The global cyber insurance market has further matured. Cyber risk continues to increase, driven by rapid technological advances such as generative artificial intelligence or cloud technology. Global industries are increasingly dependent on IT, the Internet of Things, operational technology and digital services such as cloud computing, each of which represents a critical part of the supply chain for many risk owners, according to the Munich Re Cyber Risk and Insurance Survey 2024.

The advancing sophistication of cyber criminals and the tense geopolitical situation shape the cyber threat landscape and pose a threat to global societies and democracies.

87% of global decision makers say their company is currently not adequately protected against cyber-attacks, according to Munich Re.

Cyber insurance penetration and associated resilience need to be further increased. This report provides an outlook on the cyber risk landscape and the surrounding dynamics affecting cyber insurance.

In a digitalised global economy, insurers contribute significantly when protecting businesses against the cyber risks they face.

According to Allianz Cyber Security Global Trends, hackers are increasingly targeting IT and physical supply chains, launching mass cyber-attacks and finding new ways to extort money from companies, large and small.

Technology trends with significant relevance for companies
Source: Munich Re

Through expertise, strong collaborative networks and clear focus on data analytics, risk quantification and accumulation modelling, the insurance industry has a deep understanding of the threat landscape and a discernment of the limits of insurability.

Despite the fact that today’s value chains are largely dependent on digital assets, the level of protection appears to remain inadequate.

Improvements in cyber security and business continuity are helping to combat encryption-based ransomware attacks, yet the cyber threat landscape is continually evolving. 2023 has seen a worrying resurgence in ransomware and extortion claims, resulting in an uptick in costly incidents, demonstrating that although progress is being made, the threat posed by ransomware shows little sign of abating.

The current cyber risk landscape

Over the past months, Munich Re has observed a surge in cyber-attacks, with ransomware once again on the rise.

According to Chainalysis, annual crypto ransom payments spiked from $567m to $1.1bn. Other costly attack vectors were business email compromise (BEC) and supply chain attacks.

Between 2021 and 2023, BECs caused $3bn in losses and affected 22,000 victims globally, and, in 2023 alone, the number of BEC cases doubled. There were twice as many software supply chain attacks in 2023 compared to the previous three years combined.

Allianz analysis of a number of large insurance cyber losses shows that the proportion of cases in which data is exfiltrated is increasing every year – from 40% of cases in 2019 to around 77% of cases in 2022, with 2023 on course to surpass last year’s total.

Major Cyber Risk Drivers

Source: Munich Re

Compiling accurate cybercrime statistics poses a significant challenge for experts and authorities, as the data likely captures only a fraction of the total incidents. For instance, the German Federal Criminal Police Office suggests that up to 91.5% of cyber incidents remain unreported (see Cyber Insurance, Ransomware & Hybrid Warfare Outlook).

Projections by Statista indicate that by 2028, the global cost of cybercrime could escalate to $13.8 trillion, rising from $8.15 trillion

These statistics underscore the critical role of insurance in managing cyber risks.

In 2023, businesses spent $45.8bn addressing 245,000 software supply chain incidents. The attack against MOVEit, which leveraged a zero-day vulnerability in data transfer software, was the most prominent attack in this category.

Data breaches remained at a high level, with the average cost of a breach reaching an all-time high of $4.45 million, according to IBM.  

Estimated cost of cybercrime worldwide 2017-2028
Source: Statista

Companies suffering from cyber-attacks incur various financial losses, including business interruption, costs related to incident response, and liabilities from data breaches. Cyber insurance policies provide a financial safety net against these losses.

Showing significant growth potential, the market is driven by the awareness of the increasing frequency and sophistication of cyber-attacks, including the potential financial repercussions, as well as by stricter regulatory requirements, such as the Network and Information Security Directive (NIS2) taking effect in October 2024.

NIS2 is a key development in elevating European cybersecurity and resilience to higher levels.

The global cyber insurance market reached a size of $14bn in 2023 and is estimated by Munich Re to increase to around $29bn by 2027.

Further growth factors continue to be the ongoing digital transformation and technological advances in all sectors and concrete requirements to be satisfied by business partners within the supply chain.

This overall trend illustrates the importance of cyber insurance as a core component of cybersecurity risk management.

Over the past 5 years, the cyber insurance market has nearly tripled in size, thanks in part to robust support from reinsurers and modest interest from capital markets in cyber risks.

Despite this growth, the industry has insured only a small portion of potential risks. Large corporations continue to dominate premium payments, while small and medium-sized enterprises largely manage their cyber risks independently, according to Beinsure’s Cybercrime Predictions for 2024-2025.

Insurers encounter significant challenges in attempting to bridge the gap between economic and insured losses, exacerbated by the rapidly increasing prevalence and complexity of cyber risks.

Major cyber risks

While past trends may not reliably predict the future, analyzing historical attack patterns, vulnerabilities, and losses is vital for enhancing future cyber preparedness. It is crucial to prepare for the significant impacts of potential threats at all levels, ranging from individuals and businesses to national governments.

Impact on Cyber Insurance

Source: Munich Re

Artificial intelligence is widely expected to power future ransomware attacks, with automated attack processes, more convincing phishing, and faster malware development. However, it could also enhance cyber security, with more effective and faster detection and threat intelligence.

Threat actors are already using AI-powered language models like ChatGPT to write code.

AI can be used to carry out more automated attacks, as well as to develop new techniques to steal or poison data.

When you think about the potential to combine AI with the proliferation of the IoT and the speed of 5G, for example, we may have a serious issue on the horizon.

Large language models and generative artificial intelligence

With the launch of ChatGPT, large language models (LLMs) and generative artificial intelligence have become mainstream. However, the era of (generative) AI has only just started, and its long-term impact on economies, societies and geopolitics remains difficult to predict.

AI will almost certainly be deployed by state and commercial actors in multiple domains. In terms of AI’s impact on cybersecurity, Munich Re experts expect cyberattacks to become increasingly automated and personalized, as well as cheaper and faster to distribute at scale in all languages.

AI capabilities will also increasingly augment the efforts of cyber defenders. AI and related technologies can be utilized to specifically strengthen detection and response capabilities and to improve attribution of cyber-attacks to adversaries by mapping their techniques, tactics and procedures.

While initial steps, such as the EU Artificial Intelligence Act, are being taken, more state-driven efforts will follow in the field of AI governance and regulation.

In the insurance sector, AI will almost certainly be widely deployed along the entire value chain:

  • Enhanced risk assessment – e.g. by virtual agents that may support or undertake exposure quantification or cybersecurity recommendations
  • More efficient, customized and responsive offerings with optimized and actively risk-based coverage creation
  • Improved incident monitoring and response as well as faster claims processing
  • Increased awareness of cybersecurity and risk management solution offerings to further increase resilience
  • Streamlining of operations, fostering of relationships with clients and intermediaries/brokers, and efficiency in underwriting processes and sales
  • Advanced data analytics, telematics & predictive modelling

Despite these very promising use cases and developments, AI cannot replace the expertise and knowledge required for excellent understanding and underwriting of cyber risk at present. 

Nation-state (sponsored) cyber attacks

According to Future of Global Cyber Insurance Market, malicious state-driven attacks are increasingly targeting the disruption of elections through propaganda and manipulation to undermine their integrity.

The 2024 US presidential elections headline over 40 major global elections, affecting more than 4 bn eligible voters in regions including the EU, India, South Korea, Indonesia, and Mexico.

Democracies face significant challenges in countering disinformation, exposing fake content, and securing the digital aspects of electoral processes.

The rise in nation-state cyber activities and attacks poses a serious threat to cybersecurity globally. There is a very real danger that the opportunities offered by Gen AI and LLMs will also be exploited by nation-states, particularly in the area of disinformation and information warfare to undermine democracy.

The potential social, economic and geopolitical impact could be enormous, as the lines between the physical and virtual worlds, and between truth and fakery, become even more blurred.

Nation-state activities are expanding to include not only sophisticated disinformation campaigns and election interference but also economic, military, and political espionage.

Often, nation-states either actively support or tolerate cybercriminals. These adversaries are enhancing their capabilities with standard tools like destructive wiper attacks that irreversibly delete or damage system data.

There is a growing investment in exploring zero-day vulnerabilities, which attackers exploit before patches become available, allowing them to conduct potent cyber operations undetected.

The development of advanced large language models by nation-states may sometimes aim to create specific malware, enhancing their cyber warfare arsenals.

These developments underline the critical need for robust cyber defense mechanisms to protect against and mitigate these sophisticated threats.

Due to increasing global competition in and heavy reliance on space, satellite and communication security, this sector will be a crucial factor in all cyber security considerations – both for nation-states and large commercial satellite operators.

95% of defense and aerospace decision makers agree that ongoing digitalization has led to a more dynamic and complex battlefield (BAE Systems).

Major loss drivers in cyber insurance

Munich Re loss data and experience paint a clear picture of cyber risks and their impact on cyber insurance. This is particularly true for ransomware, business email compromise and business communication compromise, data breaches and supply chain vulnerabilities.

Ransomware

Ransomware will continue to be the dominant risk and loss driver for cyber insurance. Advances in applied technological progress and tactics point to a more complex and damaging ransomware landscape, where more and stronger ransomware groups will shorten their dwell times, including through the use of prompt injection tactics.

Reports note that the number of ransomware victims surged by as much as 143% globally during Q1 2023, with January and February seeing the highest number of hack and leak cases in three years.

Ransomware alone is projected to cost its victims approximately $265bn annually by 2031.

Companies that are routinely and properly managing their data, making sure it is stored appropriately and deleted when it is no longer required, will reduce the amount of data at risk.

Protecting an organization against intrusion remains a cat and mouse game, in which the cyber criminals have the advantage.

Ransomware costs – double extortion changes the rules and cost

Source: Bitsight and Kovrr. Graphic: Allianz Commercial

Indeed, there are very few cases where a company may believe that there is no other solution than paying the ransom to be able to re-access their systems or data. Any impacted company should always inform and cooperate with the police or national investigation authorities.

Ransomware-as-a-Service (RaaS) models will become even more competitive in dark web markets, partly because AI can drive or enhance them.

AI will encourage a high degree of automation in hacking processes and lead to a strong individualization of attacks – with tailored phishing or email extortion that can be easily translated into multiple languages in high quality by AI and thus scaled in many regions simultaneously.

TOP 6 industries affected by Ransomware
Source: Munich Re

Munich Re experts also expect a further diversification of extortion methods beyond encryption, continuing the shift already observed from a focus on data for extortion towards exploitable data for sale, potentially targeting employees, suppliers, customers and other third parties.

Business email compromise and Business Communication Compromise

Munich Re specialists predict a significant rise in Business Email Compromise (BEC) and Business Communication Compromise (BCC) attacks from 2024 onwards. These scams trick company employees into unauthorized actions like making payments or leaking confidential information.

BEC attacks, in particular, are prevalent due to their low difficulty and high reward potential, despite requiring minimal technical skills.

Scammers utilize not just emails but all forms of communication platforms, including social media, to facilitate these frauds. Such attacks not only lead to substantial financial losses but also erode trust and damage reputations.

One common form of these frauds is CEO fraud, where attackers impersonate executives and direct employees to send money.

With the integration of AI and deepfake technologies into criminal activities, creating convincing fake communications through phone calls, digital meetings, and videos has become both simple and inexpensive.

A notable case in early 2024 involved a Hong Kong-based employee of a multinational corporation who sent nearly $26 million to fraudsters. This employee was deceived by a video call featuring deepfake representations of their colleagues, including the CFO, orchestrated using sophisticated AI technology.

Data Breaches

By the end of 2024, privacy regulation will cover three quarters of consumer data worldwide, but 60% of all regulated global entities will struggle to comply with intensifying data protection regulation and privacy requirements, given the high rates of data growth driven by technology.

5G will continue to be the driving force behind mobile data growth: By 2029, 5G’s share of mobile data traffic will have surged to 76%.

Video traffic will account for the majority of mobile data, escalating from currently slightly above 70% of all mobile data traffic to 80% by 2029, according to Ericsson.

Amid rapid technological advancements, it is crucial to remember the significant role of data value and criticality, compliance with data regulations, and liability issues in shaping the cybersecurity landscape.

These factors are driving the proliferation of hack-for-hire and data theft services.

Proportion of Insurance Claims by Sector
Source: Munich Re

Despite the use of AI-enhanced spear phishing in many sophisticated data breaches, about 90% of these incidents still involve human actions, underscoring the need for comprehensive awareness and robust defense strategies that extend beyond technological solutions, according to Forrester.

Supply Chain Vulnerabilities

Dependencies on software and hardware supply chains and digital services are set to increase sharply, making them prime targets for cyberattacks.

Experts from Munich Re anticipate a rise in hacks involving networks of suppliers, manufacturers, and service providers across IT, operational technology, and the Internet of Things in Insurance.

Reflecting on the potential impacts, a World Economic Forum study indicates that 41% of companies have experienced a cyber incident through third parties as of 2024.

Attackers increasingly target small and medium-sized suppliers in order to subsequently breach the systems of their larger clients.

The financial repercussions are substantial, with the global cost of software supply chain attacks projected to increase from $46 bn in 2023 to $60 bn by 2025, according to Juniper Research.

Munich Re invests in initiatives and resources that deepen both its own and the industry’s understanding of aggregate cyber exposure and further advance risk modelling. The need for robust accumulation modeling underpins all underwriting and risk management activities at Munich Re.

Cyber insurance cornerstones

In the space of a decade, cyber insurance has become an essential component of cyber risk management for organizations and households.

Against an extremely dynamic threat landscape, where geopolitical and technological stressors are setting new priorities, tackling insurability challenges and managing accumulation risk is key to the long-term sustainability and functionality of a still maturing market.

Insurers and risk modelers continue to explore the limits and possibilities of insurability. Prudent further development of the market is necessary, with anticipated future global demand requiring sufficient capacity from insurance and alternative capital markets.

Cyber risk must be managed properly and collectively. This is also true of those risks that cannot be managed, or at least not fully, by the private sector.

Governmental cyber protection

Cyber insurance has undoubtedly helped to build an effective layer of resilience. However, the insurance industry’s risk-bearing capacity has natural limitations.

The damage from catastrophic systemic events like cyber war or an outage of critical infrastructure would far exceed the industry’s capacity. Such scenarios pose a threat to macroeconomic stability, which is why societies need the involvement of governments to manage these potentially catastrophic cyber risks.

AUTHORS: Axel Knesebeck – Corporate Underwriting Cyber at Munich Re, Martin Kreuzer – Senior Risk Manager Cyber Risks at Munich Re
