Cyber Risk Increase and Impacts on Cyber Insurance

Cyber risk continues to increase, driven by rapid technological advances such as generative artificial intelligence or cloud technology. Global industries are increasingly dependent on IT, the Internet of Things, Operational Technology and digital services such as cloud computing, each of which represents a critical part of the supply chain for many risk owners, according to the Munich Re Cyber Risk Insurance Survey.

The advancing sophistication of cyber criminals and the tense geopolitical situation shape the cyber threat landscape and pose a threat to global societies and democracies.

87% of global decision makers say their company is currently not adequately protected against cyber-attacks.

Cyber insurance penetration and associated resilience need to be further increased. This report provides an outlook on the cyber risk landscape and the surrounding dynamics affecting cyber insurance.

The current cyber risk landscape

Over the past months, Munich Re has observed a surge in cyber-attacks, with ransomware once again on the rise.

Annual ransom payments in cryptocurrency spiked from $567m to $1.1bn. Other costly attack vectors were business email compromise (BEC) and supply chain attacks.

Between 2021 and 2023, BECs caused $3bn in losses and affected 22,000 victims globally, and in 2023 alone the number of BEC cases doubled. There were twice as many software supply chain attacks in 2023 as in the previous three years combined.

Allianz analysis of a number of large insurance cyber losses shows that the proportion of cases in which data is exfiltrated is increasing every year – from 40% of cases in 2019 to around 77% of cases in 2022, with 2023 on course to surpass last year’s total.

Cyber Risk Drivers

Compiling accurate cybercrime statistics poses a significant challenge for experts and authorities, as the data likely captures only a fraction of the total incidents. For instance, the German Federal Criminal Police Office suggests that up to 91.5% of cyber incidents remain unreported.

Projections by Statista indicate that by 2028, the global cost of cybercrime could escalate to $13.8 trillion, rising from $8.15 trillion

These statistics underscore the critical role of insurance in managing cyber risks.

In 2023, businesses spent $45.8bn addressing 245,000 software supply chain incidents. The attack against MOVEit, which leveraged a zero-day vulnerability in data transfer software, was the most prominent attack in this category.

The cyber insurance market shows significant growth potential. It is driven by awareness of the increasing frequency and sophistication of cyber-attacks and their potential financial repercussions, as well as by stricter regulatory requirements, such as the Network and Information Security Directive (NIS2) taking effect in October 2024.

The global cyber insurance market reached a size of $14bn in 2023 and is estimated by Munich Re to increase to around $29bn by 2027.

Further growth factors continue to be the ongoing digital transformation and technological advances in all sectors and concrete requirements to be satisfied by business partners within the supply chain.

This overall trend illustrates the importance of cyber insurance as a core component of cybersecurity risk management.

Over the past 5 years, the cyber insurance market has nearly tripled in size, thanks in part to robust support from reinsurers and modest interest from capital markets in cyber risks.

Despite this growth, the industry has insured only a small portion of potential risks. Large corporations continue to dominate premium payments, while small and medium-sized enterprises largely manage their cyber risks independently, according to Beinsure’s Cybercrime Predictions for 2024-2025.

Insurers encounter significant challenges in attempting to bridge the gap between economic and insured losses, exacerbated by the rapidly increasing prevalence and complexity of cyber risks.

While past trends may not reliably predict the future, analyzing historical attack patterns, vulnerabilities, and losses is vital for enhancing future cyber preparedness. It is crucial to prepare for the significant impacts of potential threats at all levels, ranging from individuals and businesses to national governments.

Impact on Cyber Insurance

Source: Munich Re

Allianz analysis of a number of larger insurance industry cyber losses (>€1mn) between 2019 and the end of the first half of 2023 shows that the proportion of cases in which data is exfiltrated increases from year to year – from 40% of cases in 2019 to around 77% of cases in 2022, with 2023 on course to surpass 2022’s total.

Several factors are combining to make data exfiltration more attractive for threat actors. The scope and amount of personal information being collected is increasing, while privacy and data breach regulations are tightening globally.

At the same time, the trend towards outsourcing and remote access leads to more interfaces for threat actors to exploit.

AI, IoT & skills shortage to fuel future cyber-attacks

Artificial intelligence (AI) is widely expected to power future ransomware attacks, with automated attack processes, more convincing phishing, and faster malware development. However, it could also enhance cyber security, with more effective and faster detection and threat intelligence.

Threat actors are already using AI-powered language models like ChatGPT to write code.

Generative AI can help less technically proficient threat actors write their own code or create new strains and variations of existing ransomware, potentially increasing the number of attacks they can execute.

AI can be used to carry out more automated attacks, as well as to develop new techniques to steal or poison data. When you think about the potential to combine AI with the proliferation of the IoT and the speed of 5G, for example, we may have a serious issue on the horizon.

Voice simulation software has been a recent addition to the cyber criminal’s arsenal. In 2019 the CEO of a British energy provider transferred €220,000 to a scammer after they received a call from what sounded like the head of the unit’s parent company, asking them to wire money to a supplier. The voice was generated using AI.
