Cyber Insurance: Risks and Trends 2024

    The cyber insurance market has further matured. Looking to the future, the focus remains on meeting increasing demand and managing dynamic risk exposures, while keeping sight of the sustainable insurability of cyber risks and market functionality.

    Thomas Blunck, CEO Reinsurance: “There is still too high a proportion of uninsured cyber risks. According to our current global cyber survey, 87% of managers surveyed state that their company is not adequately protected against cyber risks. Risk awareness and demand will continue to rise, also against the backdrop of a rapidly growing threat from aggressive cyber criminals, new technologies and dependencies, as well as geopolitical crises.”

    Cyber risk continues to increase, driven by rapid technological advances such as (generative) artificial intelligence or cloud technology. Global industries are increasingly dependent on IT, IoT (Internet of Things), OT (Operational Technology) and digital services, such as cloud computing, each of which represents a critical part of the supply chain for many risk owners. Furthermore, the advancing sophistication of cyber criminals and the tense geopolitical situation shape the cyber threat landscape and pose a threat to global societies and democracies.

    In a digitalised global economy, insurers contribute significantly to protecting businesses against the cyber risks they face. Through its expertise, strong collaborative networks and clear focus on data analytics, risk quantification and accumulation modelling, the insurance industry has a deep understanding of the threat landscape and a discernment of the limits of insurability. Although today’s value chains are largely dependent on digital assets, the level of protection appears to remain inadequate. According to the Munich Re Cyber Risk and Insurance Survey 2024, 87% of global decision makers say their company is currently not adequately protected against cyber-attacks. Cyber insurance penetration and associated resilience need to be further increased. This report provides an outlook on the cyber risk landscape and the surrounding dynamics affecting cyber insurance.

    The current cyber risk landscape – hot spots

    Over the past months, Munich Re has observed a surge in cyber-attacks, with ransomware once again on the rise. According to Chainalysis, annual ransom payments in cryptocurrency spiked from US$567m in 2022 to US$1.1bn in 2023. Other costly attack vectors were business email compromise (BEC) and supply chain attacks. Between 2021 and 2023, BECs caused US$3bn in losses and affected 22,000 victims globally (Symantec), and, in 2023 alone, the number of BEC cases doubled (Verizon). There were twice as many software supply chain attacks in 2023 compared to the previous three years combined. In 2023, businesses spent US$45.8bn addressing 245,000 software supply chain incidents (Juniper Research). The attack against MOVEit, which leveraged a zero-day vulnerability in data transfer software, was the most prominent attack in this category. Data breaches remained at a high level, with the average cost of a breach reaching an all-time high of US$4.45 million (IBM).

    Experts and authorities face challenges in compiling adequate statistics on cybercrime and it is likely that the data represent only a small proportion of total cybercrime. For example, the German Federal Criminal Police Office (BKA) estimates that up to 91.5% of criminal cyber incidents go unreported. Statista forecasts that the annual global cost of cybercrime will reach US$ 13.8 trillion by 2028, an increase from US$ 8.15 trillion in 2023.

    These figures clearly show that insurance has never been more vital in the cyber risk management process. Companies and organizations affected by a cyber-attack are exposed to costs and losses due to business interruption, incident response expenses (forensics and data recovery), as well as expenses and damages related to data breaches. A cyber insurance policy can protect against these financial losses.

    Major cyber risks and trends in 2024

    Past trends may not always be indicative of future ones. Nevertheless, lessons learned from attack patterns, vulnerabilities and losses are important for future cyber readiness. Equally, it is essential to anticipate major impacts of potential threats on all levels - from private individuals to single companies to nation-states. According to Munich Re experts, the following key risks and trends will shape the threat landscape in 2024 and beyond:

    Artificial intelligence: For good and evil

    With the launch of ChatGPT, large language models (LLMs) and generative artificial intelligence have become mainstream. However, the era of (generative) AI has only just started, and its long-term impact on economies, societies and geopolitics remains difficult to predict. AI will almost certainly be deployed by state and commercial actors in multiple domains. In terms of AI's impact on cybersecurity, Munich Re experts expect cyberattacks to become increasingly automated and personalized, as well as cheaper and faster to distribute at scale in all languages. For example, attackers are using AI-driven phishing e-mails and vishing calls to scam victims. The development of new malicious LLMs such as WormGPT will also equip less tech-savvy actors with attack capabilities.

    On a positive note, it is anticipated that AI capabilities will also increasingly augment the efforts of cyber defenders. AI and related technologies can be utilized to specifically strengthen detection and response capabilities and to improve attribution of cyber-attacks to adversaries by mapping their techniques, tactics and procedures.

    While initial steps, such as the EU Artificial Intelligence Act, are being taken, more state-driven efforts will follow in the field of AI governance and regulation.

    In the insurance sector, AI will almost certainly be widely deployed along the entire value chain. Some of the examples Munich Re expects are:  

    • Enhanced risk assessment – e.g. by virtual agents that may support or undertake exposure quantification or cybersecurity recommendations
    • More efficient, customized and responsive offerings with optimized and actively risk-based coverage creation
    • Improved incident monitoring and responses as well as faster claims processing
    • Increased awareness of cybersecurity and risk management solution offerings to further increase resilience
    • Streamlining of operations, fostering of relationships with clients and intermediaries/brokers, and efficiency in underwriting processes and sales
    • Advanced data analytics, telematics & predictive modelling

    Despite these very promising use cases and developments, AI cannot replace the expertise and knowledge required for excellent understanding and underwriting of cyber risk at present. 

    Stefan Golling, Board of Management member responsible for Global Clients and North America: “Technological developments, especially the potential use cases of AI, will also change the insurance industry. Nevertheless, our investment in talent, expertise and knowledge to ensure an excellent understanding and underwriting of cyber risks remains a central pillar of Munich Re's business.”  

    Nation-state cyber activities and disinformation

    The rise in nation-state (sponsored) cyber activities and attacks poses a serious threat to cybersecurity globally. There is a very real danger that the opportunities offered by Gen AI and LLMs will also be exploited by nation-states, particularly in the area of disinformation and information warfare to undermine democracy. The potential social, economic and geopolitical impact could be enormous, as the lines between the physical and virtual worlds, and between truth and fakery, become even more blurred.

    A major focus of malicious state-driven attacks will likely be on disrupting elections in a propagandistic and manipulative manner, and to cast doubt on their integrity. The main headline elections in 2024 will, of course, be the US-presidential elections. However, more than 40 other major elections with over 4 billion eligible voters (WEF) will be held around the globe, including in the EU, India, South Korea, Indonesia and Mexico. Countering disinformation and exposing fake content will be a challenge for any democracy, as will protecting the electoral process with all its digital components.

    In addition to disinformation (deliberate creation of false content or manipulation), malinformation (the deliberate publication of damaging data or private information) will become a costly threat to risk owners: by 2028, corporate spending on countering malinformation will surpass $30 billion, consuming 10% of cybersecurity and marketing budgets (Gartner).

    Nation-state activities are likely to extend beyond sophisticated disinformation and influencing elections to encompass economic, military and political espionage. In some instances, cyber criminals are either actively supported or at least tolerated by nation-state authorities. The arsenals of nation-states are growing and now typically include, as standard, destructive wiper attacks designed to permanently delete or corrupt data on systems. State-sponsored attackers are also widely expected to invest more and more in researching zero-day vulnerabilities, allowing attackers to exploit such vulnerabilities until patches are released. Overall, this allows nation-state (supported) actors to conduct highly effective and severely damaging cyber operations while evading detection. In addition, the future development of nation-state large language models could in some cases be undertaken specifically for malware.

    Due to increasing global competition in and heavy reliance on space, satellite and communication security, this sector will be a crucial factor in all cyber security considerations – both for nation-states and large commercial satellite operators. Unsurprisingly, 95% of defense and aerospace decision makers agree that ongoing digitalization has led to a more dynamic and complex battlefield (BAE Systems).

    Major loss drivers in cyber insurance

    Munich Re loss data and experience paint a clear picture of cyber risks and their impact on cyber insurance. This is particularly true for ransomware, business email compromise and business communication compromise, data breaches and supply chain vulnerabilities.

    Ransomware

    Ransomware will continue to be the dominant risk and loss driver for cyber insurance. Advances in applied technological progress and tactics point to a more complex and damaging ransomware landscape, where more and stronger ransomware groups will shorten their dwell times, including through the use of prompt injection tactics. Ransomware-as-a-Service (RaaS) models will become even more competitive in dark web markets, partly because AI can drive or enhance them. AI will encourage a high degree of automation in hacking processes and lead to a strong individualization of attacks - with tailored phishing or email extortion that can be easily translated into multiple languages in high quality by AI and thus scaled in many regions simultaneously.

    Munich Re experts also expect a further diversification of extortion methods beyond encryption, continuing the shift already observed from a focus on data for extortion towards exploitable data for sale, potentially targeting employees, suppliers, customers and other third parties.

    Munich Re data shows the proportion of ransomware losses by industry sector:  

    The Munich Re Cyber Data Analytics Team observed that ransomware was, by far, the leading cause of cyber insurance losses. Manufacturing was identified as the industry with the highest number of ransomware claims.  

    Business email compromise (BEC) and Business Communication Compromise (BCC)

    For 2024 and beyond, Munich Re experts anticipate a sharp increase in BCC and BEC attacks. These will deceive people within companies into performing harmful actions, such as making unauthorized payments or sharing sensitive data externally. As scammers seek to harvest comparatively low-hanging fruit, BEC remains a top attack vector, especially since it is easy to carry out and requires virtually no technical knowledge while reaping very high rewards. It is not only email that is used as a gateway, but also all communication platforms and social media channels. Needless to say, BEC and BCC attacks not only cause high financial losses, but also lead to an erosion of trust and reputational damage.

    Examples include CEO fraud attacks, where hackers pose as executives and instruct employees to transfer money. Since AI tools and deepfake technologies have become part of the mainstream criminal’s toolbox, convincing fake phone calls or digital meetings as well as videos are broadly and cheaply available for scams. In early 2024, a Hong Kong based employee of a multinational company transferred nearly $26 million to scammers after attending a video call with deepfakes of their co-workers, including the company’s CFO. The employee was the only human being who attended the video call, while fake participants were impersonated with AI-driven technology. 

    Data Breaches

    By the end of 2024, privacy regulation will cover three quarters of consumer data worldwide, but 60% of all regulated global entities will struggle to comply with intensifying data protection regulation and privacy requirements (Gartner), given the high rates of data growth driven by technology. 5G will continue to be the driving force behind mobile data growth: By 2029, 5G’s share of mobile data traffic will have surged to 76%. Video traffic will account for the majority of mobile data, escalating from currently slightly above 70% of all mobile data traffic to 80% by 2029 (Ericsson).

    Amidst all technological developments, one factor should not be forgotten when discussing data breaches or other cyber incidents: The value and criticality of data, together with governing data regulation and underlying issues regarding liability, will further push the emergence of more groups offering hack-for-hire and data theft services. Nevertheless, even the most advanced data breaches with AI-enhanced spear phishing will still involve the human element in approximately 90% of instances (Forrester). Multifaceted efforts to create awareness and implement proper defence that goes beyond technology are and will be a must.

    Munich Re claims data shows the following ranking in terms of the proportion of privacy claims including wrongful disclosure and wrongful collection by industry sector:

    This ranking also reflects the criticality of finance and healthcare data and the respective exposure for data breaches.

    Supply Chain Vulnerabilities

    Dependencies on software and hardware supply chains and digital services will continue to rise tremendously. As the obvious Achilles' heel of organizations, the supply chain consequently attracts attackers. Munich Re experts expect hacks across networks of suppliers, manufacturers and providers within digital supply chains (IT/OT/IoT) to increase further. Organizations will also witness a greater number of “supply chain attacks as a service”, opening up this field to other less tech-savvy hacker groups.

    To put the potential impact in perspective: According to a World Economic Forum study (WEF 2024), 41% of companies surveyed have been affected by a third-party cyber incident. Small and medium-sized suppliers are being increasingly targeted with the aim of later hacking into their larger customers' systems. The expected rise in costs incurred by businesses globally due to software supply chain attacks is estimated to grow from US$46bn in 2023 to US$60bn in 2025 (Juniper Research).

    Cyber insurance cornerstones

    In the space of a decade, cyber insurance has become an essential component of cyber risk management for organizations and households. Against an extremely dynamic threat landscape, where geopolitical and technological stressors are setting new priorities, tackling insurability challenges and managing accumulation risk is key to the long-term sustainability and functionality of a still maturing market. Insurers and risk modelers continue to explore the limits and possibilities of insurability. Prudent further development of the market is necessary, with anticipated future global demand requiring sufficient capacity from insurance and alternative capital markets.

    Cyber risk must be managed properly and collectively. This is also true of those risks that cannot be managed, or at least not fully, by the private sector.

    Accumulation

    Accumulation exposure has to be adequately controlled in order to secure and allocate the requisite capacity for sufficient coverage. Risk models inform a healthy risk appetite for insurers and must therefore adequately reflect potential catastrophic systemic cyber events in their maximum loss consideration. The more accurate the modelling, the fewer uncertainties the insurer must provide for.

    Munich Re invests in initiatives and resources that deepen both its own and the industry’s understanding of aggregate cyber exposure and further advance risk modelling. The need for robust accumulation modeling underpins all underwriting and risk management activities at Munich Re. Our multidisciplinary cyber expert teams lie at the core of those activities.

    Jürgen Reinhart, Chief Underwriter Cyber: “Our mission is clear and essential to a thriving economy: we work with clients, partners and brokers to provide effective cyber insurance solutions that safeguard the digital landscape and make it more resilient. Ensuring the fit-for-purpose cyber accumulation models required for a profitable, sustainable cyber insurance market is a core challenge for our industry. Munich Re continues to strive for excellence in its own modelling and to support initiatives that progress modelling across the industry.”

    Munich Re also actively engages with industry stakeholders on a variety of aspects regarding accumulation modelling, with the objective of reconciling differences in risk perception and ensuring ever-improving model reliability across the market. For example, Munich Re experts work with third party data providers, service providers and model vendors to improve data quality and quantity, better understand risks, develop risk quantification and further advance modelling. Sophisticated, fit-for-purpose cyber accumulation models are fundamental to ensuring a profitable, sustainable cyber insurance market, a challenge faced by the entire industry. Clarity regarding the limits of insurability is a pre-requisite for model reliability. If the long-term sustainability of the cyber insurance market is to be ensured, then necessary exclusions, in particular regarding cyber war, must be in place. Munich Re’s stance regarding the requirement for modern cyber war exclusions remains steadfast. It supports both market initiatives, adapted to local legal requirements, and appropriate bespoke solutions for individual clients. In terms of implementation, Munich Re’s portfolio activities are particularly successful in the large industrial segment. However, there are also cases where Munich Re is abandoning business. On the treaty side, Munich Re’s guardrail concept will further accelerate transition as it clearly defines risk appetite but allows for a variance of clauses and concepts on the original side of business.

    Governmental cyber protection

    Cyber insurance has undoubtedly helped to build an effective layer of resilience. However, the insurance industry’s risk-bearing capacity has natural limitations. The damage from catastrophic systemic events like cyber war or outage of critical infrastructure would far exceed the industry’s capacity. Such scenarios pose a threat to macroeconomic stability, which is why societies need the involvement of governments to manage these potentially catastrophic cyber risks. Munich Re can and will support the development of solutions and clearly advocates for the implementation of economic cyber protection as a precautionary measure of last resort. The dialogues on so-called "governmental backstops" have already begun.

    Jürgen Reinhart, Chief Underwriter Cyber: “The risks presented by digitization pose a challenge to society at large. The insurance industry plays its part in mitigating those risks. However, the most severe systemic cyber risks, such as the failure of critical infrastructure or damage from cyber warfare, cannot be borne by the private sector. We are prepared to help governments to jointly manage these potentially catastrophic, systemic risks for our societies, by seeking alternative solutions.”

    Cyber insurance market trends

    The global cyber insurance market reached a size of US$ 14bn in 2023 and is estimated by Munich Re to increase to around US$ 29bn by 2027. Showing significant growth potential, the market is driven by the awareness of the increasing frequency and sophistication of cyber-attacks, including the potential financial repercussions, as well as by stricter regulatory requirements, such as the Network and Information Security Directive (NIS2) taking effect in October 2024. NIS2 is a key development in elevating European cybersecurity and resilience to higher levels. Further growth factors continue to be the ongoing digital transformation and technological advances in all sectors and concrete requirements to be satisfied by business partners within the supply chain. This overall trend illustrates the importance of cyber insurance as a core component of cybersecurity risk management.

    The cyber insurance market has almost tripled in size over the past five years. This is also due to the strong commitment of reinsurers and the recent - albeit low-level - interest shown by the capital markets in cyber risks. However, to date only a fraction of the risks has been insured. Large companies still account for the majority of premiums; small and medium-sized enterprises bear most of their cyber risks on their own.

    Insurers face a major challenge in their endeavors to close the gap between economic losses and insured losses. Given the very dynamic growth of risks in a digitized economy, higher insurance penetration for cyber risks is the paramount aim. By helping to safeguard the digital world, insurers will once again demonstrate the industry’s relevance to the resilience of the economy and society. The insurance industry offers a variety of attractive solutions which continue to convince the uninsured. At the same time, the focus lies on ensuring that insurance cover is sufficient and offered on a sustainable basis. Using our expertise and stability, Munich Re remains committed to addressing the growing demand from our cedents and insureds as a relevant partner.

    Sources:
    Experts
    Axel von dem Knesebeck
    Corporate Underwriting Cyber
    Martin Kreuzer
    Senior Risk Manager Cyber Risks