
Cyber insurance is more relevant and cyber risks are more vibrant than ever. From the outset, Munich Re has been a strong pillar of the cyber insurance market. Our strategic approach allows us to weather uncertain times because we can rely on our extensive underwriting expertise, discipline and a long-term business orientation aimed at supporting a sustainable market. Munich Re continually invests in robust in-house modelling and regularly monitors and quantifies cyber threats, allowing us to adapt our risk assumptions and solutions. Our unchanged goal: to help clients secure their business opportunities in a hyper-connected world.
1. Main drivers of cyber claims
If cybercrime were a country, it would be the third-largest economy in the world. With a projected global cost of US$ 14 trillion in 2028, cybercrime will have exceeded the combined economic output of Germany, Japan, and India. Only the US and China have a larger gross domestic product.
The cyber risk landscape continues to be shaped by an increase in the frequency and impact of cyberattacks and non-malicious cyber events alike. Overall, a great majority of cyber risks are unprotected.
From Munich Re’s perspective, the main drivers of insured losses are Ransomware, Data Breach, Business Email Compromise (BEC) and Distributed Denial of Service (DDoS).
Segments affected by cyberattacks in 2025
2. Cyber claims insights
While the public focus is still on large corporates, the majority of cyber incidents and claims affect micro-companies and SMEs.
When analysing incident patterns, insurers need to pay attention to the development of malicious and non-malicious events alike, as both are crucial for shaping the portfolio.
Munich Re claims data shows an overall ratio of 3 to 1 for malicious and non-malicious attributable loss events, while mid-sized and large companies have reported a higher proportion of non-malicious loss events, particularly in the areas of IT, Healthcare, and Finance. Both types of event can typically be insured and both can lead to extreme loss impacts. Looking at the claims trend since 2021, malicious cases have clearly remained dominant, with the overall picture until heavily influenced by increasing ransomware attacks. However, non-malicious claims are also gaining significance. They are often attributable to human error, flawed software, or increasingly to pixel litigation.
Growth in non-malicious incidents
3. Cyber threat landscape and trends
In response to powerful geopolitical, technological and economic stressors, companies need to focus equally strongly on resilience and protection. Operating in the digital era involves threats that no business leader can afford to neglect: it is long overdue for the long-heightened risk awareness to translate into adequate C-level action. In the interest of making businesses more resilient and to further increase cyber insurance uptake, Munich Re welcomes both competition and cooperation. We will continue to expand our highly diversified, profitable portfolio with disciplined risk appetite.
Geopolitics – digital frontiers and defence of critical assets
In the context of extreme geopolitical tensions, which even culminate in armed conflicts and wars, cyberspace is a powerful arena for gaining political, economic and military advantages. Thus, geopolitical fault lines shape cyber threats, which are increasingly endangering the public and private sphere alike.
Generally speaking, attackers are becoming increasingly active and applying overlapping tactics, techniques and procedures (TTPs): the dividing line between state-sponsored (Advanced Persistent Threats, APTs) and state-tolerated groups and criminals is becoming increasingly blurred, as are their motives – which range from espionage, sabotage and campaigns to disrupt critical infrastructure and supply chains, to simply making money.
DDoS campaigns by hacktivists can support low-level geopolitical interests, while supply chain compromises and malware attacks can be attributed to state-sponsored groups operating together with new groups in scalable, specialised and agile ecosystems.
Increasingly, disruptions from ransomware attacks are the result of alliances that embed geopolitical objectives into financially motivated criminal ecosystems. In this context, AI systems become inherently dual-use technologies, blending in with cyber and kinetic tactics in the military domain.
Around 64% of organisations expect to be a potential target of geopolitically motivated cyberattacks (WEF). Those involved in critical supply chains and infrastructure – e.g. in the defence, energy, finance and telecommunications industries – are particularly at risk.
Supply chains – continuum between criticality and control
Digital supply chains have become essential for global, national, and each organisation’s security. Whilst more than two thirds of large organisations experienced at least one third-party cybersecurity incident in the past 12 months, experts provide a clear outlook: the next generation of cyberattacks will increasingly include the impersonation of suppliers, logistics and digital services providers, exploiting the implicit trust between organisations and their vendors. Spoofing platforms will evolve to clone login portals or payment forms and steal users’ credentials. Further, cyberattacks will increasingly be used to infiltrate and corrupt software and firmware supply chains with hard-to-detect modifications or malicious logic.
As hyperconnectivity, systemic dependencies and mono-structures increase – e.g., in relation to cloud providers, content delivery networks or productivity suites – accumulation modelling and budgets may also need to be adapted. The primary challenges and limitations in third-party risk management will continue to be visibility, assessing and assuring integrity, and security controls for suppliers.
Cybercrime – an increasingly sophisticated industry that thrives on theft
Cybercrime continues to evolve as a hyper-organised, service-oriented ‘industry’, and the declining skill and capital requirements for this criminal activity are making it attractive to new entrants. Ransomware-as-a-service (RaaS) providers deliver AI-powered turnkey packages, develop and offer affiliate models with tutorials, leak site hosting and encrypted money laundering, dark web markets, and closed forums offering stolen data and initial access, to name just a few examples.
Deepfakes, voice clones and synthetic identities, which combine real user data and fake information, are increasingly being used to circumvent traditional defences. In addition, markets for infostealers and initial access brokers are becoming mainstream and diversifying their access to target cloud environments, Software-as-a-service (SaaS) platforms, and Operational Technology/Internet of Things (OT/IoT) ecosystems. At a highly sophisticated level, criminals are cooperating with state actors, who can thus obscure attribution and accelerate global operations.
On this basis, more frequent and sophisticated attacks are putting pressure on potential victims and critical supply chains – a burden for all societies and economies.
Agentic AI – an asset for attackers and defenders alike
As the use of agent-based AI is now becoming mainstream, it is poised to shape the scope, speed and precision of offensive and defensive cyber measures alike. Agentic AI will increasingly be able to plan and adapt multi-stage operations, more effectively exploit vulnerabilities, learn from detection responses, and operate with minimal human input.
Given that AI is already capable of generating deepfakes, realistic domains and websites, and of engaging in hyper-personalised social engineering and phishing, the existing attack surfaces will grow exponentially. Consequently, synthetic content and personas, as well as the rising level of misinformation, are expected to further undermine trust.
Further, AI models themselves will be the targets of attacks and have to be secured. Major attack vectors will include prompt injection and data poisoning, as well as the insertion of malicious data or instructions to manipulate outputs.
Agentic AI will not only enhance parts of the cyber kill chain and lower the barriers to entry for attackers; the use of autonomous systems could also greatly transform cyber security.
But despite all this technology, the human factor remains – as a protective factor and potential gateway alike. Even with agentic AI, humans won’t be completely replaced. Therefore, some of the current discussions on agentic AI seem to be more like hype.
From Munich Re’s perspective, our experts expect agentic AI to affect the frequency of attacks more than their severity in the near term. Affected types of insurance cover could especially include system failure and (C)BI, incident response, data restoration, and cyber extortion – all potentially covered by a first-party element. In addition, the industry may see more third-party losses from wrongful collection, privacy violations, as well as media liability and tech E&O.
Despite the fact that AI will be a double-edged sword – used for good and bad alike – risk owners’ overall perception and expectations are positive: only 23% of executives said that AI will have a negative impact on their businesses, 66% expect AI to have a positive impact on their business, while 57% trust companies that use AI.
Positive perception of AI
Physical AI & robotics - autonomous systems perform complex tasks
4. Cyber insurance – Addressing risks and opportunities
Both hindsight and foresight on the cyber threat landscape and trends indicate that threat scenarios will develop further, going far beyond ransomware. Especially against the backdrop of current geopolitical tensions and technological innovations, cyber threats are likely to become more diverse and far-reaching. This may further strengthen awareness for cyber risks and the substantial impacts on organisations’ reputation and core business activities. However, awareness alone can’t prevent financial losses; resilience and insurance can. What conclusions can be drawn from the insights gained for cyber insurance solutions?
- Though cyber threats aren’t always malicious, they must always be treated as a priority. Cyber risk management needs to be holistic, integrative, and reviewed on an ongoing basis.
- While the public focus is still on large corporates, the majority of cyber incidents and claims recorded by Munich Re affect micro-companies and SMEs. Cyber protection is an issue for companies and industries of all sizes.
- Deep-dive data analytics of cyberattacks and losses are crucial to better understand and quantify what is at risk.
- Cyber events involving digital supply chains seem more the norm than the exception, and can have significant impacts as a systemic risk.
- Not new, but different: AI technology is amplifying the scale of existing threats and can increase exposure. This applies in particular to AI agents that are increasingly being embedded in or connected to IoT and OT devices, further blending AI and the physical world.
- In 2025, natural hazards produced losses amounting to US$224 billion, including US$108 billion covered by insurance; 48% of the losses were insured. As we see, insurance is a relevant factor in risk management for the global economy when it comes to natural hazards. The same needs to be achieved for cyber insurance.
Munich Re’s cyber business philosophy is unchanged: understand, assess, quantify and make cyber risks insurable. Yet the lion’s share of cyber risks is still uninsured, even though they are insurable. As our Cyber Risk and Insurance Survey 2026 shows, nearly 9 out of 10 C-level respondents don’t feel their company is adequately protected against attacks, which I take as a call for insurers to step up their efforts. Cyber insurance is relevant, has proven its effectiveness, and is ready to grow.
The cyber insurance industry’s goal is to help clients recognise, understand, and optimally mitigate their risks. Insurance doesn’t just provide compensation after a loss; it also helps to raise exposure awareness, increase cybersecurity, and protect companies and organisations of all sizes from the potentially massive disruptions that incidents can entail.
Looking ahead, Munich Re remains focused on challenges and opportunities in the strategic field of cyber insurance, working hand in hand with partners and clients. By increasing cyber insurance penetration and collaborating globally on this task, players can support insureds and protect global economies and societies.