This is article part 3 of 14 in this report.

April 30, 2025

Raising a Red Flag: Cyber Risk Controls and Insurability

Key takeaways

  1. Aon clients who invested in security controls reported a significant 9 percent improvement in critical — or “red flag” — controls. This may impact insurability.
  2. Cyber insurance carriers moved towards a more holistic view of cyber risk resilience.
  3. Prioritization of controls and red flags continued to change in 2024, with privacy-oriented, third-party and supply chain controls emerging as new areas of interest for insurance.

Security measures and frameworks continue to be mission-critical in the battle against cyber threats, and organizations across sectors continued to invest in and improve their critical controls over the course of 2024.

At the same time, insurance carriers have become more sophisticated in risk underwriting, requesting less information than before. Where insurers might have looked at a weak control a few years ago and taken a firm position, this was no longer the case. Instead of the long-established approach, in which having control “X” mechanically produced result “Y,” carriers became more focused on the overall cyber maturity profile and proved more receptive to accepting an organization’s narrative around specific controls. This approach rang true with larger, more mature organizations, as many insurers accepted updates on security road maps and confirmation that controls were in place without scrutinizing evidence that controls were tested and effective. This new climate that emerged in 2024 was driven in part by intense global cyber insurance market competition and is expected to continue into 2025.

Despite the changing requirements for cyber insurance, global data indicates that organizations continue to invest in cyber security. Aon client organizations that invested in cyber security control improvement demonstrated robust preparedness against cyber threats, reporting a 9 percent improvement in critical — or “red flag” — controls that may impact insurability.

[Figure: Renewal Clients Red Flags by Industry]

* The ‘Other Industries’ category represents responses from clients in the following industries: Financial Sponsors; Food, Agribusiness & Beverage; Hospitality, Travel & Leisure; Insurance; Life Science; Natural Resources; Sports & Entertainment.

Notable improvements were reported by the financial (21 percent), professional and business services (12 percent) and industrial and manufacturing (11 percent) sectors. Clients also stated improvement in operational technology (OT) red flags, with a 7 percent increase. Notably, OT environment segmentation, multi-factor authentication (MFA) for employee remote access to OT, and endpoint detection and response in the OT environment all improved.

[Figure: All Clients Operational Technology (OT) Red Flags]

These improvements show that organizations are thinking across the whole enterprise, fortifying defenses against external access and exploitation and increasing their ability to detect cyber events rapidly.

Privacy-Oriented Controls: A Growing Priority

Despite overall cyber security improvements, significant breaches persisted across 2024, exploiting weaknesses such as weak MFA controls and insufficient third-party diligence. As risks change dynamically and threat actors shift their tactics, controls remain a moving target. The prioritization of different security controls continues to evolve, often leaving organizations uncertain about where to focus security investment. A data-driven analysis mapping security controls to risk can help illuminate potential exposure to loss.

Privacy-oriented controls emerged as a focus for insurance carriers in 2024. This shift is in response to the increasing legal scrutiny of how insured entities handle personal information. This scrutiny was particularly noticeable in the U.S., where data breaches have led to multi-plaintiff or class action lawsuits.[1] These lawsuits piled up in 2024 in response to numerous healthcare breaches, alleging violation of patient privacy rights, including sharing data with third parties.[2] As new technologies such as AI emerge, class action lawsuits are evolving. Companies are also facing a new cyber threat based on “pixels,” code embedded in webpages or mobile apps by third-party providers to collect information about a user’s interactions.[3]

Regulatory shifts also play a significant role in shaping the focus on privacy. More states across the U.S. are working to pass laws and regulations that emulate both the California Consumer Privacy Act (CCPA) — which protects consumers’ data privacy and security, including from cyber attacks, fraud and mistakes — and the European Union’s Digital Operational Resilience Act, which requires financial institutions to incorporate data protection and privacy risks into their overall Information and Communication Technology risk assessments.[4]

Recommended Actions

  • Work with your cyber insurance broker to review controls and claim sources. Control improvement helps to reduce claim frequency and severity and helps build cyber risk resilience.
  • Conduct a data-driven analysis of your organization’s cyber risk posture to inform decision-making about security investments. Understand controls from both a risk and an insurability perspective.
  • Develop an action plan to address critical risks that could increase your organization’s likelihood of being attacked. In particular, build resilience in privacy and third-party cyber security.

References

[1] Joseph Yenouskas and Levi Swank. Emerging Legal Issues in Data Breach Class Actions. American Bar Association, Business Law Report. July 17, 2018.

[2] Class Action Lawsuits Pile Up After Healthcare Data Breach. The HIPAA E-Tool. February 11, 2025. https://thehipaaetool.com/class-action-lawsuits-pile-up-after-healthcare-data-breach/

[3] Ian M. Ross and Sidley Austin. Pixels and Privacy: A New Wave of Class Action Litigation. LAW.COM. March 15, 2024.

[4] Digital Operational Resiliency Act. European Insurance and Occupational Pensions Authority.


Insurance products and services are offered by Aon Risk Insurance Services West, Inc., Aon Risk Services Central, Inc., Aon Risk Services Northeast, Inc., Aon Risk Services Southwest, Inc., and Aon Risk Services, Inc. of Florida, and their licensed affiliates.

The information contained herein and the statements expressed are of a general nature, not intended to address the circumstances of any particular individual or entity and provided for informational purposes only. The information does not replace the advice of legal counsel or a cyber insurance professional and should not be relied upon for any such purpose. Although we endeavor to provide accurate and timely information and use sources we consider reliable, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future.
