Future cyberattacks will be increasingly accelerated by key technology trends such as artificial intelligence like ChatGPT, the so-called “metaverse” and the expanding worlds of IT, Internet of Things (IoT) and operational technology (OT). All these converging technologies offer great opportunities for society, businesses and governments, though new attack surfaces, vulnerabilities and systemic risks will continue to emerge at the same time.
According to Munich Re Survey, recent years have brought some of the largest and most scrutinized data breaches in history, resulting in billions of records lost, exposed or compromised. As businesses and consumers alike become more aware of the risks associated with cyber attacks, enterprise demand for cyber insurance continues to rise.
The cyber insurance market reached a record size last year. Cyberattacks and the volume of compromised digital assets increased simultaneously.
Ransomware and supply chain attacks dominated the cyber risk space over the past 12 months. With data breaches and ransomware attacks constantly in the news, organizations are seeking cyber insurance to mitigate the many unknown risks of doing business in the digital age (see Lloyd’s Systemic Cyber Risk Scenario).
Cyber insurance is a prevalent topic in Asia, with the market size in the region expected to triple by 2025. Compared to Europe and the US, cyber insurance is a comparably new product, and take-up is gaining momentum due to the different stages of development here.
Safeguarding cyber resilience
According to Cyber Insurance Market Dynamics Report, economic vitality, business continuity, and successful digitalization rely on cyber coverage – and a sustainable cyber insurance market demands transparency.
The human factor will remain an encumbrance to cybersecurity. As a result, phishing, social engineering and business email compromise (BEC) are likely to remain successful attack vectors.
- Economic costs of cyber-crime will reach $24 trillion by 2027
- 83% of C-level executives of global survey respondents felt inadequately protected against cybercrime
- 38% of C-level executives of survey respondents were extremely concerned about potential cyberattacks
By applying discipline and acuity to risk management, we can contribute to a sustainable cyber insurance market, protect businesses, and humanity’s interconnectedness into the future.
In addition to the growing sophistication of cyber-criminal activities, organisations worldwide face greater exposure than ever to geopolitical conflicts, which are already starting to have an unprecedented impact on cybersecurity.
Global cyber insurance market outlook
Cyber risk management is core in a digitised world. Since cyber insurance is an essential part of this, demand continues to grow strongly. Facilitating a sustainable cyber insurance market remains a key task for the insurance industry.
Many companies are focused on how to become as robust as possible and how you surround your company with an impenetrable fortress — which is a futile endeavor. Those companies need to shift their mindset to becoming as resilient as possible if they assume the adversary is going to get in no matter what (see How will Technology Impact Insurance? 16 New Technology Trend Evolution).
Yet achieving that resilience will require a clear strategy for cybersecurity investment — and that means executives will need to become conversant with the breadth and depth of technologies and solutions available in the cybersecurity industry.
After all, today’s cybersecurity defenses are diverse and the right combination of technologies is different for every organization.
Major cyber risk areas
Currently, 4.7 million experts worldwide are working in the cybersecurity field, trying to limit the global costs of cybercrime. These are expected to surge in the next five years, rising from US$ 8.44 trillion in 2022 to approximately US$ 11 trillion in 2023, and potentially reaching approximately US$ 24 trillion by 2027.
Safeguarding our digital world is fundamental to societies and economies. The insurance industry has embraced the pivotal role of cyber insurance in this context since its infancy, and even more intensely as the line of business continues to mature
Thomas Blunck, CEO Reinsurance Munich Re
Stakeholders must be prepared for the challenges that the inevitable further intensification of digital dependencies will bring and, in particular, invest in cyber resilience.
Cyber attack categories by region
As predicted by the Cybersecurity Workforce Study, a skills shortage still exists, with a gap of 3.4 million cybersecurity workers needed to adequately protect organisations, and this gap will not be closed in the near future. In particular, niche talent – to secure cloud environments or OT, for example – is scarcely available.
Geopolitical cyber risks
The extent to which cyber risks will accelerate is underlined by the geopolitical risks deriving not only from the Russian invasion of Ukraine but also from further afield. Going forward, this conflict and global powers jockeying for position will be a key driver of cyber (in)security and will make a systemic, catastrophic cyber event more likely.
The situation becomes particularly threatening for all affected parties if tactics, techniques and procedures of nation states are adopted by commercial cybercrime actors.
We will likely see advanced targeting of satellite technologies, producers and operators. The sophistication and scope of disinformation and destabilisation efforts will increase through the use of machine learning, AI, deep fakes, chatbots, social media and other digital channels. This will create an unprecedented threat for societies and governments.
Industry sectors targeted by nation state actors
As regards cyber warfare, it is important to state that risk transfer is not possible. There is clear alignment across the insurance industry sector to exclude warfare – this also needs to be unambiguously applied for cyber as is done in all other lines of insurance business. Munich Re supports initiatives to overhaul existing exclusion terminology. These revisions will add more clarity and transparency for all market participants. In order to better prepare society and the economy for cyber warfare scenarios, Munich Re is actively consulting and supporting governments and insurance bodies in promoting the establishment of effective public-private partnership solutions.
Ransomware
In terms of threats for businesses and individuals, ransomware will remain the primary loss driver in 2023, and very likely also beyond. The numbers are significant. According to Cybersecurity Ventures, ransomware will cost its victims approximately US$ 265 billion annually by 2031.
The situation is made more worrying by some emerging trends. Alarmingly, experts are seeing a trend towards data destruction rather than encryption, the pretence of data theft as a new successful form of extortion, and a concentration of ransomware attacks on cloud infrastructure.
In addition, the alarmingly specialist expertise of cyber criminals and the ongoing sophistication of services like reconnaissance-as-a-service will enable the unscrupulous to attack with greater precision.
Ransomware – share of number of claims by industry
While business and professional services was the industry with the highest number of overall claims, the financial impact by market loss was heaviest on the finance industry.
Cyber attack and supply chain
According to Beinsure Cyber Supply Chain Risk Report, supply chain will remain the preferred vehicle for threat actors, especially because the number of critical bottlenecks and systemic risk targets (e.g. cloud services) are on the rise, due to the rapid deployment of digital products, services and interconnectedness.
Companies are already at 99.999% uptime and anything higher than that would mean that they aren’t innovating, which is something that they must do in order to remain competitive
The digital supply chain is invisible. It operates in the background but is essential to the day-to-day functioning of most businesses. As data is increasingly transferred through extended global supply chains, and threat actors look to exploit vulnerabilities through single entry points, organisations need to manage and mitigate exposures in a fast moving risk landscape.
This means there will always be new services, a new payment system, a new cloud service, and humans are part of these processes. Human error is the leading reason for downtime so there is always going to be downtime and insurers & insurtechs will always have a business.
According to Gartner, by 2025, 45% of organisations worldwide will have experienced attacks on their software supply chains, corresponding to a threefold increase since 2021.
Going forward, transparency for risk owners with regard to interdependencies within their own critical assets inventory and the supply chain will be crucial, which is why more and more organisations will procure mission-critical software solutions that mandate software-bill-of-materials (SBOM) disclosure in their licence agreements.
Munich Re expects and welcomes that cybersecurity will become a key determinant in business relationships. It is obvious that full protection will not be possible. But a change of mindset to see investment in cybersecurity not as a burden but rather as a business enabler that fosters digital business and limits the impact of a possible attack needs to occur in every organisation and at its business partners and suppliers.
Data breaches and liability
Projections from “AWS’ Security Predictions for 2023 and Beyond” suggest that 463 exabytes (EB) of data will be created in 2025, creating a vast universe of opportunity for those with ill intentions.
Biometric data, in particular, will in future likely attract considerable attention from malicious actors. In addition, legislation and awareness will inspire higher customer expectations regarding data protection.
The gravity of these trends is indicated by the reality that, by the end of 2023, experts estimate that modern data privacy laws will cover the personal information of three-quarters of the world’s population. One possible immediate result is that privacy legislation violations due to wrongful collection of data may become as prominent as privacy breaches.
Internet of Things Ecosystem
Having already touched upon critical digital bottlenecks, there is one sector that cannot be overlooked in this context, namely the world of connected devices.
According to IDC’s IoT Ecosystem and Trends, there will be 41.6 billion connected IoT devices generating 79.4 zettabytes (ZB) of data by 2025.
The imperative to protect increasingly digitized businesses, Internet of Things (IoT) devices, and consumers from cybercrime will propel global spending on cybersecurity products and services to $1.75 trillion cumulatively for the five-year period to 2025
These devices and cyber-physical systems will improve efficiency, flexibility and redundancy, but they will also increase the return on investment for developing tools to exploit these internet-facing devices.
The latter is underlined by Gartner, which estimates that the impact of attacks on cyber-physical systems will reach over US$ 50 billion by 2023.
This trend is becoming more critical as we observe an ongoing convergence between the “worlds” of IT and OT. And as already stated, the geopolitical situation will bring OT and critical infrastructure, in particular, into the direct line of fire.
The insurance industry welcomes the provision of further cyber risk capacity through increased ILS and capital markets capacity backing.
Recent developments by policy makers are also a promising step in the right direction: in the wake of the latest geopolitical situation, the US government is considering the possibility of a cyber insurance backstop or public-private partnerships to cover areas of particular relevance to society.
The role of finance in developing societal resilience to cyber risk is capable of further growth. ILS vehicles are just one example of how. By their nature, however, some limits must be left to political decision-making, which should lead to new forms of cooperation between public and private actors for the sake of society.
However, digital sovereignty and security will not come without a cost to society. The insurance industry will continue to be a strong driver when it comes to increasing and improving cybersecurity and fostering digital business models.
……………………
AUTHORS: Martin Kreuzer – Senior Risk Manager Cyber Risks at Munich Re,
Axel von dem Knesebeck – Corporate Underwriting Cyber at Munich Re
