Major loss drivers in cyber insurance

Oleg Parashchak
Published in Forinsurer
Apr 12, 2024

Munich Re loss data and experience paint a clear picture of cyber risks and their impact on cyber insurance. This is particularly true for ransomware, business email compromise and business communication compromise, data breaches and supply chain vulnerabilities, according to Cyber Risk Insurance Market Global Trends 2024.

Over the past months, Munich Re has observed a surge in cyber-attacks, with ransomware once again on the rise.

Ransomware

Ransomware will continue to be the dominant risk and loss driver for cyber insurance. Advances in applied technological progress and tactics point to a more complex and damaging ransomware landscape, where more and stronger ransomware groups will shorten their dwell times, including through the use of prompt injection tactics.

Reports note that the number of ransomware victims surged by as much as 143% globally during Q1 of 2023, with January and February seeing the highest number of hack and leak cases in three years.

Ransomware alone is projected to cost its victims approximately $265bn annually by 2031.

Companies that are routinely and properly managing their data, making sure it is stored appropriately and deleted when it is no longer required, will reduce the amount of data at risk.

Protecting an organization against intrusion remains a cat and mouse game, in which the cyber criminals have the advantage.

Ransomware costs — double extortion changes the rules and cost

Indeed, there are very few cases where a company may believe that there is no other solution than paying the ransom to be able to re-access their systems or data. Any impacted company should always inform and cooperate with the police or national investigation authorities.

Ransomware-as-a-Service (RaaS) models will become even more competitive in dark web markets, partly because AI can drive or enhance them.

AI will encourage a high degree of automation in hacking processes and lead to a strong individualization of attacks — with tailored phishing or email extortion that can be easily translated into multiple languages in high quality by AI and thus scaled in many regions simultaneously.

TOP 6 industries affected by Ransomware

Munich Re experts also expect a further diversification of extortion methods beyond encryption, continuing the shift already observed from a focus on data for extortion towards exploitable data for sale, potentially targeting employees, suppliers, customers and other third parties.

Business email compromise and Business Communication Compromise

Munich Re specialists predict a significant rise in Business Email Compromise (BEC) and Business Communication Compromise (BCC) attacks from 2024 onwards. These scams trick company employees into unauthorized actions like making payments or leaking confidential information.

BEC attacks, in particular, are prevalent due to their low difficulty and high reward potential, despite requiring minimal technical skills.

Scammers utilize not just emails but all forms of communication platforms, including social media, to facilitate these frauds. Such attacks not only lead to substantial financial losses but also erode trust and damage reputations.

One common form of these frauds is CEO fraud, where attackers impersonate executives and direct employees to send money.

With the integration of AI and deepfake technologies into criminal activities, creating convincing fake communications through phone calls, digital meetings, and videos has become both simple and inexpensive.

A notable case in early 2024 involved a Hong Kong-based employee of a multinational corporation who sent nearly $26 million to fraudsters. This employee was deceived by a video call featuring deepfake representations of their colleagues, including the CFO, orchestrated using sophisticated AI technology.

Data Breaches

By the end of 2024, privacy regulation will cover three quarters of consumer data worldwide, but 60% of all regulated global entities will struggle to comply with intensifying data protection regulation and privacy requirements, given the high rates of data growth driven by technology.

5G will continue to be the driving force behind mobile data growth: By 2029, 5G’s share of mobile data traffic will have surged to 76%.

Video traffic will account for the majority of mobile data, rising from slightly above 70% of all mobile data traffic currently to 80% by 2029, according to Ericsson.

Amid rapid technological advancements, it is crucial to remember the significant role of data value and criticality, compliance with data regulations, and liability issues in shaping the cybersecurity landscape.

These factors are driving the proliferation of hack-for-hire and data theft services.

Proportion of Insurance Claims by Sector

Despite the use of AI-enhanced spear phishing in many sophisticated data breaches, about 90% of these incidents still involve human actions, underscoring the need for comprehensive awareness and robust defense strategies that extend beyond technological solutions, according to Forrester.

Supply Chain Vulnerabilities

Dependencies on software and hardware supply chains and digital services are set to increase sharply, making them prime targets for cyberattacks.

Experts from Munich Re anticipate a rise in hacks involving networks of suppliers, manufacturers, and service providers across IT, operational technology, and the Internet of Things in Insurance.

Reflecting on the potential impacts, a World Economic Forum study indicates that 41% of companies have experienced a cyber incident through third parties as of 2024.

Attackers increasingly target small and medium-sized suppliers in order to subsequently breach the systems of their larger clients.

The financial repercussions are substantial, with the global cost of software supply chain attacks projected to increase from $46 bn in 2023 to $60 bn by 2025, according to Juniper Research.

Munich Re invests in initiatives and resources that deepen both its own and the industry’s understanding of aggregate cyber exposure and further advance risk modelling. The need for robust accumulation modeling underpins all underwriting and risk management activities at Munich Re.

Cyber insurance cornerstones

In the space of a decade, cyber insurance has become an essential component of cyber risk management for organizations and households.

Against an extremely dynamic threat landscape, where geopolitical and technological stressors are setting new priorities, tackling insurability challenges and managing accumulation risk is key to the long-term sustainability and functionality of a still maturing market.

Insurers and risk modelers continue to explore the limits and possibilities of insurability. Prudent further development of the market is necessary, with anticipated future global demand requiring sufficient capacity from insurance and alternative capital markets.

Cyber risk must be managed properly and collectively. This is also true of those risks that cannot be managed, or at least not fully, by the private sector.

Governmental cyber protection

Cyber insurance has undoubtedly helped to build an effective layer of resilience. However, the insurance industry’s risk-bearing capacity has natural limitations.

The damage from catastrophic systemic events like cyber war or outage of critical infrastructure would far exceed the industry’s capacity. Such scenarios pose a threat to macroeconomic stability, which is why societies need the involvement of governments to manage these potentially catastrophic cyber risks.
