Executive Welcome

Welcome to Aon’s 2025 Global Cyber Risk Report, a study that follows a year of noteworthy systemic cyber events. This report stands alone in its ability help businesses make better cyber risk decisions thanks to the unique way we have drawn together data and interpretation across critical cyber security controls, cyber events and the cyber insurance market —globally and by region.

Amid escalating cyber risk, Aon’s Cyber Quotient Evaluation (CyQu), our patented global assessment platform, delivered a positive outlook from our responders and showed that companies are overall maturing. This proved to be particularly true for our enterprise clients. Understanding the need to align cyber insurance to cyber security strategy became more prevalent among large companies, where we also saw greater collaboration across stakeholders, up and down the organization. Third-party risk continued as a frontline issue across the year, as businesses found it increasingly challenging to protect their supply chains. And importantly, we observed occasional misunderstandings about what cyber insurance covers – and doesn’t cover — which reflects the need for more education across the industry.

Turning to our Aon CyQu data, several important points emerged. According to self-reported client assessments, organizations across the globe achieved a 5 percent year-over-year improvement across those critical cyber security controls deemed most important by the insurance industry. Aon renewal clients reported even more growth, reporting 9 percent improvement overall, with middle market clients demonstrating 11 percent improvement in 2024. This is promising, but more investment is required to strengthen third-party risk, application security and business resilience security domains. Looking at cyber events, ransomware incidents continued to rise at a pace of 24 percent in 2024, while claims were down across all other areas of loss, such as privacy and fraud. Interestingly, early indicators show ransomware claims payments are declining year-over-year, which we submit demonstrates in part the return on investment from implementing backup security controls.

Competition heightened globally across the cyber insurance marketplace and, after realizing ten straight quarters of pricing decreases for US based risks, cyber insurance pricing continued its softening trend, ending with a 7 percent decline in Q1 2025. The time is ideal for businesses of all sizes to enter the cyber insurance market, and this is of utmost importance for increasingly vulnerable middle market companies. These organizations filed more cyber claims than any other group last year and, from a preparedness standpoint, 55 percent have not carried out a cyber security tabletop exercise while 45 percent have vulnerability scans that cover < 100 percent of the enterprise, significantly increasing the potential risk for business interruption loss due to a cyber event. Better education and awareness around cyber risk is needed and alternative means of securing the business from cyber risk need to be explored — such as outsourcing select security functions or automating vulnerability testing. Equally crucial is the need to transfer cyber risk.

This report can help start the conversation to help improve your organization’s cyber resilience. Only through data can you secure a 360° view of cyber risk and better understand the probability and magnitude of potential loss. At Aon, we can help you make better decisions to improve controls, which can lead to improved cyber insurance pricing, more substantial coverage, stronger terms and more market capacity. We bring the breadth of our deep experience, relationships and analytics to unlock capital, which we access across markets, geographies and various financial structures to help protect and grow your organization. I cannot stress enough the importance of understanding your cyber risk and the role of insurance in your cyber security resilience strategy.

Brent Rieth

Global Cyber Leader