Dear reader,

Now more than ever, global leaders are finding themselves under increasing pressure. Revenues are down, budgets are constrained, and the continuous rush to transform has organizations playing catch-up in the cyber security game. All of which means that tougher decisions need to be made in increasingly complex environments. Across industries, the velocity of digital change outpaced that of security in 2020, with organizations giving up ground to keep the lights on and maintain momentum.

The majority of the cyber threats organizations face today are not new – connected devices, ransomware, and insider risk will be ever-present. But what is new is that COVID-19 ushered in a 360-degree shift in the nature of business and exponentially intensified cyber risk. This was seen in a sharp uptick in the number and severity of ransomware cases, coupled with supply chain and support vendor vulnerabilities. Successful cyber attacks that came to light at the end of 2020 and start of 2021 — including Mimecast, SolarWinds, Accellion, and Microsoft Exchange — highlighted vulnerabilities associated with working with third parties. Ransomware became a headline risk for insurers and insureds alike, as activity grew dramatically — up 400% from the first quarter of 2018 to the fourth quarter of 2020¹. Underwriters, who saw their cyber insurance portfolios running at a loss predominantly due to ransomware, recognized the critical need to better evaluate and put a higher price on cyber insurance.

The challenges are profound and run deep. Global organizations are not in a state of digital transformation — this term implies a beginning, middle and an end. What organizations are experiencing is digital evolution, and new risks are emerging daily. It is a balancing act between risk and opportunity, and clients are constantly asking themselves: How can we make informed decisions around our cyber budget to support changing business models, while protecting our people, clients, partners, and our balance sheet?

Against this backdrop we deliver Aon’s 2021 Cyber Security Risk Report: Balancing risk and opportunity through better decisions, our annual analysis of the state of cyber risk. This report concentrates on four key risks that are critical today, entitled: Navigate new exposures, Know your partners, Concentrate on controls and Perfect the basics, and closes with a discussion on emerging risks. Using our leading-edge data, analytics, and expert insights, the report aims to help organizations evaluate their cyber risk maturity and make better enterprise risk decisions.

New this year is insight derived from Aon’s Cyber Quotient Evaluation (CyQu), a comprehensive risk assessment that evaluates cyber risk maturity across nine critical domains. CyQu helps organizations understand cyber threats through both a commercial and information security lens. The 2020 data tells us that organizations, across various regions, industries, and revenue bands, are on average performing under baseline – and only maintaining a basic level of cyber maturity and readiness. As a case in point, only two in five organizations report that they are prepared to navigate new exposures arising from rapid digital evolution. More alarmingly, a mere 17% of organizations report having adequate application security measures in place. Moving to third-party risk, only 21% of organizations report having baseline measures in place to oversee critical suppliers and vendors. Overall, the CyQu data tells us that cyber security risk management practices and technologies are not formalized, and that risk is being managed in an ad hoc and reactive manner.

Throughout 2021 and beyond, organizations have much work ahead to pass the scrutiny of regulatory bodies, insurers, partners, and customers. This report will help empower results, and guide organizations as they evolve towards managing cyber risk as an enterprise risk.

1. “2021 Errors and Omissions and Cyber Insurance Snapshot: A focused view of 2021 risk and insurance challenges,” Aon,


Data on security performance trends were drawn from Aon's Cyber Quotient Evaluation (CyQu), an online cyber risk assessment. 996 organizations representing 20 industry groups and spanning North America, Europe, Middle East and Africa, and Asia-Pacific, provided data. More than 111,552 data points were recorded, and security performance trends were structured using the nine security domains and 35 critical control areas that comprise the CyQu methodology.

Navigate new exposures: Rapid digital evolution

Know your partners: Third-party risk

Concentrate on controls: Ransomware

Perfect the basics: Regulation

1 | Navigate new exposures