This is article part 5 of 15 in this report.

August 13, 2025

Finance and Insurance Industries: Managing Risk in a Rapidly Evolving Environment

Key takeaways

  1. Clients reported an improvement in overall cyber risk score in 2024, with the average industry score indicating risks are now “managed.”
  2. Third-party risks are responsible for a significant and growing proportion of data breaches.
  3. Basic IT controls remain an issue for some middle-market companies and small and medium-sized enterprises, with 15% –25% lacking multifactor authentication across a range of key systems.

Financial institutions continue to be the backbone of the global economy. A cyber attack that compromises the operations of a financial institution can have a major effect on the ability to access finance and payment systems, with direct impacts for markets, businesses across sectors and the general public. As a result, issues related to cyber security are highly regulated. Reflecting the importance of this issue, the International Monetary Fund made the growing threat of cyber attacks, and the knock-on potential impact for macroeconomic stability, a major theme of its April 2024 Global Financial Stability Report.[1]

The sector faces an increasingly complex risk landscape — as can be seen in the recent high-profile attacks targeting both companies and government agencies. In April 2025, the U.S. Department of the Treasury’s Office of the Comptroller of the Currency, whose role is to regulate and supervise U.S. and foreign banks, announced that the emails of executives and other employees of the agency had been hacked, blaming long-standing vulnerabilities for the breach.[2]

The finance and insurance industries are well aware of the extent of these risks. Industry leaders ranked the threat of a cyber attack or data breach as the top risk in Aon’s most recent Global Risk Management Survey.[3] As a result, these industries are constantly seeking to understand the changing shape of the threat environment and get ahead of it. There are signs that these efforts are starting to pay off — at least for enterprise and global clients. On average, the global risk score for finance and insurance organizations is higher than for other sectors, though scores do vary significantly according to the size of the organization and other factors.

But companies still have a lot of work to do in building their cyber resilience. Vulnerabilities still exist across the sector, particularly around third-party and application security. In addition, and of particular concern, many small and medium-sized enterprises (SMEs) and mid-market companies still lack basic controls, such as multifactor authentication, for key systems.

The cyber-insurance market has matured a great deal over the past few years. Previously, financial institutions were thought to represent a vertical that was “high risk,” or difficult to place, but now they are among the organizations that present the most attractive risks for the cyber market. The amount of regulatory scrutiny that these companies face on a daily basis means that they are among the most well-managed businesses from a cyber perspective.

In addition, the banks and insurance companies of today increasingly view themselves as financial technology businesses rather than “just” financial institutions and believe that digital transformation has forced the market to step up and expand the scope of cyber-insurance offerings available to those businesses. The supply of willing risk transfer capital has continued to expand, which means that financial institutions of all sizes can now enter the market confident that they will be provided with cyber risk-transfer programs that meet their needs.

Cyber Attacks Can Still Cause Significant Damage in the Finance and Insurance Sector

In addition to the broad geopolitical, macroeconomic and technological factors that have complicated the operating environment and increased cyber risks across industries, the finance and insurance industry has several features that render cyber attacks particularly problematic. First, the industry is highly interconnected, and the shared use of a number of platforms and services can significantly increase the magnitude of any cyber attack.

Second, many of today’s banks and other financial institutions are the result of decades of mergers and acquisitions, which means that cyber-related infrastructure can be a tapestry of different systems with different levels of sophistication. In addition, rapid growth in fintech and broader digital assets — which may not be governed by the same regulations as the industry at large — continues to exponentially expand the potential attack footprint and introduces even more third-party vulnerability to larger financial institutions. Third-party attacks are a growing issue, with a recent report indicating that these attacks are responsible for most data breaches reported by the top 150 insurance companies.[4]

Last, a cyber attack that compromises service availability — even for a very short period — can have very serious implications for finance and insurance customers in a way that is not necessarily true for other industries. The relationship between a bank and its customer is based on reputation and the customer’s trust in their ability to access and move money, among other factors. Losses or issues with access — even if relatively minor — can damage that relationship to the extent that the customer may decide to take their business elsewhere, possibly leading to a run on the bank.

Aon Clients Report: Finance and Insurance Industry and Cyber Risk

The proportion of finance and insurance companies’ information technology budgets that is spent on security has risen globally over the last few years. Companies reported that 9 percent of their IT budget was dedicated to security in 2024, compared to 8 percent in 2022. And this increased investment is beginning to pay off. Aggregated data results from Aon’s Cyber Quotient (CyQu) show that clients reported overall risk score improvement from 2.92 in 2022 to 2.96 in 2024 across all finance and insurance companies, indicating that risks are, on average, “managed.” These scores indicate that the finance and insurance industry is further along on managing risk than many other industries, including both healthcare (2.82) and manufacturing (2.53).

The risk score varies according to the size of the organization, with large companies notably more advanced than smaller companies. Reported risk scores improved between 2022 and 2024 for small and midsize entities (2.8, up from 2.7) and global companies (3.3, up from 3.0), while remaining consistent for enterprise and mid-market entities at 3.2 and 3.0, respectively.[5]

When looking at risk score by cyber domain, companies generally score best on endpoint and network security. Unsurprisingly, given the known issues around third-party vulnerabilities discussed above, they score least well — on average — for application security and third-party security, creating potential opportunities for threat actors. Risks around backups and business resilience also continue to be an issue, which is particularly problematic given the ongoing issues with ransomware attacks.

Cyber Domains | 2024 Financial Institutions and Insurance

Overall Risk Score: 2.96

Highest Scoring

  Endpoint Security: 3.21
    Logging & Monitoring     3.35
    Endpoint Protection      3.31
    Secure Config.           3.18

  Network Security: 3.15
    Pen Testing              3.57
    Environment              3.12
    Capacity                 3.07

  Data Security: 3.12
    User Awareness Training  3.47
    Governance               3.25
    Data Protection          3.06

Lowest Scoring

  Application Security: 2.49
    Software Mgmt.           2.30
    Training                 2.50
    Secure Dev.              2.65

  Third Party: 2.62
    Due Diligence            2.49
    3rd Party Contracts      2.54
    3rd Party Inventory      3.27

  Business Resilience: 2.91
    Backup                   2.71
    Incident Response        2.94
    BCM/DR                   3.03

CyQu Risk Maturity Scoring

  Initial: 1.0 - 1.9
  Basic: 2.0 - 2.5
  Managed: 2.6 - 3.4
  Advanced: 3.5 - 4.0


Looking to the U.S. in particular, Aon’s CyQu red flag controls data shows that, year-over-year, our renewal clients’ red flags dropped by 15 percent, a substantially faster rate of improvement than the industry average of 9 percent. Almost 70 percent of middle-market and small and medium-sized enterprises now have an incident response plan for ransomware, and the same is true for over 80 percent of our global and enterprise clients — a substantial improvement over prior years.

There is, however, still plenty of room for improvement, particularly for middle-market and SME companies. The data indicates that over 25 percent of these companies do not have multifactor authentication (MFA) for backups, and 15 to 20 percent also lack MFA on corporate emails and domain admin emails. More than 40 percent do not have backups stored at a secondary data center. Controls such as these are fundamental to effective cyber-risk management, and their absence could render these companies effectively uninsurable, despite the market being broadly favorable for finance and insurance companies. Companies lacking these basic controls should move to fill these gaps as soon as possible.

Global and enterprise clients perform better on these fundamental controls, although — again — there is more they can do to effectively manage risks. Almost half of these companies, for example, do not yet scan 100 percent of the enterprise for cyber vulnerabilities.


Top 10 Critical Red Flags | 2024 Financial Institutions and Insurance - Global & Enterprise


Globally, fewer than 5 percent of ransomware attacks appear to have targeted financial services companies,[6] a significantly lower percentage than for many other industries. This comparatively small number of attacks is likely explained by the industry’s greater degree of sophistication in managing cyber risk.


Key Observations | 2024 Financial Institutions and Insurance - Ransomware Victims by Sector (Threat Intel)


Now What? Action for Finance and Insurance Organizations

While finance and insurance companies are generally further along on managing risk than those in other industries may be, there is still room for improvement. In addition, companies continue to vary considerably on their progress. Those looking to decrease risk exposure — as well as improve the terms of their cyber-insurance policies — should consider action across these five areas among others they may deem appropriate for their individual organization.

  1. Invest in Cyber Resilience: Many companies are considering pulling back from major investments as a result of economic uncertainty, but they could face challenges if they defer investments related to managing cyber risk. Instead, companies need to continue to build — and keep investing in — cyber resilience. Customer and regulatory demands are becoming ever more stringent, and successful organizations will need to continue to meet or exceed those standards. At the same time, threat actors are always searching for new ways into an organization. Companies will need to identify and manage weaknesses. Unpatched vulnerabilities, for example, are an easy way for diligent attackers to access a company’s systems, with these risks increasing as AI continues to become more sophisticated. Email and phishing once provided the primary entry point, but as many organizations deploy MFA, attackers have pivoted to compromising business emails and other strategies.
  2. Map and Manage Third-Party Risks: In a breach, it is important to understand who is responsible for response and recovery. Companies should ensure they have a full and up-to-date understanding of third-party vulnerabilities and undertake regular scenario planning related to third-party cyber events. Organizations will also need to ensure that they have a risk transfer program to help mitigate the effects of a cyber event by protecting the balance sheet and alleviating issues arising from income loss.
  3. Optimize Cyber Insurance: Cyber insurance should be considered an integral part of the organization’s approach to managing cyber risk. Instead of thinking about cyber risk as a technology issue or merely an insurance issue, companies should approach these risks from an enterprise point of view. Cyber-insurance solutions should be adapting to reflect the shift that financial institutions are making to become joined-up technology-driven businesses. With that in mind, companies may find that they have more than one option to transfer and manage cyber risk. It may make sense to transfer a portion to the cyber-insurance market, but companies should also consider alternative risk retention or self-insurance financing strategies, in addition to continued upgrading of processes and controls.
  4. Prepare for Ransomware Attacks: Ransomware attacks can wreak havoc on operations, causing significant financial and reputational damage, and both insurers and regulators are increasing their scrutiny in this area. Companies should act now to put the best tools, processes and other resources in place to build better resilience to these attacks. They should also test those defenses regularly, including developing the ability to help remediate damage effectively and quickly. Ensuring quick access to clean backups will also be vital.
  5. Track Ongoing Regulatory Developments: Complying with the EU’s Digital Operational Resilience Act (DORA) remains a major focus across Europe.[7] For many companies, this legislation means going beyond check-box compliance and conducting regular assessments across technical defenses, control maturity, financial impact and insurability. However, simply complying with existing legislation is not sufficient. Given regulatory uncertainty in the U.S. and variations in the extent of DORA implementation across European countries,[8] companies will also need to keep a close eye on both regulatory developments and the impact that these may have on their business.

References

[1] Global Financial Stability Report: The Last Mile: Financial Vulnerabilities and Risks, International Monetary Fund, April 2024, https://www.imf.org/en/Publications/GFSR/Issues/2024/04/16/global-financial-stability-report-april-2024.

[2] “US regulator OCC says its executives’ emails were hacked,” Reuters, April 8, 2025, https://www.reuters.com/technology/cybersecurity/us-regulator-occ-notifies-congress-major-security-breach-2025-04-08/.

[3] Ninth Edition: Global Risk Management Survey, Aon, 2023/2024, https://www.aon.com/en/insights/reports/global-risk-management-survey.

[4] Joe Toppe, “Most top insurer data breaches result from third-party attacks,” PropertyCasualty360, February 7, 2025, https://www.propertycasualty360.com/2025/02/07/most-top-insurer-data-breaches-results-from-third-party-attacks/.

[5] CyQu Enterprise Edition response data analysis for 2024, Aon.

[6] According to both Aon Intelligence team analysis of information posted on ransomware leak sites on the dark web and Aon Access Claims data.

[7] “Digital Operational Resilience Act (DORA),” European Insurance and Occupational Pensions Authority, accessed May 30, 2025, https://www.eiopa.europa.eu/digital-operational-resilience-act-dora_en.

[8] Javvad Malik, “Exploring the Implications of DORA,” Information Security Buzz, April 8, 2025, https://informationsecuritybuzz.com/exploring-the-implications-of-dora/.


