The cybersecurity landscape has undergone a dramatic transformation in recent years, with artificial intelligence emerging as both a powerful defensive tool and an increasingly sophisticated weapon in the hands of cybercriminals. While large enterprises have responded with comprehensive security strategies, a concerning trend has emerged: The vast majority of small to midsized businesses may remain vulnerable to cyberattacks, with most reportedly choosing to forgo cyber insurance coverage despite escalating threats.

Recent industry data reveals a striking disconnect between the growing cyber risk environment and protection adoption rates. This gap represents not just a business continuity challenge, but a fundamental market maturation issue that the insurance industry is working to address through enhanced education and product development.

“The omnipresence of AI, particularly in the form of ‘dark LLMs,’ has transformed the threat landscape,” said Florian Happ, PhD, Cyber Underwriting Manager at Munich Reinsurance America, Inc. (Munich Re US). “Think of these as the evil twins of conventional LLMs — like a FraudGPT instead of ChatGPT. These tools have made it much easier for threat actors to generate malicious code and automate their activities, enabling them to scale their operations significantly.”

This technological evolution has fundamentally changed the economics of cybercrime. Where attackers previously could only execute one attack at a time, AI automation now enables them to cast a much wider net with significantly less manual effort.

The impact extends beyond simple automation. Modern AI-powered attacks have eliminated many of the traditional warning signs that previously helped potential victims identify threats.

“They can now produce incredibly convincing phishing attacks tailored to specific addresses and even across language barriers, making them much more successful,” Happ said. “In the past, phishing attempts were often easily detectable due to broken English or obvious errors. Today’s AI-generated attacks have eliminated these telltale signs.”

The financial incentives driving this transformation are substantial. The considerable money involved in ransomware criminal activity, combined with AI decreasing entry barriers into cybercrime, has attracted numerous new actors seeking profit. This has created a more complex and unpredictable threat environment that challenges traditional response strategies.

“On the loss settlement side, insurers must now navigate a more scattered landscape of threat actors,” Happ said. “The expansion has had a significant impact. Identifying hacker groups has never been easy, but in the past, we could more easily identify who we were dealing with. We knew the channels and how to reach them.”

Despite the escalating threat environment, the adoption of cyber insurance among small to midsized businesses remains surprisingly low. A recent Munich Re survey found that more than 70% of small to midsized businesses in the US do not have cyber insurance in place, creating what industry experts characterize as a significant protection gap.

This disconnect becomes even more pronounced when considering the potential impact of cyber incidents on smaller organizations, which typically have fewer resources to recover from attacks compared to larger enterprises.

“From a reinsurer perspective, we see losses on the rise and becoming more costly for the insurance industry as a whole, which underlines the value of cyber coverage,” Happ said. “Cyber continues to be a threat that is difficult for businesses to predict and poses a significant risk.”

Research into the underlying causes of this protection gap has identified three primary factors that may explain why small to midsized businesses do not have cyber insurance.

The first factor is simple awareness. Many business owners may not realize that insurance protection is available for cyber risks, or they may not understand that such coverage is critical for their operations.

The second factor relates to product comprehension. Cyber insurance is a relatively complex product that requires specialized knowledge to explain it and transfer that knowledge effectively.

“The cyber coverage might be too complex to understand, which is why companies aren’t buying it,” Happ said. “Consequently, agents might not be pushing it because the product requires specialized knowledge and cannot be easily handled in the normal insurance purchasing process.”

The third factor involves risk perception — perhaps the most fundamental challenge in the market. Unlike traditional risks such as fire or theft, cyber risks can appear abstract and difficult to quantify.

“One hypothesis is that cyber risk is intangible compared to a risk like fire,” Happ said. “The risk of fire affecting your business is simple to imagine. It is much harder to imagine how customer data might become inaccessible, production data encrypted, or external software you rely on, such as payment processing, becoming non-operational.”

This perception challenge is compounded by the prevalence of basic technical security solutions. Many business owners feel adequately protected because they have purchased cybersecurity software. The State of SMB Cybersecurity in 2024 reveals that 94% of small to midsized businesses have experienced at least one cyberattack.

“People feel protected because they’ve purchased a cybersecurity solution that they believe ‘protects everything,'” Happ said. “When an agent brings up the topic and people don’t see the risk, it becomes a difficult conversation. You cannot sell an insurance policy if people don’t completely understand the risk.”

Successfully addressing the cyber insurance protection gap requires a multi-layered approach that begins with education but extends to fundamental changes in how the industry approaches product development and distribution.

The challenge starts with agent and broker education. Insurance professionals need sufficient comfort with cyber risk concepts to engage in meaningful conversations with their clients about protection needs.

“You need a certain level of comfort to sell a product,” Happ said. “My feeling is, if you’re not able to communicate the value, customers will not trust your insurance purchasing advice. If you don’t understand the risk profile of your client, you can’t effectively discuss the topic.”

This education must be practical and scenario-based. Agents need to understand not just the technical aspects of cyber risks but also how to translate those risks into concrete business impact terms that resonate with small to midsized business owners.

The product development side requires equal attention. For the cyber insurance market to achieve long-term sustainability, the products must be and remain relevant.

“For long-term sustainability, the product needs to be available and adequately address the protection needs of potential buyers and policyholders,” Happ said. “At Munich Re US, we are actively working to examine and address this topic, understanding what drives business owners’ purchasing behaviors and which products will best help mitigate their cyber risk.”

Data and insights play a crucial role in this educational process. Reinsurers like Munich Re US support the broader market by sharing loss trend information and risk assessment expertise with primary insurers, enabling more informed product development and distribution strategies.

“We use data to support the understanding of loss trends and share insights about our observations,” Happ said. “When we discuss with insurers how the loss environment is changing and what that means for our cedants’ portfolios, it helps our clients provide cyber protection in the long term.”

The market maturation process requires coordination across the entire ecosystem. Carriers, purchasers, agents, and data providers all need to develop expertise simultaneously to create a sustainable foundation for growth and to support the protection of an ever-increasing digitized global economy.

“This is fundamentally about learning and market maturation,” Happ said. “The entire ecosystem is evolving simultaneously — carriers, purchasers, and data providers all gaining experience together.”

Looking ahead, the cyber insurance market faces both significant challenges and substantial opportunities. As AI continues to transform the threat landscape and business dependence on digital systems deepens, the need for comprehensive cyber protection will only grow.

“The resiliency aspect and availability of insurance are very important for a sustainable market,” Happ said. “We are committed to making cyber insurance available in the market.”

For insurance professionals and business owners ready to address the evolving cyber risk environment, the key lies in building a foundation of mutual understanding that translates complex digital risks into concrete business protection strategies.