Insurance Europe has released a new report titled “Insurers’ Role in EU Cyber Resilience,” highlighting the escalating frequency and severity of cyber threats and offering policy recommendations to bolster cyber resilience across the European Union.
As cyberattacks increased by 38% globally between 2022 and 2023, businesses face growing risks from ransomware, malware, phishing, and other sophisticated threats. The World Economic Forum ranks “cyber insecurity” the fourth most severe global risk for the next two years. It falls behind “misinformation and disinformation,” “extreme weather events,” and “societal polarization.” Despite the rapid growth of the cyber insurance market, a significant protection gap remains, with underinsurance posing a critical issue for businesses and individuals. According to Munich Re, the global cyber insurance market has surged from $5.9 billion in 2019 to an estimated $14 billion in 2023.
Our further analysis of the report follows; you can read it all here.
Insurance Europe identifies five key challenges that complicate the quantification and assessment of cyber risks:
- Uncertainty of potential future losses: Predicting future losses is difficult due to the non-linear progression of cyberattacks and evolving regulations.
- Highly correlated risks: The widespread use of common operating systems creates highly correlated risks, as a single vulnerability can affect numerous users.
- Limited data on cyber incidents: Sparse historical and actuarial data hinder insurers’ ability to model losses effectively.
- Increasingly intangible losses: Cyberattacks often result in intangible damages like reputational harm, which are hard to quantify.
- Systemic catastrophic cyber risks: Large-scale cyberattacks pose systemic risks that could have devastating societal consequences beyond the capacity of insurers to cover alone.
To address these challenges, Insurance Europe offers several policy recommendations:
- Promote awareness-raising of cyber resilience: Policymakers and insurers should collaborate to increase businesses’ and individuals’ awareness of cyber risks and mitigation strategies.
- Facilitate access to comprehensive data on cyber incidents: Making cyber incident data available to insurers would enhance their ability to model risks and offer appropriate coverage.
- Support public-private cooperation on catastrophic risks: Joint efforts between public authorities and the private sector are necessary to develop solutions for catastrophic cyber risks.
- Avoid mandatory insurance schemes and rigid standardisation: Mandating insurance or imposing standardised products could hinder market growth and fail to meet the diverse needs of policyholders.
- Avoid ransomware payments: Companies should be encouraged to work with authorities rather than paying ransoms, which often fund organized crime groups.
The European insurance industry is pivotal in enhancing cyber resilience by supporting business continuity, assisting companies in implementing protective measures, increasing awareness of cyber risks, and advising policymakers. Cyber insurance policies offer varied coverage tailored to policyholders’ needs, including first-party cover for business interruption and digital asset damage, third-party cover for privacy liabilities, and technical services like risk assessments and incident response assistance.
Cyber insurance policies may include:
- First-party coverage: Covers business interruption costs, damage to digital assets, and incident response expenses.
- Third-party coverage: Addresses privacy and confidentiality liabilities arising from data breaches or other incidents affecting third parties.
- Technical services: Offers risk exposure assessments and assistance with technical, legal, and public relations responses to cyber incidents.
However, the European cyber insurance market still lags behind North America, which accounts for approximately 70% of global cyber gross written premiums. The market in Europe faces difficulties due to underinsurance and a significant protection gap estimated at $0.9 trillion annually. Cybersecurity firm CYE reports an average coverage gap of 350% among surveyed companies in 2024, indicating that losses from breaches far exceed existing coverage levels.
Insuring cyber risks is complex due to the multifaceted nature of cyber threats. The lack of historical data and the rapidly evolving threat landscape make risk assessment challenging. Additionally, “silent cyber” risks—where cyber-related claims are made under policies not intended to cover cyber elements—have prompted insurers to review and clarify their coverage.
Insurance Europe cautions against mandatory insurance schemes and rigid standardization, arguing that they could stifle market growth and lead to policyholders purchasing inadequate or unnecessary coverage. Instead, the organization advocates for flexible solutions that can adapt to the evolving cyber threat landscape and meet businesses’ diverse needs.
Ransomware Payments and Collaboration
The report also emphasizes the importance of avoiding ransomware payments. By paying ransoms, companies may inadvertently fund criminal activities and encourage further attacks. Insurance Europe recommends that businesses work closely with authorities to address ransomware incidents, leveraging the support provided by cyber insurance policies.
In light of increasing cyber threats, the EU has enacted legislation such as the NIS2 Directive and the Digital Operational Resilience Act (DORA) to enhance cybersecurity across member states. These regulations aim to mitigate digital disruptions, improve resilience, and foster better coordination. However, legislation alone is insufficient; companies must proactively integrate cybersecurity measures and consider insurance as part of their risk management strategies.
As digital transformation accelerates, the insurance industry stands ready to support companies in mitigating cyber risks. By offering tailored insurance solutions and technical support, insurers can help businesses recover swiftly from cyberattacks and strengthen their overall resilience. Collaboration between insurers, businesses, and policymakers is essential to closing the protection gap and building a secure digital future.
Conclusion
The rapid growth of the cyber insurance market underscores the escalating cyber threats facing businesses today. The EU can enhance its cyber resilience by addressing the challenges in quantifying and assessing cyber risks and implementing the recommended policies. Insurers play a central role in this effort, but cooperation with policymakers and businesses is vital to manage and mitigate cyber risks effectively.