Lack of Integrated View On Cyber Risk Management In Companies A Major Concern

The best engagement that can drive divergent stakeholders to a convergent opinion on prioritization of cyber risks happens using the financial metrics, says Adam Peckman, Aon’s Global Head of Cyber Risk Consulting.

As India’s digital economy accelerates, the country’s risk landscape is becoming increasingly interconnected. Aon’s Global Risk Management Survey (GRMS) 2025 highlights that Indian businesses now rank cyberattacks and data breaches as their top current and emerging risks, underscoring how cyber risk has evolved into a key business and financial concern.

Adam Peckman, Aon’s Global Head of Cyber Risk Consulting, spoke with FE CIO about the financial metrics for quantifying cyber risks and the strategies to manage them.

Edited Excerpts:

AI-driven cloud growth is reshaping infrastructure while amplifying cyber and operational risks, making active risk management essential. From an Indian perspective, what has the traditional risk management approach been?

According to our client surveys, about 78 to 80 percent of them are using generative AI. The same holds for India too. Accordingly, they're scaling up cloud computing for the compute power to run. Then there's an operational technology aspect to all of this too. 

Within our global risk management survey, cyber remains the number one risk. AI for Indian companies and Indian business leaders is one of the top 10 risks emerging within the next three years. There's an acceptance that cyber and these emerging technology risks are important.

Currently, the risk perception is distributed across the organisation. There's no consistent view about the biggest risks which is why the claims data and cyber risks were up in this region – 29 percent in 2024. Within the global risk management survey, 14 percent had suffered material losses. So the claims data is going up, suggesting that more companies are being impacted by these cyber risks. The problem is they're probably paying a lot towards the impact from that risk off balance sheet, taxing future capital investment that should be going toward digital acceleration, transformation, and reinvesting to fight fires caused by some of these cyber risks.

I think the challenge is that we still see a disconnect between how these risks are measured and managed technically, and how they're understood and positioned with a non-technical, senior audience. As experimentation, innovation, and adoption of AI accelerate, dependencies deepen and systemic risk increases, but there is still a disconnect in how this risk is reported and escalated to leadership. This makes it harder for leaders to decide how much risk they are willing to take and how much to invest in technology and operational risk mitigation. It also complicates decisions on the right use of contracts and insurance to hedge the business against potential volatility.

As a result of the disconnect, the financial quantification of risks is only adopted by 12.3% of companies in the region. 

What level of maturity do you see in cyber risk management handling in the Indian market?

We are seeing maturation in how companies in India are approaching risk management as 70 percent of organizations now have formal risk management functions. 

About 47 percent of organizations have board-level oversight of risk-management-related aspects, which trails the global average, suggesting more needs to be done.

Companies thus should ponder the role of cyber insurance. They continue to invest in digital transformation, AI adoption, etc. However, there is a misallocation of capital if companies aren't measuring the risk and then transferring that risk using insurance efficiently.

Companies are working against themselves by suffering a loss and then paying off the balance sheet, or out of capital investment that should be going to greater AI adoption. According to data, companies are not investing enough in cyber insurance. Insurance adoption is only covering about 17 percent of the digital assets.

What kind of stakeholder collaboration needs to happen on the various aspects of cyber risk management between the captain of the ship -- CRO with other CXOs like CEO, CFO, CIO, and CTO?

Cyber risk is not an IT issue. It is distributed across the organization. It has a legal aspect, in terms of contracts and regulations, and an operational one too, because technology is so ubiquitous across production, supply chain, go-to-market distribution and everything else, including the operational technology (OT).

On top of that, AI is now going to become so ubiquitous in how businesses are trying to reimagine how they operate in the future. This will only amplify how cyber is distributed across the organizations.

The challenge is, as everyone rushes to use AI, accountability needs to be fixed on who owns social engineering and deepfake risks within an organization. We see the rise in the number of claims for social engineering and deepfake attacks. The cyber claims are up 233 percent. Now, is that an HR issue, a cyber and security issue, or an IT issue? Who owns that? So this is the distributed nature of the problem that needs an integrated solution.

What’s the challenge in quantifying the cyber risks that companies are facing?

The reason why it's so distributed and hasn't been as well integrated is because everyone measures and manages cyber risk through silos. 

Legal and compliance will have their individual assessment. The technology team, in terms of total cost of ownership, will have a view of the crown jewels. Security will view the risk differently. Operations views it in terms of throughput, downtime, quality assurance, etc.

What we are advocating is to have an integrated view on cyber risk management, by using financial metrics to understand what the most important risks are.

Because if a consensus is arrived at that here are our top 10 cyber risks that we face as an organization, these are the technical aspects, but here are the financial aspects, in terms of what the financial cost is to our organization and what the balance sheet exposure is that we face, the dialogue will suddenly drive a lot of convergent thinking about what the priorities are and who owns them.

We have seen the best engagement, which can drive divergent stakeholders to a convergent opinion, happens using the financial metrics to create prioritization. But only 12.3 percent of companies are doing that. 

Discuss some financial metrics that companies should agree upon as far as cyber risk quantification is concerned?

At Aon, we have a model that looks at the six key potential cyber-risk-related events that can result in losses for any company: the crisis expenses and incident costs. For example, companies are critically dependent on cloud computing or an application provider. When they go offline, it impacts their production or distribution processes. The first cost bucket, therefore, is the incident management and crisis management costs. The companies usually pay them out of pocket to manage the initial response to the event.

The second is the business continuity costs incurred after, say, a data breach or accidental outage. The affected company needs to take their systems offline because of a dependency on a third party cloud provider.

The third component would include the direct financial exposure and the associated reputational loss. In case a company is unable to transact with customers, take bookings, or send goods to retail outlets, or has a data breach, what is the impact in terms of the actual income loss associated with it?

The last three are predominantly third-party liabilities associated with any event.

The next would be the legal costs. So the company would start involving legal advisors to speak to regulators, impacted customers or data subjects or partners, which involves costs.

Then there could be the actual regulatory costs. This is particularly relevant in light of the Digital Personal Data Protection Rules, 2025 (DPDP).
