Industry insights

Energy, utilities and natural resources

The role of energy resources in critical infrastructure and its financial clout make these organizations an inviting target for foreign nation states, economic espionage, and hacktivists. Digital evolution, reliance on third parties, and the rise of IoT smart devices and smart grids make energy, utilities and natural resources organizations an attractive target.

How does the energy, utilities and natural resources industry stack up?

2.4 (basic)

The average CyQu rating for energy, utilities and natural resources organizations globally is 2.4/4 (basic).

What this means

This rating indicates that cyber security maturity is at a basic level. Organizational cyber security risk management practices and technologies are not formalized, and risk is managed in an ad hoc and sometimes reactive manner. Risk management practices and technologies are not established organization-wide.

Explore the most pertinent cyber risks to energy, utilities and natural resources organizations, map them to key cyber security controls, and determine actions your organization can take to close cyber security gaps.


*Aon's Cyber Quotient Evaluation (CyQu) is a comprehensive cyber risk assessment that evaluates cyber risk across 9 security domains and 35 critical control areas.

Underpinned by proprietary data and expert insights, explore four key risk themes that are prominent to energy, utilities and natural resources organizations today.


Navigate new exposures:

Rapid digital evolution

There is a large discrepancy across organizations in this industry. While the majority are above the global benchmark, 24% do not undertake any form of regular penetration testing. Conversely, 27% employ best practices and regularly use external penetration testing teams to stress test control environments.

Know your partners:

Third-party risk

This industry appears to have good basic third-party contract hygiene, with use of minimum insurance requirements and predefined Service Level Agreements (SLAs) for cyber security. That said, only 2% of organizations obligate such controls for all contracts, indicating the importance of robust third-party assessment and layered controls.

Concentrate on controls:


This industry is subject to a heightened number of incidents around data theft, espionage, and billing fraud. Taking this into account, it’s not surprising that 21% of organizations scored substantially higher than the global industry average for incident response (IR). However, 41% indicated that they have an ad hoc approach to response.

Perfect the basics:


Embedding cyber risk management into wider risk management frameworks is a challenge for many organizations, with 61% indicating they have not adopted the appropriate governance, risk management, or data protection measures. Collaboration with other risk management oversight functions, such as audit, Enterprise Risk Management (ERM) and legal, to measure and manage cyber risk remains low. This affects an organization’s ability to anticipate and respond to future privacy regulations.
