Management Consulting
Aon
Full Credential Description
In the finance and insurance industries, clients faced significant challenges related to cyber security, particularly concerning third-party risks and the lack of basic IT controls. A notable issue was that 15% to 25% of middle-market companies and small and medium-sized enterprises (SMEs) lacked multifactor authentication across key systems, which heightened their vulnerability to cyber attacks. The interconnected nature of the industry, compounded by decades of mergers and acquisitions, resulted in a complex cyber infrastructure that was difficult to secure. Additionally, the rapid growth of fintech and digital assets introduced further vulnerabilities, particularly from third-party attacks, which were responsible for a majority of data breaches among the top 150 insurance companies.
To address these challenges, tailored solutions were implemented, focusing on enhancing cyber resilience and improving risk management practices. Companies increased their investment in cyber security, with an average of 9% of their IT budgets allocated to security in 2024, up from 8% in 2022. This investment led to measurable improvements in overall cyber risk scores, which rose from 2.92 in 2022 to 2.96 in 2024, indicating that risks were increasingly being managed effectively. Notably, small and midsize entities saw their risk scores improve from 2.7 to 2.8, while global companies improved from 3.0 to 3.3.
The results of these efforts were significant. Aon's data indicated that almost 70% of middle-market and SME clients now had an incident response plan for ransomware, a substantial increase from previous years. Furthermore, the proportion of clients with red flags (indicators of potential vulnerabilities) dropped by 15% year-over-year, outpacing the industry average of 9%. Despite these advancements, challenges remained, particularly for SMEs, where over 25% still lacked multifactor authentication for backups, and more than 40% did not have backups stored at a secondary data center.
These gaps in basic controls could jeopardize their insurability in a market that is otherwise favorable for finance and insurance companies. Overall, while the finance and insurance sectors have made strides in managing cyber risks, ongoing efforts are necessary to address vulnerabilities, particularly in third-party security and application security, to ensure continued resilience against evolving cyber threats.