Cyber interconnected with several of risk managers’ top risks

Cyber remains the top risk concerning risk managers, but businesses are still not buying adequate protection through insurance, according to Rory Egan, head of cyber and analytics for Global ReSpecialty at Aon’s Reinsurance Solutions.

Aon’s recent 2025 Global Risk Management Survey showed that cyber risk again topped the global agenda. It remained the number one current and future risk for the third time, based on responses from nearly 3,000 risk and business leaders in 63 countries.

“The survey confirms that, with all the volatility in the world today, cyber is still more relevant than ever as a risk, and for us as brokers,” said Egan. “But the paradox is that the protection gap is ever present in terms of firms’ cyber coverage.”

Numerous recent cyberattacks have highlighted this gap, with Jaguar Land Rover and Co-op reportedly not buying any cyber insurance at all, and Marks & Spencer being significantly underinsured in terms of its limit relative to the loss it had.

“We've established that cyber is pretty high or highest on companies’ agendas – and we can measure that in different ways in terms of the likelihood and also the severity – so why are exposures still not being protected through reinsurance, insurance, any kind of risk transfer, to the same extent that some other apparently less important risks are being addressed?” Egan said.

He added: “I think the reason for this disparity is just time, education and experience, but it is kind of staggering the opportunity we have in terms of the size of the protection gap, given how important the risk is.”

CYBER A FACTOR IN OTHER BUSINESS RISKS

The consequences of cyberattacks were also shown in other risks that were prominent in the survey rankings.

The number two current risk identified by risk managers is business interruption. Cyber is one of the most prominent ways that business interruption can occur.

“It's exactly what happened in some of the high-profile cyberattacks that occurred recently,” Egan said.

Supply chain failure was the number seven risk identified by risk managers, which is another area affected by cyber. The JLR incident also highlighted this issue, with its suppliers out of pocket because of the event.

The number eight risk is reputation damage, an issue that companies including JLR and M&S have dealt with this year after their cyberattacks.

“And bringing artificial intelligence into play now, there's even more possibility for reputation damage through deceptions like deepfakes, and the fact that so many companies are rushing to embrace AI and all the exciting possibilities of that technology.

“In that rush, are they considering appropriate governance? If they're not, potentially negative events can happen, and that can erode confidence in the company, either from the customer point of view or from investors’ perspective as well,” Egan said.

He added: “So there are a lot of examples of how cyber as an interconnected risk should be top of mind for risk managers.”

‘MORE TO DO AS A MARKET’

Egan said a conversation needs to be had about whether risk managers’ biggest risk is being addressed, and whether that is being done adequately.

“That's a much bigger topic than the current pricing situation,” he said.

On the one hand, the high-profile instances of companies with no insurance suffering cyberattacks, which include United Healthcare last year, should serve to heighten awareness of the cover and potentially boost demand.

But, on the other hand, Egan notes that events such as the CrowdStrike and Amazon Web Services outages have not been big insured losses despite causing problems for many companies.

“The carriers from a risk management point of view are really cautious on using features like waiting periods on the business interruption coverages that are most in scope,” he said. “Some events are not really landing, and then there are other events that should have been really within the appetite of insurers, and for whatever reason cedants haven't been buying.

“So there is more to do as a market,” he said.

Egan said that some solutions have been floated such as buying back some of the waiting period, for example offering the six to 12 hours period as a separate product to try to close that gap.

But he said this is hard to do because of the accumulation issue, and it can only be done in isolated pockets.

INTEREST GROWING FOR SURGE STOP-LOSS COVER

On the reinsurance side, one recent solution that Aon has pioneered is a surge stop-loss product that has no event definition. The broker completed its first placement of the product at June 1 for Arch Insurance International.

“This continues to generate a lot of interest among buyers,” said Egan. “We've been showing the surge product to many of our clients, and even though it is an Aon product, we've heard that other brokers are being asked by their clients to create a similar offering.

“So it's a product that can endure, as it's very much solving for a specific area of client need in the market. The traction continues to increase both from buyers and reinsurers that want to become involved in the transactions.”

Egan expects another favourable renewal for cedants at January 1. He said he is starting to see more nuance around innovating within some of the relatively vanilla products.

“Quota share is an area that is becoming more considered, sometimes as a way to address specific sections of portfolios. Overall, we're starting to see a bit more innovation within the traditional product suite,” he said.