The Cyber Loop: Why The Path To Cyber Resilience Is Not Linear

Jump to Section:


$3.9 million. That’s the average cost of a data breach.

And it’s a widely recognized risk. Cyber security was number six in the top 10 global risks in this year’s Aon Global Risk Management Survey – and it was the top concern in North America.

The risk is recognized for good reason: 48 percent of companies surveyed in Ponemon Institute’s 2019 Intangible Assets Financial Statement Impact Comparison Report say they have suffered a data breach that caused disruption to business and IT operations.

Yet despite these warnings, Aon cyber experts have seen that an organization’s first attempt to address cyber risk is generally at the worst possible time – right in the middle of experiencing a cyber attack. Aside from the immediate costs stemming from a breach, the long-term impact on a brand’s reputation and loss of consumer trust can be irreparable.

“We know from working with our clients on their most critical risk issues that cyber risk is a priority for boards, the C-suite and business leaders,” says Chad Pinson, president of engagement management and incident response at Aon Cyber Solutions. “Yet when it comes to solving the problem, the long-term, multifaceted nature of achieving cyber resilience can leave these leaders scratching their heads.”

That confusion is understandable. The easiest way to get from point A to point B is usually a straight line. But developing cyber resilience isn’t a linear process. Instead, it’s a repetitive, circular one, with several critical stages along the way: risk assessment, risk quantification, cyber insurance and incident-response readiness. “We call that strategy the ‘Cyber Loop,’” says Stephanie Snyder, commercial strategy leader at Aon Cyber Solutions. “Every organization is going to enter this loop at different points.”


Combating cyber risk is a precise science – every organization varies in its level of exposure and stage of preparedness.

“What is unique about cyber risk is that every organization has a slightly different risk profile, even those that are in the same industry,” says Snyder.

Although organizations might enter the Cyber Loop at different points, continuously circling through the stages leads to the best possible outcomes.

However, many organizations enter the Cyber Loop at the incident-response stage – when they’re under attack. “Responding to a cyber event is not an ideal entry point into the Cyber Loop,” says Pinson. “Unfortunately, many companies get forced into it – and after managing the immediate threat, they ask, ‘How do we prevent this from ever happening again?’”

A common challenge to addressing cyber perils is finding quality data on which to base better risk-mitigation decisions. Continuously circling through the Cyber Loop can help organizations gather the right data to inform better decisions, Snyder says.

The Cyber Loop: A Continuous Response To An Evolving Threat

Faced with complex and constantly evolving threats such as cyber risk, organizations should embrace a comprehensive, continuous framework that acknowledges the cyclical nature of the risk.

Adam Peckman, global practice leader at Aon Cyber Solutions, adds that this type of circular framework can lead to other benefits: “A framework like this can help break down organizational silos. It gets teams working together, generating actionable insights to help decision makers improve operational and financial solutions for cyber risk,” he says.

“Building resilience is a continuous process – it’s not linear with a defined start and finish line,” says Pinson. “Cyber risk is not static, so your approach to mitigation can’t be.”