2023 Cyber Resilience Report

This is article 7 of 18 in this Report.

August 01, 2023 / 7 min Read

Actions to Improve Cyber Resilience in Finance and Insurance Sector

Cyber threats are ever evolving and a critical area of focus for regulators, customers, shareholders and boards of directors in the finance and insurance industry.

Key Takeaways

  1. Clients reported overall risk score improvement in 2022, approaching “managed”.
  2. Backup security continues to be an area of vulnerability: U.S. companies still reported gaps in almost 40 percent of the critical backup-security controls.
  3. Insurance claims are rising, with a 38 percent increase in ransomware claims from Q4 2022 to Q1 2023.

Governments, businesses, and customers look to financial institutions as the backbone of the global economy.1 Because of the vital role the industry plays, its security is highly regulated and scrutinized. Emphasizing the need for cyber resilience, the U.S. Securities and Exchange Commission recently introduced a proposal to address cyber security risk. It would require all market entities to implement policies and procedures designed to address their cyber security risks. In addition, financial and insurance organizations would need to review and assess, at least annually, the design and effectiveness of their cyber security policies and procedures, including whether they reflect changes in cyber security risk over the period covered by the review.2 In the European Union, financial institutions have two years to manage operational resilience and comply with the Digital Operational Resilience Act (DORA).3

New risks and vulnerabilities are detected daily, and finance and insurance industry leaders ranked the threat of a cyber-attack or data breach as the top risk in Aon’s most recent Global Risk Management Survey.

The sector faces a complex, globally interconnected risk landscape, and leaders face decisions that demand rapid analysis and execution. Emerging technologies and new business models continually alter the terrain. Mobile wallets are one fundamental development: offline and online payments made with a smartphone, other mobile device, or wearable are now commonplace, and FinTech is snowballing. The FinTech sector greatly expands the attack footprint and introduces additional third-party risk for the larger financial institutions that connect to these smaller, less mature companies. While Asia leads in prominence of FinTech companies by revenue, North America has the most FinTech start-ups, with an estimated 8,775 currently operating. Europe, the Middle East, and Africa have 7,385 FinTech start-ups4 and Asia-Pacific 4,765.5

Changes in cyber liability insurance have also been significant over the past two years. Incidents such as the 2021 ransomware attack on a U.S. pipeline system altered the marketplace, and insurers came to appreciate the scale of business-interruption and interconnectivity risk. Carriers now require financial institutions to demonstrate cyber resilience to secure an affordable policy, or any policy at all. During renewal discussions, some carriers bring in independent technology professionals to question a financial institution's chief information security officer.

Financial institutions can therefore treat the insurance renewal process as an opportunity to demonstrate the controls and systems they have in place, so that renewal becomes a complement to their own risk management process.

Aon Clients Report: Finance and Insurance Industry and Cyber Risk

Aggregated data from Aon's Cyber Quotient (CyQu) show that clients reported an overall risk score improvement from 2.7 to 2.9 (approaching "managed") in 2022 across all finance and insurance companies. Small and medium-sized entities reported that their risk profile improved from "basic" to "managed", and 64 percent reported risk scores above 2.5. This growth in maturity will likely continue as insurers keep their focus on these emerging organizations, which are critical to the financial services ecosystem.

The median percent of the IT budget spent on security also rose globally, with finance and insurance companies reporting 8 percent of the IT budget dedicated to security in 2022.

CyQu Risk Scores for Finance and Insurance Client Segments

Annual Revenue (group) | 2020 | 2022 | Change

CyQu Risk Maturity Scoring: Initial 1.0 - 1.9; Basic 2.0 - 2.5; Managed 2.6 - 3.4; Advanced 3.5 - 4.0

We are currently seeing a resurgence of aggressive threat actor groups targeting financial services companies, and those attacks are succeeding in a majority of cases. Insurance claims are rising, with a 38 percent increase in ransomware claims from Q4 2022 to Q1 2023, even though all revenue bands reported steady improvement in their overall cyber risk profile. Finance and insurance companies improved their implementation of information technology controls between 2021 and 2022 and emphasized strengthening multifactor authentication (MFA) controls. U.S. companies reported significant improvement in the MFA critical control, with 80 percent reporting it deployed versus 65 percent in 2021. However, even with this improvement, Aon notes that many may not yet have deployed MFA comprehensively, and incomplete coverage may be a factor in the rise in claims we are currently experiencing.

Looking to the U.S., finance and insurance companies reported steady improvement in IT controls readiness between 2021 and 2022. Aon's Ransomware Supplemental Application red flag controls data shows that the most significant improvements were in MFA (15 percent) and business resilience (8 percent) in implementing essential underwriting controls. Compared with the healthcare and manufacturing sectors, the financial services industry appears much more mature in business resilience. However, backup security continues to be an area of vulnerability, with organizations still reporting gaps in almost 40 percent of the critical backup-security controls. This control domain should be an area of focus throughout 2023 as ransomware threats escalate again.

Chart: Percent of critical IT controls lacking, by industry, U.S. (red flags)

While trend data is not yet available for the UK, in 2022 the country's finance and insurance organizations reported the strongest maturity in access management, email security, and patch management, registering 20 percent or fewer gaps in each control area. Clients reported significant gaps in software management and in network and data security controls. As with their counterparts in the U.S., backup protection also appears to need attention.

Chart: Percent of critical IT controls lacking, by industry, UK (red flags)

Now What? Action for Finance and Insurance Organizations


1 "How Financial Institutions Reshape the Agenda in a Volatile Environment." Aon's Finance and Insurance Industry Primer. Aon, 2023.

2 "SEC Introduces New Requirements to Address Cybersecurity Risks to the US Securities Market." Press release. Securities and Exchange Commission (SEC), 15 Mar 2023.

3 Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554. Retrieved from https://www.digital-operational-resilience-act.com

4 "The Importance of Better Decision Making Amid Increased Volatility." Aon's 2021 Global Risk Management Survey. Report. Aon, 2021.

5 "FinTech Statistics." Article. Balancing Everything, 03 Mar 2023.

Insurance products and services are offered by Aon Risk Insurance Services West, Inc., Aon Risk Services Central, Inc., Aon Risk Services Northeast, Inc., Aon Risk Services Southwest, Inc., and Aon Risk Services, Inc. of Florida, and their licensed affiliates.

The information contained herein and the statements expressed are of a general nature, not intended to address the circumstances of any particular individual or entity and provided for informational purposes only. The information does not replace the advice of legal counsel or a cyber insurance professional and should not be relied upon for any such purpose. Although we endeavor to provide accurate and timely information and use sources we consider reliable, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future.