This is article part 15 of 15 in this report.

June 13, 2025

Behind the Data: Better Decisions Facilitated Through Aon’s Cyber Broking Process

Aon’s 2025 Cyber Risk Report leverages proprietary data from the Cyber Quotient Evaluation (CyQu), a patented global cyber e-submission platform that helps streamline the insurance intake process and strengthens clients’ cyber risk management programs by delivering insights into exposures and insurability factors. CyQu, aligned with ISO and NIST frameworks, aids organizations in identifying performance gaps, prioritizing key controls, and tracking changes in cyber maturity. Regular updates, informed by cyber insurance underwriters, improve Aon’s brokerage process and ensure alignment with over 65 insurers in the U.S. and EMEA [1]. The CyQu client portal transcends traditional paper applications by providing peer comparisons and security control benchmarks as part of the submission process. It uses analytics and a comprehensive evaluation framework to offer detailed insights into cyber risk posture, enabling vulnerability identification and risk mitigation prioritization.

These insights, along with client benchmarking, claims modeling, and guidance from Aon’s account teams, enable clients to enhance their control posture annually [2] and align stakeholders. The Cyber Risk Analyzer [3], integrated with the CyQu platform via Application Programming Interface (API), supports limit adequacy and loss-based modeling, facilitating strategic balance sheet protection. It empowers risk managers to convey the value of insurance and the Total Cost of Risk (TCOR) to the C-suite, fostering stakeholder alignment.

Aon’s Broking team leads a collaborative process that improves the insurance purchasing experience by identifying control deficiencies and prioritizing key improvements to optimize pricing and coverage scope. This strengthens Aon’s holistic approach, allowing clients to leverage analytics to inform their cyber risk management strategy.

This global process underpins the insights published in this report.

Data Methodology

Controls: The CyQu assessment evaluates risk across 35 critical controls within nine security domains, providing insights into significant risks and control effectiveness.

The CyQu database benchmarks over 10,000 clients and has 20,000 client users. This 2025 Risk Report is based on CyQu scores from 3,226 Aon clients reported in 2024 across APAC, EMEA, LATAM, and North America, with representation across industries and revenue bands. Scores range from 1 to 4, with trend insights derived from comparisons of 2020, 2021, 2022, 2023, and 2024 data.


CyQu Global Submission data: Companies distribution

Market Segment Definitions.

Small Medium Enterprises (SME): < $100 million in revenue

Middle-Market (MM): $100 million – 2 billion in revenue

Large Enterprise: $2-5 billion in revenue

Global: $5+ billion in revenue


CyQu Global Submission data: Regional


CyQu Global Submission data: Global Industry Distribution

* ‘Other Industries’ category represents responses from clients in the following industries: Financial Sponsors, Hospitality, Travel & Leisure, Insurance, Life Science, Sports & Entertainment.


U.S. Operation Technology Industry Distribution


Pricing: Pricing data is collected from over 1,300 Aon clients in the U.S., using a trailing 13-month trend. SME and Middle-Market segments account for 70% of the data. The CyQu Broker Dashboard stores data from over 2,300 active and 7,000 past program towers.


Cyber Monthly Pricing All Layers

Average Year–over–Year Change (Same Clients)


Claims: This 2025 Report’s claims analysis is derived from multiple proprietary platforms, including CyQu Broker Dashboard’s U.S. Claims Submissions Data (2023-2024), Aon’s Global Claims Resolution Database, and Aon’s Digital Forensics and Incident Response (DFIR) team’s OpenCTI data. Additional sources include Flashpoint (Risk Based Security) analysis by Aon, ransomware statistics from Aon’s proprietary large claims data (2023-2024), and intelligence from ransomware leak sites on the dark web. Aon’s Reinsurance Experience Benchmark Database offers insights into ransomware and non-ransomware frequency and severity across various accident quarters, split by SME-focused portfolios (insureds with < $1 billion annual revenue) and large insured-focused portfolios (insureds with > $1 billion annual revenue).

Glossary

Aon’s Ransomware Supplemental Application and CyQu Questionnaire provide visibility into an organization’s Information Technology (IT) controls to evaluate its vulnerability to a ransomware attack.

As risks continue to evolve, so do Aon’s key underwriting controls and risk weightings. The list below reflects a year-over-year control comparison but is a subset of the key underwriting categories and Red Flags Aon helps clients prioritize today.

Key Security Controls Definition

Information Technology (IT)

Disaster Recovery/Backups: The client’s backup capabilities, assessed for robustness, frequency, storage location and recovery.

Incident Response Plan/Ransomware Exercise: Plans for prompt and effective continuation of business-critical services in the event of a disruption.

Network Segmentation/Network Monitoring (IT/OT): Measures taken to protect network and data integrity and privacy from attack and infiltration.

Multi-factor Authentication (MFA): Controls around authentication for remote access, critical networks, and privileged access accounts before accessing organizational data.

Access Control/Service Accounts: Grants authorized users the right to use a service while preventing access to non-authorized users.

Endpoint Protection & Response (EDR): Delivery and administration of infrastructure services, systems monitoring, endpoint detection, configuration management, storage management, and infrastructure operations.

Email Filtering: Business email security that protects from phishing attacks and prevents data exfiltration.

Patch Management/Zero Day Vulnerability: Vulnerability management by improving, fixing, and updating application systems.

Phishing Exercise/Cyber Awareness Training: Annual phishing training and simulation campaigns that reduce the risk of successful phishing attacks and improve overall cybersecurity posture.

Operational Technology (OT)

Operational Technology: Hardware and software that detects or causes a change in physical processes or events through the direct monitoring and/or control of physical devices (e.g., industrial equipment) in the enterprise.


The following industries and subindustries are in this report.

Industry: Subindustry

Construction and Real Estate: Commercial Construction, Engineering, Real Estate, Residential Construction, Other

Natural Resources: Mining, Oil, Gas, & Petrochemicals, Power Generation & Distribution, Renewables, Other

Financial Institutions: Asset & Alternative Managers, Banks, Markets Data & Exchanges, Payment & Fintech, Other

Financial Sponsors: Infrastructure & Real Assets, Private Equity (buyout/mid-market/growth capital), Sovereign Wealth Funds, Venture Capital, Other

Food Agribusiness and Beverage: Ag & Food Tech, Agribusiness, Beverage, Food Service, Processing & Manufacturing, Wholesale & Distribution, Other

Healthcare Providers and Services: Providers, Services, Other

Hospitality Travel and Leisure: Casinos, Cruise Lines, Hotels & Resorts, Travel, Other

Industrials and Manufacturing: Advanced Manufacturing, Aerospace & Defense, Automotive, Chemicals, Heavy Industry, Other

Insurance: Health, Life, MGA, Multi-line, Property & Casualty, Reinsurance, Other

Life Sciences: Biotech, Medical Tech & Devices, Nutraceuticals & AgroSciences, Pharmaceutical, Service (CRO/CDMO), Other

Professional and Business Services: Accounting Firms, Business Services, Consultants, Law Firms, Other

Public Sector: Education, Federal, NGOs & Non-profits, State/Local, Other

Retail and Consumer Goods: Consumer Durables, e-Commerce, Leisure Products, Retail, Other

Sports and Entertainment: Film, TV, Radio, & Print, Special Events, Sports, Other

Technology Media and Communications: Content/Media Distribution, Data & Analytics Platforms, Digital Platforms, Hardware & Equipment, Semiconductors & Equipment, Software & Services, Telecom Equipment & Services, Other

Transportation and Logistics: Transport Select, Airlines, Integrated Logistics, Marine, Rail, Trucking, Other

 

References

[1] The majority of largest cyber insurance markets, including Aon Structured Portfolio Solution for clients between $100 million and $2 billion, accept CyQu as their main submission document. Aon Supplementals ransomware, errors and omissions, media content liability, operational technology, privacy and vendor are incorporated into and made part of any application for cyber coverage submitted by the applicant.

[2] Aon Cyber Broking Renewal Critical Controls improved by 6% YOY between 2023 & 2024.

[3] Cyber Risk Analyzer | Aon


Insurance products and services are offered by Aon Risk Insurance Services West, Inc., Aon Risk Services Central, Inc., Aon Risk Services Northeast, Inc., Aon Risk Services Southwest, Inc., and Aon Risk Services, Inc. of Florida, and their licensed affiliates.

The information contained herein and the statements expressed are of a general nature, not intended to address the circumstances of any particular individual or entity and provided for informational purposes only. The information does not replace the advice of legal counsel or a cyber insurance professional and should not be relied upon for any such purpose. Although we endeavor to provide accurate and timely information and use sources we consider reliable, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future.
