Aon plc - (AON)
10-K Filing Date: February 16, 2024
Item 1C. Cybersecurity
Aon has from time to time experienced cybersecurity incidents. In the event of a cybersecurity incident, Aon responds in accordance with our policies, processes, and applicable laws and regulations. When necessary, Aon also engages third parties, such as external cybersecurity advisors, to investigate and remediate incidents. To date, these cybersecurity incidents have not had a material impact on our business strategy, results of operations, or financial condition. For additional information regarding the risks from cybersecurity threats, please see the risk factors entitled “We rely on complex information technology systems and networks to operate our business. Any significant system or network disruption due to a breach in the security of our information technology systems could have a negative impact on our reputation, operations, sales and operating results” and “Improper disclosure of confidential, personal, or proprietary data could result in regulatory scrutiny, legal liability, or harm to our reputation” in Part I, Item 1A of this report.
Aon strives to protect the personal and confidential data of our clients and our colleagues. To do so, Aon engages in a risk-based approach to adopting and implementing technical, organizational, administrative, and physical safeguards for cybersecurity. One key component to safeguard against risks facing Aon’s technology and security is Aon’s enterprise risk management (“ERM”) program. Aon’s management carries out the processes, controls, and practices of the Company’s ERM program, including the identification, assessment, prioritization, and mitigation of cybersecurity risks.
The Company’s Board of Directors (“Board”) oversees Aon’s ERM program and allocates certain oversight responsibilities to its committees and any sub-committees, as appropriate. The Board has delegated to the Audit Committee the primary responsibility for the oversight of the Company’s ERM program. The Audit Committee also has primary responsibility for the oversight of cybersecurity risk and engages in regular discussion with management regarding cybersecurity and privacy risk mitigation and incident management. Cybersecurity matters are an important focus of our Board’s oversight of risk. The Company’s management, including the Chief Security Officer (“CSO”), regularly presents to the Audit Committee of the Board regarding cybersecurity matters. In addition, members of senior management attend Board and committee meetings to address any questions or concerns raised by the Board related to risk management, including relating to cybersecurity, and any other matters.
In addition, Aon maintains a Global Security Services (“GSS”) organization, led by the CSO, with dedicated security personnel responsible for protecting Aon’s people, property and information. Aon’s CSO reports to Aon’s Chief Operating Officer and is an experienced technology and cybersecurity professional, with over 20 years’ experience in information security and technology.
The Company’s Global Emergency Operations Center (“GEOC”) serves as a single point of control, coordination, and communication for protecting Aon's people, property, and information. The GEOC is responsible for triage of all incidents pertaining to the confidentiality, integrity, and availability of customer data. The GEOC monitors threat intelligence reporting and receives alerts and reports from Aon colleagues and IT systems. In coordination with the Global Privacy Office (“GPO”) and GSS, the GEOC reports significant cybersecurity incidents to the Cyber Incident Governance Committee (“CIGC”).
The CIGC is comprised of members of management, and is responsible for reviewing significant cybersecurity incidents. The CIGC includes the CSO, the Chief Privacy Officer (“CPO”), and other representatives from the Company’s GPO and GSS, as well as leaders from the Company’s operations, risk management, law & compliance, controllership, internal audit, and communications functions. The CIGC reviews and assesses cybersecurity incidents and is responsible for coordinating the mitigation and remediation of such incidents.
The Company regularly conducts security scanning and reviews of regulatory IT controls (including Sarbanes-Oxley controls). Additional security reviews may be triggered in connection with the assessment of new projects, business initiatives, or third-party/supplier engagements. The Company’s Internal Audit function follows a risk-based approach to evaluating controls over key enterprise risks, including cybersecurity, as well as compliance with select regulations and corporate policies.
Aon has established a third-party risk governance program that creates guidelines for selecting and managing its suppliers, including assessment of their operational capabilities, adherence to the Company’s data security requirements, and technical, organizational, and physical safeguards. Contractual requirements and periodic reviews are designed to promote compliance with Aon’s security requirements. Aon’s GPO and Law & Compliance Department work with business units to incorporate appropriate controls into supplier contracts.
The Company’s controls align to the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework. This does not imply that we meet all of the framework’s technical specifications or requirements at all times, but rather that the framework helps us identify, assess, and manage cybersecurity risks relevant to our business.
We use the aforementioned risk-based approach to cybersecurity to promote accountability for all of our functions across our businesses as well as our third parties to monitor for and prevent any adverse consequences from cybersecurity risks. These risks are continuously evolving, and our program is designed to evaluate these risks on an ongoing basis.