Cyber Insurance
In July 2024, a faulty update from cybersecurity provider CrowdStrike caused widespread disruptions to millions of Windows systems worldwide. Although it was not a malicious attack with the intent to cause harm, the effects of the event led to one of the largest IT outages in history, affecting critical operations in key industries and sectors such as airlines and airports, banks, stock exchanges, technology companies, and healthcare. The total damage caused is enormous and is still unknown. It is also unknown whether and how much damage has been paid out by insurance. We are not talking about standard insurance here, but about a special, rapidly growing cyber insurance.
Expect the global cyber insurance market to reach $16.3 billion in 2025. To date, the market has proven capable and effective in protecting those insured critical digital assets needed to run the day-to-day operations of organizations of all types and sizes – from micro, small or medium-sized enterprises to large corporate enterprises. The global insurance industry can withstand multiple scenarios of extreme cyber exposure, such as those that can arise from widespread malware attacks or major outages of cloud service providers. Rapid, simultaneous changes in risk due to technological, geopolitical and market-specific factors present both challenges and opportunities for insurers.
Severe ransomware attacks are no longer just a cybersecurity or cybersecurity issue – they have become a national and global security threat. Advanced persistent threats (APTs) remain one of the most serious challenges in cyberspace. APT groups, often supported by state actors, use sophisticated methods to infiltrate critical infrastructure and strategic companies over an extended period of time.
Stefan Golling, a member of the board responsible for global clients and North America says, “In today’s technology-dependent world, organizations can only succeed if they strengthen their digital defenses with robust, multi-layered risk management. Cyber insurance is an effective component in this approach.”
Regardless of industry, size or location, the analysis clearly shows that no organization is immune to becoming a victim of a cyberattack. Munich Re’s global survey found that 87 percent of C-level respondents consider their organization’s protection to be inadequate.
The global cyber insurance market continues to mature and is stable. This assessment by S&P Global Ratings recognizes the solid profitability of risk coverage over the past two years and its expected trajectory into 2025, despite increased competition and the rise in the sophistication, severity and frequency of cyber attacks in an increasingly hostile environment. The insurance market offers reliable capacity for commercial and private cyber policies.
According to Munich Re, the global cyber insurance market totaled $15.3 billion in 2024. This corresponds to less than one percent of global property and casualty insurance premium volume in 2024, highlighting the huge potential of the cyber insurance industry going forward. Although cyber premium growth has slowed in the past two years, global premium volume is expected to more than double by 2030, growing at an average annual growth rate of more than 10 percent.
With all types of cyber attacks constantly evolving, overarching trends are strongly influencing the cyber risk landscape. Most notably, AI is seen as the biggest challenge for cybersecurity. Regulation, IT skills shortages, technological advancements and geopolitical tensions are also identified as key “trend drivers” for cybersecurity (in)security. Companies are adopting AI primarily to drive efficiency and innovation,
Among the most significant challenges and threats, insurers cite the impact of AI on the claims experience. Since AI-enhanced cyberattacks can particularly increase the frequency of claims, this can impact events that are typically covered by cyber insurance, such as business interruption, data breach liability, data recovery or the effects of ransomware attacks. While losses from AI-enabled cyberattacks are typically covered by cyber policies, the implications of other risks associated with AI adaptation – such as model manipulation or IP infringement – are often not explicitly mentioned in insurance wording.
Taking out a cyber insurance policy is not easy. There may be problems with payouts due to unclearly stated cybersecurity risks involved. It is necessary to carefully study the text of the contract, what is included, what is excluded, what are the obligations of the contractor under the contract or related documents. Before signing, it must be clear what happens with (un)intentional damage for which the insured's employee is responsible. Due to a bad insurance policy, the damage can be significant.
Ivica Zvonko Miljak, MSc, CIA, member of ASIS and CSO Center. Participated and presented at ASIS annual conferences (now GSX). From 2023, reviewer for GSX. Frob 2024, ASIS Community Administrator and member of the CSO Center Content Committee. Permanent contributor to the leading regional security monthly.
