This is article part 11 of 15 in this report.
May 9, 2025
North America – Cyber Risk Maturity Grows Amid Systemic Cyber Events

Key takeaways
- Cyber risk insurance claims rose 22%, while ransomware claims payouts declined 77%. The insurance industry had a strong wake-up call but proved immune to the systemic cyber events of the year.
- Payment trends and preparedness placed insureds in a more resilient position despite the continued impact of ransomware. The complexity of supply chain risk persisted, and privacy risk ticked up amid an increasingly litigious environment.
- Insurer confidence was restored in most industries and on average, U.S. buyers achieved a 7% premium decrease in Q1 2025, while Canadian clients saw a 15% decrease. Underwriting rigor became more established, and clients made great strides improving critical — or red flag — security controls and domains.
Systemic cyber security events across North America demonstrated the compounding risk associated with growing technology interdependencies and how quickly a cyber event can impact entities. [2] The World Economic Forum identified supply chain interdependencies as a leading factor in the increasing complexity of cyberspace in 2025. [3] The ransomware breach of a significant U.S. healthcare payments technology provider involved the private data of approximately 190 million individuals. The glitched CrowdStrike Cloud software update caused more than 8.5 million systems to crash, disrupting operations worldwide for days and impacting commercial flights, hospitals, and financial services. [4] These major events contributed to rising cyber insurance claims across the year. Aon’s U.S. Cyber Solutions broking data revealed 1,228 reported incidents across broking clients in 2024, or an increase of 22 percent, and cyber incident or litigation represented most claims with a rise of 31 percent.
Despite the turbulence of systemic cyber events and rising claims, the financial impact on the insurance industry was less severe than it could have been, owing to purchasing trends, program structure changes and business continuity measures by insureds. However, the industry is on alert. The past year’s series of events amounted to near misses and could have been devastating. These events provided a great lesson on what risks the insurance industry — and organizations — must manage.
Cyber Insurance Market Competition Intensifies
Organizations across North America took cyber risk very seriously in 2024. According to data from Aon’s Cyber Quotient Evaluation (CyQu), our eSubmission platform, clients saw improvements in their risk scores across key domains. Insurer confidence was restored in many industries as clients took deep dives into critical — or “red flag” — security controls and domains. For both the U.S. and Canada, the strongest cyber security domain in 2024 was endpoint security, which comprises penetration testing, network environment and network capacity. Application security and third-party security were the two lowest-scoring domains.
Cyber Domains | 2024 North America Data
Overall Risk Score: 2.78

Highest Scoring

| Domain | Domain score | Control | Control score |
|---|---|---|---|
| Endpoint Security | 3.04 | Endpoint Protection | 3.17 |
| | | Logging & Monitoring | 3.15 |
| | | Secure Config. | 3.00 |
| Network Security | 2.99 | Pen Testing | 3.31 |
| | | Network Environ. | 2.96 |
| | | Wireless | 2.89 |
| Access Control | 2.96 | Password Config. | 3.13 |
| | | MFA | 3.00 |
| | | Access Mgmt. | 2.86 |

Lowest Scoring

| Domain | Domain score | Control | Control score |
|---|---|---|---|
| Application Security | 2.31 | Software Mgmt. | 2.19 |
| | | Training | 2.34 |
| | | Secure Dev. | 2.42 |
| Third Party | 2.36 | Due Diligence | 2.17 |
| | | 3rd Party Contracts | 2.45 |
| | | 3rd Party Inventory | 2.91 |
| Business Resilience | 2.66 | BCM/DR | 2.56 |
| | | Backup | 2.71 |
| | | Incident Response | 2.72 |

CyQu Risk Maturity Scoring
- Initial: 1.0 - 1.9
- Basic: 2.0 - 2.5
- Managed: 2.6 - 3.4
- Advanced: 3.5 - 4.0

Cyber Domains | 2024 Canada Data
Overall Risk Score: 2.66

Highest Scoring

| Domain | Domain score | Control | Control score |
|---|---|---|---|
| Endpoint Security | 3.01 | Pen Testing | 3.35 |
| | | Endpoint Protection | 3.05 |
| | | Network Capacity | 2.78 |
| Endpoint Security | 2.96 | Endpoint Protection | 3.13 |
| | | Logging & Monitoring | 3.13 |
| | | Vulnerability Mgt. | 2.84 |
| Remote Work | 2.91 | Remote Connectivity | 3.40 |
| | | Authentication & Identity | 3.16 |
| | | Device Vuln. & Monitoring | 2.81 |

Lowest Scoring

| Domain | Domain score | Control | Control score |
|---|---|---|---|
| Application Security | 1.99 | Training | 1.87 |
| | | Software Mgmt. | 2.01 |
| | | Secure Dev. | 2.03 |
| Third Party | 2.14 | Due Diligence | 1.94 |
| | | 3rd Party Contracts | 2.27 |
| | | 3rd Party Inventory | 2.65 |
| Business Resilience | 2.57 | BCM/DR | 2.39 |
| | | Backup | 2.58 |
| | | Incident Response | 2.74 |

Critical controls also improved. Seven percent of clients improved the target time for critical patching, moving from more than seven days to three-to-seven days, and noticeable growth was reported in disaster recovery/backups and multi-factor authentication (MFA).
Notably, the impact of ransomware diminished in 2024. The global average ransomware payment amount declined by 77 percent compared to the same period in 2023, as more robust security controls and business continuity planning made it more difficult for attackers to deploy successful attacks. We also saw more organizations withhold ransomware payments, instead engaging with the event. Meanwhile, insurers became more confident in underwriting ransomware risk. The industry’s response to the growing supply chain risk in 2024 was also proactive, and Aon clients invested in modeling their cyber exposure across vendors. However, due to its complexity, third-party risk continued to hold its position as one of the lowest-scoring risk domains for Aon clients in the U.S. and Canada.
As organizations strengthened their controls, competition soared across the cyber insurance industry. Despite the increase in claims frequency in 2024 and poor loss development on 2023 claims, buyers’ market conditions continued through the year in a well-capitalized and competitive environment. On average, U.S. buyers achieved a seven percent premium decrease in Q1 2025.
2020–2025 Cyber Premium Changes by Quarter
Average Year–over–Year Change (Same Clients)
The Canadian market saw accelerated softening through 2024 and ultimately realized a 15 percent decrease year-over-year. Insureds became more sophisticated, harnessing cyber modeling to evaluate their purchasing decisions, determine the appropriate limit levels, and protect their balance sheets. Aon saw 25 percent of clients purchase additional limits in 2024.
Reports of abundant and alternative capacity in North America led to a favorable January 2025 cyber reinsurance cycle, indicating that buyer-friendly market conditions will likely continue.
Volatility Heightens and Insurers Act
With intense geopolitical volatility marking the start of 2025, cyber risk is anticipated to continue to heighten. In March, the U.S. announced the pause of offensive cyber operations against Russia by U.S. Cyber Command, rolling back some efforts to contend with a key adversary even as national security experts call for the U.S. to expand those capabilities. [5] China’s espionage and intelligence collection capabilities reached an inflection point in 2024 [6] and, among nation-states, China-nexus activity surged 150 percent overall, with some targeted industries suffering three to four times more attacks than the previous year. [7] This risk environment puts substantial pressure on the insurance industry and organizations to respond.
Insurance companies are expected to bolster investment in the underwriting process and risk modeling to better understand the risk ecosystem and potential exposure. Privacy liability is another risk that insurers and organizations alike must manage. The recent cyber security incident involving an education technology company resulted in the unauthorized exfiltration of certain personal information of minors and the disclosure of millions of student records. [8]
Privacy Liability and Supply Chain Risk Come to the Forefront
In the U.S., multiple instances have occurred where settlements went north of $30 million because of a failure to properly protect customer data. [9] We are beginning to see a more punitive climate, and while this is not seen to the extent present in the U.S., Canada is not exempt from this trend. In previous years, courts across Canada exercised their gatekeeping role to halt data breach class actions that lacked evidence of harm to the proposed class members. [10] This tide is shifting. Common allegations in new class action filings in 2024 ranged from misuse of information to a lack of protections for children and teenagers who use online services. Canadian courts are continuing to consider and grapple with potential new privacy torts. [11]
Insurers must be mindful of this situation and consider policy structure changes such as advising clients on additional coverage as settlement values climb. Strengthening technology strategies and controls around privacy or data breaches and knowing where the data sits — and classifying that data — is critical. It is ever more important that cyber, marketing and legal teams align to understand the risk better and prepare to manage and respond to an incident in compliance with regulatory frameworks. A subset of class action lawsuits will likely emerge as new technologies, such as artificial intelligence, emerge. These lawsuits are already happening with companies facing a new cyber threat based on “pixels,” the code placed on a webpage or an online advertisement to collect information about a user’s interaction. [12]
Recommended Actions
- Use data analytics and risk modeling to make informed decisions around investment in security controls, business continuity planning and cyber insurance purchasing.
- For insureds — evaluate your cyber insurance policy and take advantage of ripe market conditions. Consider supply chain and privacy risk exposures.
- For insurers — ensure stability of your portfolio as uncertainty prevails. Consider long-term rate agreements, auto-renewals, and above all, partnership between client and insurer.
References
[1] $45 Million MGM Settlement Resolves Data Breach Lawsuits Over 2019, 2023 Cyber Attacks. ClassAction.org. Kelsey McCroskey. February 20, 2025.
[2] Key Market Trends: Growing Cyber Claims Frequency, Ransomware Dominance, and Declining Payouts. Aon Risk Report. Aon. June 2025.
[3] 5 risk factors from supply chain interdependencies in a complex cybersecurity landscape. World Economic Forum. Akhilesh Tuteja. January 31, 2025. https://www.weforum.org/stories/2025/01/5-risk-factors-supply-chain-interdependencies-cybersecurity/
[4] Raphael Yahalom. What the 2024 CrowdStrike Glitch Can Teach Us About Cyber Risk. Harvard Business Review. January 10, 2025.
[5] Hegseth orders suspensions of the Pentagon’s offensive cyberoperations against Russia. AP News. Lolita C. Baldor and David Klepper. March 3, 2025.
[6] CrowdStrike 2025 Global Threat Report. CrowdStrike. February 2025. https://www.crowdstrike.com/en-us/
[7] Ibid.
[8] PowerSchool data breach exposes student records in massive cyber-security incident. ETIH. The Future of EdTech. Emma Thompson. February 5, 2025. https://www.edtechinnovationhub.com/news/powerschool-data-breach-exposes-student-records-in-massive-cyber-security-incident
[9] $45 Million MGM Settlement Resolves Data Breach Lawsuits Over 2019, 2023 Cyber Attacks. ClassAction.org. Kelsey McCroskey. February 20, 2025.
[10] Canadian privacy class actions evolve beyond traditional data breaches. Osler. Robert Carson. January 11, 2023. https://www.osler.com/en/insights/updates/canadian-privacy-class-actions-evolve-beyond-traditional-data-breaches/
[11] Canadian privacy class actions evolve beyond traditional data breaches. Osler. Robert Carson. January 11, 2023. https://www.osler.com/en/insights/updates/canadian-privacy-class-actions-evolve-beyond-traditional-data-breaches/
[12] Pixels and Privacy. A New Wave of Class Action Litigation. LAW.COM. Ian M. Ross and Sidley Austin. March 15, 2024.
Insurance products and services are offered by Aon Risk Insurance Services West, Inc., Aon Risk Services Central, Inc., Aon Risk Services Northeast, Inc., Aon Risk Services Southwest, Inc., and Aon Risk Services, Inc. of Florida, and their licensed affiliates.
The information contained herein and the statements expressed are of a general nature, not intended to address the circumstances of any particular individual or entity and provided for informational purposes only. The information does not replace the advice of legal counsel or a cyber insurance professional and should not be relied upon for any such purpose. Although we endeavor to provide accurate and timely information and use sources we consider reliable, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future.