Cyber Insurance Protection Gap. Cyber Risk Survey

Munich Re estimates global cyber premiums at approximately $14 bn and expects the cyber insurance market to reach a size of around $29 bn by 2027. Given the continuing trend of more frequent and severe cyber-attacks, the survey indicates that the protection gap is still disproportionately huge.

Munich Re’s survey aim to better understand the challenges the global economy faces when it comes to cyber preparedness and the requirements for appropriate cyber insurance solutions. Global Cyber Risk Insurance report included over 7,500 participants from 15 countries, covering all industries and company sizes.

87% of all C-Level respondents report that their company is not adequately protected against cyber-attacks

Key topics covered included risk awareness, the role of cyber insurance with its cover elements and services as well as threat exposure for both companies and private individuals.

Alongside these developments, vulnerabilities, security gaps and cyber-attacks continue to increase, and our data shows on a global scale, attacks such as ran-somware and data theft have picked up.

Despite a high level of concern, uncer-tainty around protection is high as 87% of surveyed representatives say their own organization is not adequately protected against digital threats. Surprisin-gly this, already high proportion, has actually increased compared to the survey results (83%).

Everyone believes in digitalisation

Digitalisation is rapidly advancing across various business sectors, with nearly all surveyed companies focusing on innovative AI-technologies, cloud services, and data analytics.

These technologies are viewed as highly relevant for the near future by the vast majority of businesses, with only 2% of C-Level executives deeming them irrelevant, a significant drop from 12% in 2022. This shift underscores a growing reliance on advanced technologies.

However, while awareness of risk management measures has increased, it has yet to result in widespread action (see about Generative AI’s Impact on Cyber Threat).

On a positive note, 41% of decision-makers are now considering cyber insurance as a critical component of their risk management strategies. This interest spans multiple sectors, highlighting the universal concern over cyber risks.

Munich Re believes that the insurance industry represents a substantial part of the solution when it comes to cyber risks management, which is why we continue to actively advocate for efforts that help close the large gap between insured losses and economic losses in the field.

Respondents suggest that insurance providers need to enhance transparency, simplify conditions, and make products easier to evaluate. Effective risk management remains essential for cyber insurance and resilience. The ongoing digital transformation is bringing increased complexity, impacting even those not fully prepared.

Cyber risk awareness

According to the survey results, awareness of cyber risks varies considerably across the globe: Respondents from North American and Northern European as well as Australian and some Asian markets are quite concerned about a potential cyber-attack.

Southern European, Latin American, African, and Indian C-Level respondents are highly concerned. The most concerned market in the previous survey wave, India, was superseded by Spain, where 90% of C-Level respondents were concerned or extremely concerned about a cyber-attack.

Spain leads the list of concerned C-level executives with 90%, followed closely by India at 88%, South Africa at 86%, and Brazil at 84%.

This reflects a high level of anxiety regarding cyber threats in these regions. Conversely, Northern Europe, particularly Sweden, shows a markedly different attitude (see how Generative AI Change the Cyber Insurance). Only 35% of Swedish C-level executives express concern or extreme concern about potential cyber-attacks, indicating a more relaxed approach compared to other regions.

Potential cyberattack

The following world map illustrates the varying levels of concern among C-level executives about potential cyber-attacks on their companies:

1. Spain: 90%
2. India: 88%
3. South Africa: 86%
4. Brazil: 84%
5. Sweden: 35%

This data highlights the geographical disparities in cyber threat perception among top executives globally.

On a global average, 72% of C-Level respondents are concerned or extremely concerned. Regarding the company split according to annual revenue the highest level of concern can be constituted for the segment of $200 mn up to 1 bn.

According to Munich Re’s Personal Cyber Insurance survey, only 10% of respondents stated they did not need any precautionary services, and only 12% said they did not require assistive services in the event of a cyberattack.

Cyber threats

Publicly recognised attacks only reflect a fraction of the reality. However, countless low-threshold attacks are targeted against individuals and smaller companies every day. These are barely publicised, but in total cause damage running into the billions of dollars.

Little wonder that the still relatively young “business field” of cybercrime-as-a-service is booming, with the capability to inflict damage on virtually anyone in cyberspace.

For decision-makers it is key to understand the “what, why, and how” of attacks along with any potential exposure they might have – and then to arm themselves effectively through prevention, recovery, and risk transfer.

Companies affected by cyber crime

The survey ranks ransomware as the third most significant threat, yet the Munich Re Cyber Data Analytics Team found it to be the primary cause of cyber insurance losses. This discrepancy prompted the survey to focus more closely on ransomware.

Regarding ransomware attacks, 98% of C-level respondents reported an impact on day-to-day operations: 40% noted an immediate impact, and 25% experienced even more severe immediate consequences. These statistics underscore the substantial threat posed by ransomware.

Which of the following has your company ever been affected by?

Data breach tops the list of attack vectors at 47%, just ahead of online fraud (42%), followed by ransomware (30%). Significantly more than every second company, regardless of size, has already been affected by one of the three attack vectors.

The survey indicates that the impact and damage from ransomware incidents show little variation between small and large companies.

Specifically, 90% of companies with revenues up to US$ 1 million experienced direct negative impacts on their daily operations, often coupled with financial losses.

The status of the economy’s cyber threat defense

On average, 87% of all C-Level respondents surveyed worldwide report that their company is not adequately protected. Given the risk landscape and the frequency and severity of cyber incidents, this self- assessment of C-level participants is thought-provoking (see U.S. Cyber Insurance Generated Underwriting Profits).

The percentage of those who see their organisation as not adequately protected against cyber-attacks ranged from 80% (Italy) to 95% (China and Germany) and has increased almost across the board since the last survey.

Cyber threat defense

The human factor still plays the most important role in the eyes of the respon-dents when it comes to cyber protection and preparedness: unwary employees and too few or inadequately trained staff are the two top reasons, followed by poor integration of security solutions and lack of collaboration between depart-ments. In comparison to our 2022 survey, this sequence remained identical.

Commercial Cyber Insurance: A Growing Opportunity

The potential for growth within the cyber insurance sector remains substantial, as a significant number of risks continue to go uninsured. Despite increasing awareness, the insurance industry needs to intensify efforts in sales and education targeting potential policyholders.

Enhancing transparency and providing clear explanations about cyber risks are essential steps to fostering a better understanding among clients. Encouraging dialogue can help increase the adoption of cyber insurance.

Company cyber insurance status

A significant share of C-level respondents who have no cyber policy in place stated – after price, again the most frequently mentioned criterion (33%) – to be unaware of cyber insurance and affiliated solutions offer.

They either replied that they did not know that cyber insurance exists (26%) or that they did not understand the product (23%).

Again, lack of knowledge about risk transfer solutions was highest in the small business segment (revenue up to US$ 1million), at 34%.

The reasons feedbacked on insurance status emphasise the need of greater wording standardisation and transparency to reduce or best avoid ambiguity. In addition, the insurance industry needs to better explain its solutions to the market.

Why does your company have no cyber insurance in place?

On a positive note, the finance (39%) and IT (34%) sectors, which are among the sectors most affected by cyber-attacks, have the highest values in terms of insurance contracts already concluded.

At 48%, the manufacturing industry shows the highest share of respondents specifically considering taking out insurance.

Particularly in view of the increasing number of ransomware and supply chain attacks in recent years, this industry will continue to face an increasing pressure to deal with the threat situation.

Call to increase cyber resilience and insurance penetration

The supply and demand for cyber insurance have seen a modest increase, yet many respondents remain inadequately protected or prepared. Given the current market situation, insurers face growing demands to provide accessible products and solutions while ensuring the sustainability of this business line.

The potential for growth in the cyber insurance sector remains significant, but achieving this potential requires enhanced resilience and readiness.

Insurers must take an active role in educating clients about the importance of resilience measures in managing risk exposure. This includes discussing key factors such as premiums, prices, coverage options, limits, terms and conditions, and access to insurance.

By clearly explaining these aspects, insurers can help clients better understand the value of cyber insurance and the importance of being prepared for cyber threats.

Methodology of the Survey

The survey conducted by Munich Re and Statista, included over 7,500 respondents from 15 countries. This survey provided representative global results and country-specific insights. The countries surveyed included Australia, Brazil, Canada, China, France, Germany, India, Italy, Japan, Netherlands, South Africa, Spain, Sweden, the UK, and the USA. It covered both commercial and private sectors, balancing responses from C-Level executives and employees.

Company sizes varied: 8% had 1-9 employees, 33% had 10-249 employees, 29% had 250-2499 employees, and 27% had over 2500 employees. Annual revenues of these companies ranged widely, with 13% earning over $1 mn, 30% between $1 mn and $200 mn, 14% between $200 mn and $1 bn, 10% between $1 bn and $5 bn, and 7% over $5 bn.

The industries surveyed included consumer products and services (15%), information technology (21%), finance (9%), transportation/communication/utilities (8%), industry/manufacturing (13%), education (9%), healthcare and pharma (7%), public authority/defense (6%), and other sectors (11%).

FAQ

..…………….

AUTHORS: Martin Kreuzer – Senior Risk Manager Cyber Risks at Munich Re, Axel von dem Knesebeck – Corporate Underwriting Cyber at Munich Re