Cyber continues to live up to its dynamic reputation. With no sign of the risk landscape abating – as demonstrated by ransomware, geopolitical instability and the proliferation of Gen AI – market conditions offer businesses an opportunity to secure insurance cover at favourable terms, according to Howden’s 4th annual cyber report, titled Risk, Resilience and Relevance.

Following a major market correction off the back of surging ransomware claims in 2020 and 2021, conditions started to stabilise last year as improved cyber hygiene amongst insureds helped to prevent or mitigate the impact of attacks.

The foundations are now in place for the next phase of development, with opportunities in international geographies and other underserved areas poised to drive growth. Increased insurance penetration is the path to resilience and relevance.

Ransomware continues to stalk the threat landscape as the costliest form of cyber attack. The past 12 months have seen the splintering of ransomware groups, increased collaboration between hackers and tacit support from hostile governments.

These trends have sustained the heightened threat, with data from NCC Group showing attacks increasing by 85% last year relative to 2022 (when activity dipped due to Russia’s war in Ukraine) and by 30% from 1Q23 to 1Q24.

Cyber risk and insurance resilience

Data reveals an increasing severity of ransomware recovery costs after a brief decline in 2022. Recently, several high-profile attacks have targeted the healthcare sector, causing significant disruption and economic losses.

Investments in cybersecurity and insurance are proving beneficial, as insured companies now face less prolonged disruption following an attack.

This is evident in the reduced number of victims paying ransoms over the past year.

Staying ahead of attackers enhances organizational resilience against financially motivated cyber attacks and better prepares them for larger incidents.

Strengthened cyber resilience is paying dividends for policyholders now that attacks are reverting to the long-run upward trend.

Recent hacks, such as those affecting MOVEit, Change Healthcare, and the NHS, show how attacks on a single point of failure can impact an entire organization’s customer base or IT network, indirectly affecting thousands.

Despite this, insured losses are expected to be manageable. These incidents highlight the potential for loss aggregation in future attacks, according to the report Generative AI Change the Cyber Insurance.

The rise of Gen AI marks a significant new development since Howden’s last threat landscape assessment.

Experts in technology, cybersecurity, and insurance agree that this technology will revolutionize both offensive and defensive capabilities.

Howden’s research advances this debate by identifying how Gen AI will likely increase the frequency, severity, and aggregation of claims, while also showing how it, along with existing risk controls, can counteract threat actors.

Cyber risk relevance


Over the past few years, carriers and brokers have undertaken important steps to enhance price stability, coverage clarity and the consistency of terms and conditions. Taken together, these actions present solid foundations for a new phase of development for the market.

The cyber insurance market has two key opportunities to maintain strong annual growth and ensure long-term relevance: expanding beyond the U.S. and serving a broader client base among small and medium-sized enterprises (SMEs) worldwide.

This report shows that over half of premium growth will likely come from outside the U.S. In major European economies like Germany, France, Italy, and Spain, the potential premium increase from reaching mature market penetration levels is significant, totaling hundreds of millions of euros.

The SME sector, which accounts for nearly half of GDP in advanced economies, presents a substantial opportunity. Brokers and insurers can better serve this currently underserved group by integrating them into the cyber market.

Cyber threat landscape in 2024

Source: Howden analysis using data from Coveware, NCC Group, Chainalysis, Splunk, House Committee on Energy and Commerce, FBI

According to Cyber Security Global Trends, significant progress has been made quickly, but more work is needed to meet global demand. Innovation is crucial for accessing new capital and reaching underserved markets.

Howden aims to achieve these goals. We look forward to helping new and existing clients find optimal risk transfer solutions and build cyber resilience in an ever-changing threat landscape.


After a temporary lull in 2022 due to Russia’s invasion of Ukraine, ransomware activity has returned to historic high levels.


There has also been a steady increase in U.S. privacy claims due to increased biometric breaches and pixel litigation following some high-profile settlements, whilst the resurfacing of aggregation risk continues to hang over the market.

Recent developments in both of these areas speak to the tail risk associated with cyber insurance.

All of this has led to cyber increasing its lead as the top global risk in this year’s Allianz Risk Barometer. Reflecting the pervasive threat landscape, respondents ranked data breaches as the cyber exposure of most concern (59%), followed by attacks on critical infrastructure and physical assets (53%) and the increase in ransomware attacks (53%).

Allianz Risk Barometer 2024

Source: Allianz Commercial

This elevated awareness of risk tallies with the release of several cyber-related policymaking publications in recent years, alongside growing references to cyber risk in corporates’ earnings calls.

Growing profile of cyber risk amongst corporations and policymakers

Source: Howden analysis using IMF data

Ransomware frequency

Ransomware continues to dominate the cyber loss environment. Given current levels of frequency and severity, ransomware looks set to be a source of significant losses for businesses for some time to come.

How has the frequency of global ransomware attacks trended since 2021? The availability of accessible (and low-cost) ransomware kits, otherwise known as ransomware-as-a-service (RaaS), combined with the ongoing profitability of attacks, have been important factors in driving the proliferation of ransomware during this timeframe.

Frequency index for ransomware – 1Q21 to 1Q24

Source: Howden analysis using IMF data

Fears that Russia’s invasion of Ukraine in early 2022 would escalate ransomware activity proved unfounded. Both sides, hosting some of the worst ransomware groups, focused on kinetic warfare instead.

Ransomware activity has significantly increased since then. Established gangs, facing depleted funds after a revenue drop in 2022, and the emergence of new groups, led to a marked rise in activity last year.

Increased law enforcement pressure on gangs, including efforts against Russian groups like LockBit and BlackCat, has somewhat reduced activity from peak levels in 3Q23. Yet, this pressure has not decisively impacted overall trends.

Recorded incidents in the first five months of this year were up 18% from already high 2023 levels.

Law enforcement actions have also prompted cybercriminals to target critical infrastructure. U.S. healthcare providers Change Healthcare and Ascension experienced ransomware attacks in February and May, causing significant disruptions and substantial claims.

In June, a ransomware attack on Synnovis, a pathology services provider for the NHS, severely disrupted several UK hospitals.

Cumulative global ransomware activity by month

Source: Howden analysis based on data from NCC Group

Companies of all sizes continue to be targeted, with a noticeable bias towards the upper and lower bands of the revenue range.

Attackers’ tactics are predicated on maximising financial gain whilst minimising risks, with gangs weighing up victims’ ability to pay against security measures in place without provoking a response from law enforcement agencies.

Distribution of ransomware attacks by companies’ annual revenue

Source: Howden analysis based on Black Kite data

Ransomware frequency impacts for insurance loss

Ransomware frequency only tells part of the story from a loss perspective. The severity side of the equation is primarily made up of downtime costs (business interruption and lost productivity), ransom payments and other expenses.

These can be more challenging to measure, particularly when factoring in intangible impacts such as reputational damage.

Companies that have invested in risk controls and crisis management are now less susceptible to material impacts, rebalancing cost-benefit considerations for some firms over whether to pay ransoms.

Revenue received by ransomware attacks

Source: Chainalysis

Furthermore, the increasing prevalence of double and even triple extortion has undermined the assumption that paying a ransom will put a stop to the hack.

Distribution of ransom payment amounts

Source: Howden analysis using Sophos data

Proportion of ransomware victims paying a ransom

Source: Howden analysis based on Coveware data

According to S-RM, business interruption is typically the biggest cost component of a significant event, making up to 70% of claims costs where a firm is heavily reliant on the availability of critical systems in sectors such as manufacturing and financial services.

Other ancillary costs can aggregate when there is significant regulatory exposure, or where multi-jurisdictional exposure brings the need to address various regulatory obligations.

Building cyber resilience

An increasing number of ransomware attacks now involve the theft of sensitive personal or commercial data for extortion purposes, which not only increases the complexity of incidents but also brings a greater risk of reputational damage.

Hardened cyber defences and secure backups have helped to mitigate business interruption losses, thereby insulating insured companies from prolonged disruption or outsized losses.

These conflicting dynamics continue to play out in the market, with peaks and troughs in ransomware frequency and severity indicative of fast-moving developments.

Ransomware claims frequency and severity for Coalition policyholders

Source: Howden analysis based on Coalition Claims Report

Disclosures in 2023 and early 2024 reveal strong profitability in cyber insurance. This reflects adequate pricing for various incidents, successful risk controls mitigating losses, and the ability to quickly adapt terms due to the short-tail nature of the business.

These factors indicate favorable market conditions overall. As cyber insurance maintains its dynamic reputation, its value becomes clearer. It incentivizes better cyber hygiene, strengthens resilience, and indemnifies losses.


AUTHORS: Julian Alovisi – Head of Research at Howden, Peter Evans – Research Director at Howden, Shay Simkin – Global Head of Cyber at Howden, Jean Bayon de La Tour – Head of Cyber at Howden International, David Rees – Head of Cyber at Howden UK, Sarah Neild – Head of Cyber Retail at Howden UK
