Cyber insurance: Risks and trends 2023
Future cyberattacks will be increasingly accelerated by key technology trends such as artificial intelligence like ChatGPT, the so-called “metaverse” and the expanding worlds of IT, Internet of Things (IoT) and operational technology (OT). All these converging technologies offer great opportunities for society, businesses and governments, though new attack surfaces, vulnerabilities and systemic risks will continue to emerge at the same time. The human factor will remain an encumbrance to cybersecurity. As a result, phishing, social engineering and business email compromise (BEC) are likely to remain successful attack vectors.
In addition to the growing sophistication of cyber-criminal activities, organisations worldwide face greater exposure than ever to geopolitical conflicts, which are already starting to have an unprecedented impact on cybersecurity. Awareness, understanding and preparation are vital in this context, as our Global Cyber Risk and Insurance Survey 2022 as well as the Cyber Threat Outlook 2022 have already shown.
Cyber risk management is core in a digitised world. Since cyber insurance is an essential part of this, demand continues to grow strongly. Facilitating a sustainable cyber insurance market remains a key task for the insurance industry.
Major cyber risk areas in 2023 and beyond
"Safeguarding our digital world is fundamental to societies and economies. The insurance industry has embraced the pivotal role of cyber insurance in this context since its infancy, and even more intensely as the line of business continues to mature. Stakeholders must be prepared for the challenges that the inevitable further intensification of digital dependencies will bring and, in particular, invest in cyber resilience. Munich Re continues to act as a key, long-term partner in this joint effort."
Geopolitical cyber risks
The supply chain will remain the preferred vehicle for threat actors, especially because the number of critical bottlenecks and systemic risk targets (e.g. cloud services) is on the rise, due to interconnectedness and the rapid deployment of digital products and services. According to Gartner, by 2025, 45% of organisations worldwide will have experienced attacks on their software supply chains, corresponding to a threefold increase since 2021.
Going forward, transparency for risk owners with regard to interdependencies within their own critical assets inventory and the supply chain will be crucial, which is why more and more organisations will procure mission-critical software solutions that mandate software-bill-of-materials (SBOM) disclosure in their licence agreements. Munich Re expects and welcomes that cybersecurity will become a key determinant in business relationships. It is obvious that full protection will not be possible. But a change of mindset needs to occur in every organisation and at its business partners and suppliers: investment in cybersecurity should be seen not as a burden but rather as a business enabler that fosters digital business and limits the impact of a possible attack.
Data breaches and liability
Once again, Munich Re expects dynamic activity around data breaches and liability in 2023. Projections from “AWS’ Security Predictions for 2023 and Beyond” suggest that 463 exabytes (EB) of data will be created in 2025, creating a vast universe of opportunity for those with ill intentions. Biometric data, in particular, will in future likely attract considerable attention from malicious actors. In addition, legislation and awareness will inspire higher customer expectations regarding data protection.
The gravity of these trends is indicated by experts' estimate that, by the end of 2023, modern data privacy laws will cover the personal information of three-quarters of the world’s population. One possible immediate result is that privacy legislation violations due to wrongful collection of data may become as prominent as privacy breaches. According to the Munich Re Data Analytics Team, privacy violations by industry are currently most common in the finance sector, followed by public authorities/NGOs/non-profit organisations, utilities and healthcare.
The world of “connected things”
Having already touched upon critical digital bottlenecks, we cannot overlook one sector in this context, namely the world of connected devices. According to IDC’s “Internet of Things Ecosystem and Trends”, there will be 41.6 billion connected IoT devices generating 79.4 zettabytes (ZB) of data by 2025. These devices and cyber-physical systems will improve efficiency, flexibility and redundancy, but they will also increase the return on investment for developing tools to exploit these internet-facing devices. The latter is underlined by Gartner, which estimates that the impact of attacks on cyber-physical systems will reach over US$ 50 billion by 2023.
This trend is becoming more critical as we observe an ongoing convergence between the “worlds” of IT and OT. And as already stated, the geopolitical situation will bring OT and critical infrastructure, in particular, into the direct line of fire.
Sustainability, sufficient capacity, expertise and innovation will drive cyber insurance
"Cyber insurance is coming of age, yet remains challenging. As we continue the path to ever more mature markets and products, expertise and reliability must be at the core of this fascinating line of business. Better exposure data, wording topics, cybersecurity trends and lessons learnt from previous losses are priorities for the entire industry. A thorough understanding of the risks provides the foundation for what our insureds need most: sustainable insurability and sufficient capacity."
Chief Underwriter Cyber
Is cybersecurity set to become as important as ESG?
Digitalisation cannot be separated from our private, professional and political activities – it is an ever-present feature of the modern world. It must therefore become a key consideration across the board. As a consequence, sources like the World Economic Forum are already demanding that cyber risk protection become an essential consideration for organisations, akin to environmental, social and governance (ESG) factors.
Cyber readiness and resilience are already playing a key role for stakeholders such as rating agencies, investors and analysts. In this context, it is not about adding a further layer of compliance and complexity – the development merely follows the logic of safeguarding essential business operations. Since the latter is clearly the most important return on cybersecurity investment, Munich Re welcomes such discussions.
Our key take-aways for future readiness
Building resilience and cybersecurity remains fundamental to the successful digitalisation of the economy. While full protection will never be possible, every organisation can limit the impact of cyberattacks to fully take advantage of the benefits of modern technologies. Our take-aways based on the 2023 threat outlook:
- Combine new technologies with a strong cybersecurity culture
- Continually increase resilience and preparedness
- Invest in cybersecurity and reap the associated return
- Build up strong networks, share and make use of data
- Integrate cyber insurance solutions
Sources
- Cybersecurity Ventures: Global Cybersecurity Spending To Exceed $1.75 Trillion From 2021-2025
- European Council / Council of the European Union: Cybersecurity: how the EU tackles cyber threats
- Bundesamt für Sicherheit in der Informationstechnik (BSI): Lagebericht 2021: Bedrohungslage angespannt bis kritisch (Situation Report 2021: threat situation tense to critical)
- Cybersecurity & Infrastructure Security Agency: 2021 Trends Show Increased Globalized Threat of Ransomware
- Chainalysis: 2022 Crypto Crime Report
- Ransomware Task Force (RTF)
- European Union Agency for Cybersecurity (ENISA): Threat landscape for supply chain attacks
- World Economic Forum: Three reasons why cybersecurity is a critical component of ESG