• United States



Clint Boulton
Senior Writer

Aon beefs up its cyber insurance portfolio with acquisition

Nov 08, 20164 mins
IT LeadershipSecurityTechnology Industry

The risk management firm has acquired Stroz Friedberg, which AON says will help it better meet clients’ requirements for managing their responses to cyberattacks.

cyber insurance primary2
Credit: Thinkstock

Cyberattacks against Target, Home Depot, Sony and several other large companies have galvanized what was a formerly niche cyber insurance market. As a result of those high-profile breaches, corporatedemand for policies that hedge against hackers has soared.

Seizing on this opportunity, Aon last month acquired Stroz Friedberg, adding incident response and other capabilities to its portfolio of cybersecurity assessment and risk transfer services. Aon further plans to round its portfolio with risk analytics, sentiment analysis and vendor partnerships.

“[Stroz’] incident response capabilities are the gold standard in the market,” says John Bruno, Aon’s CIO and executive vice president of enterprise innovation. He says Stroz, perhaps best known for helping the likes of Sony and Yahoo mitigate damage from breaches, will enable Aon to help clients mitigate cyber incidents more rapidly, which has a direct correlation on reducing claims.

“Those that practice the best in hygiene, preparation and response have an opportunity to reduce the severity of the incident because they reduce the time in which an attacker is inside,” Bruno says.

Why it’s important to hedge against cyber risk

Aon’s bid for Stroz comes in a market that is maturing rapidly because of the increased intensity of attacks, which have triggered mandatory data-breach reporting laws. Allianz forecasts that cyber insurance premiums will grow globally from $2 billion annually to over $20 billion over the next decade.

Although 60 vendors offer cyber insurance of some sort, none currently account for every type of intrusion, data loss or contingency associated with a cyberattack. Forrester Research says organizations will need to “build towers of insurance,” establishing relationships with several carriers to build sufficient coverage.

Aon targeted Stroz to fill some of its own gaps. Bruno says that adding penetration testing, incident response and digital forensics to Aon’s assessment and risk transfer services will help clients halt data loss and repair harm to the corporate reputation.

Stroz will also help Aon close the chasm between CFOs and risk managers’ understanding of the value of cyber insurance — which experts say is sorely lacking — because the company is credible among many enterprise general counsels and CISOs. Bruno says that when an Aon client’s CISO or CIO joins the risk manager in a sales engagement, the close rate happens twice as fast as it does when only no IT managers are involved. “We have to educate the risk managers – it’s our responsibility,” Bruno says.

And as companies purchase more cyber policies it will launch a reinsurance market, generating a new revenue stream for Aon, which could offer cyber bonds, similar to how reinsurers offer catastrophe bonds to mitigate risk from natural disasters.

Next stop: real-time analytics

Bruno says Aon may acquire more companies as it seeks to add real-time data analytics capabilities to anticipate attacks or address them asthey are happening, automating what has traditionally been a manual assessment process. Bruno says this will become more critical as the internet of things expands into more industries.

Another big focus for Aon includes using sentiment analysis capabilities to anticipate actions of a rogue employees who may show patterns of becoming disgruntled over time. Perhaps no incident is more famous than former NSA contractor Edward Snowden pilfering classified documents and sharing them online.

“People don’t wake up one-day and decide to go rogue,” Bruno says. “It usually happens over a period of time and are there ways and things that we can, through behavioral sciences, data and analytics, and sentiment analysis …” doto preempt bad actors.

Bruno also says Aon aims to partner with large vendors such as Symantec, Hewlett Packard Enterprise, Cisco, IBM and Microsoft, to certify their technology for insurability. Ideally, this would make it easier for CIOs unaccustomed to purchasing cyber policies to embrace a solution.

“If they deploy in a certain way and work in a certain framework we can bring their clients cover they might not have otherwise,” Bruno says.

Stroz’ more than 550 employees will join Aon, which has created a Cyber Risk Management Advisory Group. Stroz CEO Michael Patsalos-Fox will become the CEO and co-chair of Aon’s Cyber Solutions Group. Bruno will join Patsalos-Fox as co-chair of this new group.