Six cyber resilience lessons for risk managers

The implications of a cyber breach for a business can be catastrophic.

In fact, major cyber incidents result in a 9% decrease in shareholder value in the year following the event, according to new data from Aon.

Consequentially, achieving cyber resilience is a recurring theme in board room discussions and the threat is finally being considered from a holistic risk perspective.

Christian Hoffman, global cyber leader for Aon, said:  “Companies have experienced new forms of volatility over the last four years, experiencing a rise in the frequency and severity of cyber threats and ransomware events.”

What does it mean for risk managers?

In response to the threats, cyber insurance premiums have risen, and insurers are now scrutinising firms’ risk management controls. 

Aon clients reported that cyber maturity and readiness improved between 2020 and 2022, realising a global average shift from “basic” to “managed” cyber maturity.

Companies, in general, employed measures to strengthen security domains and controls deemed critical by insurers, including an increased focus on access management and multi-factor authentication (MFA) strategies.

”The risk introduced across a company’s supply chain is complex”

Correlated with this, Aon says ransomware claims decline by 32% and overall cyber insurance claims frequency decline by 14%  in 2022.

However, the data shows that organisations across all sectors struggled with third-party risk management, for which no sector reported a “managed” profile. 

Hoffman said: ”The risk introduced across a company’s supply chain is complex, and the deepening interconnection across technology stacks exponentially increases third-party risk.

”We expect that many insurers will shift their focus to systemic and correlated risk exposure and impact this year.”

How can risk managers tackle the threats

One of the most challenging events any risk manager will go through is navigating the path towards achieving cyber and ultimately, business resilience.

Such resilience is essential to help minimise risk from a financial, operational and reputational perspective. It demands a holistic view that connects proactive risk management, response preparation, and risk transfer mechanisms.

Six key lessons for risk managers

Assess control effectiveness

Navigating, the risk landscape, while trying to understand the correlation between cyber and business risk has always been challenging.

The pressure is on to not only continuously block and tackle, patch vulnerable systems and understand the connection points across highly integrated technology stacks, but also keep on top of the potential impact of emerging threats and regulatory changes.

”Security teams should regularly assess controls to determine effectiveness across preventative and response cyber maturity.”

The result is risk management, security, and technology teams must constantly evaluate the organisation’s preparedness for evolving threats and provide quantifiable evidence of current controls’ effectiveness to insurers and the marketplace.

Aon said: ”Alignment with best-practice control standards, like those specified by the National Institute of Standards and Technology (NIST) or the Center for Internet Security (CIS) is prudent.

“Security teams should regularly assess controls to determine effectiveness across preventative and response cyber maturity.”

Reduce the risk of human error

Humans can make mistakes, and threat actors often take advantage of this vulnerability. 

By 2025, half of all cyber events are expected to be the result of human errors or malicious actions. This is a reality companies need to prepare for.

New digital business models bring additional challenges. Among these, contingent workers can introduce vulnerabilities, and the increased accessibility of networks to third parties can compromise security.

“The focus on safe work practices and data loss protection will remain if the hybrid workplace remains in place.”

Phishing remains the most common vector for initial network access, placing the insider – or the employee – at the front line.

Aon says: ”As system integration and organisational dependence on third parties continue to rise, so will the need for increased insider risk monitoring.

”Organisations will focus more on the necessity for endpoint detection and response (EDR), security operations center (SOC), and network security.

“Similarly, the focus on safe work practices and data loss protection will remain if the hybrid workplace remains in place.”

Plan for the worst

Organisations must plan for the worst-case attack.

For example, what happens if the company’s network goes down completely? How will the business be supported and sustained? Does the company have a resiliency model that can manage this process? How will the company keep clients whole, even at the cost of business opportunity?

These questions are critical components of business continuity planning (BCP) and business continuity management (BCM).

”Equally important is the need for disruption preparedness across business operations.”

Aon’s data revealed that across regions, levels of BCM remained flat between 2020 and 2022 and sit at a basic level.

Aon said: ”More focus on scenario-planning operational disruptions is needed.

“While it is imperative to layer technical controls on the enterprise to prevent ransomware, equally important is the need for disruption preparedness across business operations.”

Manage reputational risks

Aon’s analysis of 47 prominent cyber events reveals that, on average, these incidents resulted in a 9% decrease in shareholder value over and above market effects in the year following the event.

This translates to an overall negative value impact of $225 billion. Companies that fared worse realised an average value impact of -21% or a total value loss of $670 billion.

However, not all companies lost value in the wake of an attack. Some saw reputation capital increase over the course of the event. 

The same research identified 17 companies that successfully navigated these challenges, realising an average increase in value of 18% above market trends, resulting in a combined value gain of $445 billion.

”Companies must be deeply committed to cyber loss prevention and mitigation, enabled by a strong recovery or incident response plan.”

Aon said: ”The management of cyber risk and procurement of cyber insurance is generally viewed favourably by stakeholders. It can deliver protection against financial volatility and erosion of shareholder value (EPS), and it can help protect employees, customers, and partners.

”Five hallmarks of reputational value recovery can help companies mitigate the risk of reputational fallout post-breach: preparedness, leadership, communication, action, and change.

”Companies must be deeply committed to cyber loss prevention and mitigation, enabled by a strong recovery or incident response plan. Strong and visible CEO leadership and accurate and well-coordinated disclosures are part of the critical response plan.

”Action should be instant and global. And above all, genuine remorse and an honest commitment to meaningful change are required.”

Understand the supply chain

The impact of a supply chain attack can be widespread. With potentially thousands of suppliers, a supply chain event can result in varied outcomes beyond business interruption.

People safety risks are a key concern. For example, the automotive original equipment manufacturer (OEM) that relies on other OEM devices might produce at-risk connected cars.

”The complexities and potential impacts of these supply chain attacks underscore the need for effective risk management”

Then there are the political risks introduced by vendors based in geopolitically volatile locations, or new risks introduced by vendors that operate within a more challenging regulatory framework.

Aon said: ”The complexities and potential impacts of these supply chain attacks underscore the need for effective risk management, making one thing undeniably clear—comprehensive oversight and understanding of third-party risks are crucial.”

Minimise cyber’s impact on systemic risk

Systemic risk arises internally and externally to the organisation and represents a multiplier effect on the scale and scope of a cyber incident. 

This means that individual organisations can suffer significant financial losses if systemic risks are not effectively managed. 

”Modelling extreme cyber events can expose aggregate risk and predict the likelihood of an attack.”

As cyber threats evolve, risk quantification models and scenario planning are being refined to accurately determine an organisation’s risk profile. This informs the extent of cyber insurance coverage required to safeguard against potential losses from systemic risks.

Aon said: ”Like tracking the path of a storm, modelling extreme cyber events can expose aggregate risk and predict the likelihood of an attack.

”Data intelligence, including a detailed map of the organisation’s tech stack (internal and third-party vendor tech stacks), helps to deliver insight into the level of connectivity, the sophistication of the threat actors, and consideration of standard security mechanisms form the basis of risk models.”