time today talking about risk quantification tools. There's a variety of great scenario-based cyber risk models that Aon's made available to its clients and other great tools that are out there for companies to truly evaluate the potential financial impact of a scenario to their business.
Make sure you partner with the insurance industry. There's a lot of great insight and information that is provided by insurers, certainly by the brokerage community and by Aon. View them as a partner; don't necessarily view them any differently. And I think it's important because it gives companies access to what is truly contingent capital — it's the ability to have a mechanism that you can rely on when a business is dealing with an unforeseen event, and they're really trying to stay resilient from a balance sheet perspective to protect against volatility to the balance sheet.
And all of these things that we've talked about today and the risk issues that really have begun to develop throughout 2024 and now into 2025 as we're almost halfway through — all are really important for us to monitor and manage. The insurance industry can serve as a great backstop for companies as they look to reduce volatility from their balance sheet. I think it's important to continue to partner with the industry in that fashion.
Nancy
Thank you, David and Brent for your insights. That's our show today. In the upcoming months, we'll have more episodes on risk capital topics. Thanks to everyone for listening.
Outro:
Thanks for tuning into the latest episode of On Aon. If you enjoyed this episode, don't forget to subscribe wherever you get your podcasts. And be sure to visit Aon.com to learn more about Aon.