Technology adds as many problems as it solves.
AI can be both a curse and a savior for corporate executives intent on protecting sensitive business and customer data from the onslaught of cyber risks bombarding today’s business world.
AI systems can help multinational companies protect themselves from attacks, providing stronger capabilities to assess threats and automate company defenses, while improving the speed of responses after a breach. However, AI also lowers barriers to attackers, giving bad actors without high-tech experience the ability to launch sophisticated attacks. “AI is a double-edged sword,” says Peter Miller, president and CEO of The Institutes, a Malvern, Pennsylvania, risk management and insurance nonprofit. “It is accelerating innovation in the market, but it is also amplifying the power of cyber risks on an unprecedented scale.”
Darren L. Payne, research director at the Geneva Society, a global insurance industry think tank based in Zurich, adds that malicious actors could weaponize and poison the AI models used by companies, which raises concerns about the accuracy of the models and their results. Hackers can use AI tools to create convincing phishing emails, fake websites, and even deepfake videos to insert malicious claims or code, he says. “This allows cybercriminals to craft personalized, realistic messages and tactics that bypass traditional detection mechanisms,” Payne says.
This means that AI risk management has become a major issue for corporate boards. “Large organizations continue to purchase cyber coverage, with an emphasis on catastrophic risk, as boards now increasingly view cyber as an operational risk, on par with weather and political turmoil,” says Bob Parisi, head of North American cyber solutions at Munich Re Facility & Corporate.
As a result, the cyber insurance market has grown to address emerging AI risks, as well as data breaches and IT outages that accompany the digitization of business and society. According to the Geneva Association, global cyber insurance premiums increased tenfold, to $15 billion, in the decade ending in 2023, up from $1.5 billion in 2013. Munich Re expects total global cyber insurance premiums to reach $16.3 billion by 2025, as premiums continue to grow and more companies adopt tailored coverage in the coming years. The Germany-based reinsurer expects average annual growth rates of 10% until 2030.
Although the use of cyber insurance is relatively stable among large multinational companies, especially those based in the United States, a 2024 survey of risk managers conducted by the brokerage On Risk reveals a significant degree of underinsurance in cyber coverage. The results showed that less than 20% had cyber coverage, compared to 60% that had property insurance. “This is despite cyber being assessed as having a higher probability and severity of loss than property,” says Rory Egan, head of cyber and analytics for the global respecialization business at Aon’s Reinsurance Solutions unit in London.
“Internet prices can change rapidly in response to new loss trends that may emerge.”
rory Egan, ON Reinsurance Solutions
Parisi says today’s cyber insurance coverage is significantly broader than the product first introduced 25 years ago. Coverage terms have become more consistent in recent years as insurance companies have adopted more standardized terminology. “However, this does not mean that the market is stable to the point of failing to respond to new or expanding risks such as artificial intelligence and quantum computing or the return of privacy risks, caused by biometrics and an active regulatory environment,” he adds.
According to the Insurance Information Institute (Triple-I), an insurance trade association, insurers are meeting the needs of policyholders by adding clearer language around AI-related exposures and tightening or clarifying exclusions and conditions for state/nation-state-sponsored attacks and war/hostile acts. Insurers are also changing how they measure business interruption losses after cyberattacks. Availability rates and limits have generally improved even as insurers demand stronger controls and identification or clarification of exposures considered ambiguous. However, typical coverage components remain: The policyholder’s first-party coverage can include forensics indemnity, data recovery, business interruption, ransomware payments, and crisis public relations. Third-party coverage helps compensate insurance companies for costs associated with notifying customers of privacy violations; organizational defence; Fines when insurable; Media responsibility and network security responsibility.
Gerald Glombicki, a senior director in Fitch Ratings’ insurance group in Chicago, agrees that cyber coverage is constantly responding to evolving threats. “The Internet is a very personalized production line,” says Glombicki. “No two policies in the same industry are alike, and if policies in two different industries are compared, there are often night and day differences.”
However, not all sectors face cyber risks – and any subsequent need for coverage – equally. Government-run energy sites and critical infrastructure face the greatest exposure because service outages or delays “can impact not only quality of life, but life itself,” says Glombicki. The most profitable sectors for hackers, such as financial institutions, are also a bigger sign. Triple-I cites the healthcare industry, with patient data and critical services, and manufacturers who use operational technology and industrial control systems to monitor and manage industrial processes and machinery, among other high-risk industries. “However, anything connected to the Internet is a target,” Glombucki points out.
Greater capacity and stable premiums
Fortunately for multinational buyers, insurers and reinsurers are not facing capacity constraints at the moment, so premiums are still falling after nearly tripling in 2021 and 2022. Egan says interest rate cuts of 10% on an annual basis between 2022 and 2024 have slowed to 5% this year. Corporate buyers can expect a flat to slight downward movement in premiums if current claims trends continue. “However, internet prices can change quickly in response to new loss trends that may emerge,” he adds.
Rates could also increase as coverage expands to other sectors and countries, “as companies and individuals become more aware of cyber exposures and increasingly recognize the degree to which they are underinsured,” says the Geneva Association’s Payne.
Payne points out that insurers rely on reinsurers to offload cyber risks at peak times and avoid overburdening their balance sheets. While estimates vary by year and country, Bain estimates primary insurers cede about 50% of their cyber premiums to reinsurers, much more than other lines of insurance. “Reinsurers remain cautious about the scale of losses that could result from a major cyber incident, including an accidental single point of failure,” Payne says, pointing to the July 2024 CrowdStrike outage as an example. (On July 19, 2024, a single content update from CrowdStrike, a cybersecurity software company, took down more than 8.5 million systems, including hundreds of Fortune 1000 companies. The incident is estimated to have cost insurers about $1.5 billion in payouts, under business interruption, cyber and system failure coverage.)
“Any cluster of cyber incidents also raises the possibility that reinsurance will occur unexpectedly if a cluster of cyber incidents occur within a single treaty period,” Payne says.
To meet expected market demand for greater capacity, experts say alternative risk transfer mechanisms could play a role.
In a December 2024 Geneva Assembly report, “Stimulating the Transfer of Cyber Risk to Capital Markets: Catastrophe Bonds and Beyond,” the authors examine how alternative risk transfer mechanisms, including insurance-linked securities, such as cyber catastrophe bonds, can help spread these risks to financial markets.
“The Internet is a very detailed production line. No two policies in the same industry are alike.”
gerald Glombicki, Fitch Ratings
Although participation in the cyber ILS market is increasing, the authors point out that investor appetite is hampered by uncertainties related to potentially large-scale cyber exposures, differences in insurance policy language, and liquidity concerns. “Market growth will likely depend on its ability to attract additional capital outside the insurance and reinsurance sector to absorb potential unexpected losses,” says Payne.
