Cyber insurance is becoming a key part of corporate risk management as cyber losses rise, threats spread more quickly, and many companies are still unprepared. This is the main message from Strengthening Cyber Resilience Through Insurance, a new report from the Geneva Association. According to the report, the median annual loss from a cybersecurity breach has grown fifteen times over the last 15 years, from about $190,000 to nearly $3 million. Major incidents now result in average losses exceeding $28 million. The report explains why cyber insurance is important for more than just paying claims. It examines how insurers can help improve cyber hygiene, support incident response, accelerate recovery, and build resilience, especially for smaller firms that are often underinsured.
Quick Report Summary
The report says that cyber insurance offers more than just claim payments, building on its main message. It can help companies improve their basic security, respond to incidents, and recover more quickly. The authors, Darren Pain and Sasha Romanosky, state, “cyber insurance does not just cover losses.” They also note that insurers work with partners and policyholders “to anticipate risk and respond to cyber incidents.” The report defines cyber resilience as the ability to prevent, handle, and recover from disruptions. This idea shapes the main conclusion: companies need stronger resilience, and cyber insurance can help them achieve it.
Cyber Threats Keep Rising
The report opens by highlighting the growing threat. Publicly reported cyber incidents have increased over the last twenty years. In 2024, ransomware and distributed denial-of-service attacks made up nearly half of all events. The report also points out that many attacks are never reported, so the available data likely underestimates the true scale of cyber damage. Geneva Association Managing Director Jad Ariss said in a press release, “Cyber risk is no longer just an IT issue – it is a core business and economic risk.” This statement sums up the report’s message: cyber risk is now as important as supply chain, financial, and operational risks.
AI And Digital Dependence Expand The Attack Surface
The report connects rising cyber risk to geopolitics, cloud use, artificial intelligence (AI), digital supply chains, and more advanced attackers. It notes that while AI can help defend systems, it also lets attackers scale up quickly. The report points to risks such as malware creation, phishing, social engineering, attack automation, and finding system weaknesses as growing AI-driven threats. It also highlights that relying on outside vendors for IT infrastructure and services is a major vulnerability. In 2024, 23.3% of all cyber incidents came from breaches through third-party IT and technology providers, up from 10.9% in 2020. This trend is important for cyber insurance because it increases the range of possible losses and makes recovery more complex.
Basic Cyber Hygiene Still Falls Short
Even with the growing threat, many companies still miss basic security steps. The report says that many incidents begin with phishing, weak passwords, unpatched software, and misconfigured systems. It cites research showing that over 94% of data breaches in 2024 could have been stopped with simple measures like multifactor authentication. The report also points out a worrying gap: vulnerabilities are rising, but security budgets are not growing as fast. A chart on page 14 shows that while security budgets are increasing more slowly, common vulnerabilities and exposures keep going up. For those buying cyber insurance, this trend reinforces a key point. Prevention is still inconsistent, so insurance often has to fill the gaps left by weak internal controls.
How The Report Defines Cyber Resilience
The report features a “resilience triangle” to show what companies should aim for. Resilience means preventing incidents before they happen, responding effectively during an incident, and recovering afterward. The goal is to reduce both how bad and how long a disruption lasts. This requires better controls before an attack, stronger containment during it, and faster recovery after. The report also makes an important point about cyber insurance: risk management tries to limit losses before an event, while resilience measures how well a company can adapt once an incident begins.
Cyber Insurance As A Resilience Tool
The insurance section is central to the report’s argument: cyber insurance has changed from just transferring risk to offering a wider range of services. Insurers now require basic security measures, monitor threats, send alerts, and connect policyholders with experts. The report calls this approach “cyber insurance-as-a-service.” By combining these services with financial coverage, insurance becomes more effective and helps build resilience. Darren Pain said, “Cyber insurance already contributes to resilience through underwriting standards, incident-response services, and claims support.”
What Insurers Actually Deliver
This service approach shapes what insurers do. The report says insurers can help increase resilience both before and after a breach. Before a loss, they might require penetration testing, vulnerability scans, endpoint protection, dark web monitoring, or multifactor authentication. They also share real-time information about current threats. For example, on page 26, the report notes that ransomware claims in 2024 often started with compromised VPN or remote desktop access. After a loss, insurers usually pay for forensic investigations, legal advice, public relations support, and system restoration. They also offer access to approved incident response firms, which are specialist teams that help organizations recover from breaches. These services can help companies recover faster and make crisis management smoother.
Claims Data Shows Real Value
The report backs up its points with market data. For instance, Willis Towers Watson looked at 4,650 cyber claims in over 90 countries and found that 92% of reported, potentially covered losses were included in cyber insurance coverage. The report also says that insurance payouts cover a large part of incident costs. For small and medium-sized businesses, average payouts have covered 70% of incident costs in recent years. It also notes that crisis costs, such as privacy counsel, digital forensics, notification support, and public relations, make up about 52% of expenses. Together, these numbers show why the report views cyber insurance as a practical support tool, not just financial protection.
SMEs Remain The Weak Link
The report’s biggest warning is about smaller companies. Few small and medium-sized businesses (SMEs) have cyber insurance, even though many do not have strong internal cyber defenses. The report says only about 10% of SMEs worldwide have cyber insurance. For the smallest firms, the rate is even lower in North America and Europe. Meanwhile, 35% of small organizations say their cyber resilience is not good enough. Pain said many policyholders, “particularly SMEs, underuse the preventative services embedded in their policies.” The report suggests that better awareness, simpler products, clearer language, and easier claims processes could help fix this problem.
What Needs To Happen Next
The report ends with recommendations for improving the cyber insurance market. The last section acts as an action plan, calling for better education, more flexible coverage, simpler language, modern digital distribution, closer partnerships with technology providers, and stronger cooperation with governments. It also encourages support for systemwide resilience, such as automated defenses and coordinated efforts to find vulnerabilities. The main message is clear: cyber insurance can help companies prevent incidents, handle disruptions, and recover more quickly, but only if more firms understand and use all the services their policies offer.
Cyber Insurance FAQ: Cyber Resilience, SME Risk, And Claims Support
It says cyber insurance can improve prevention, response, and recovery.
Cyber losses are rising fast, and attacks are growing more complex.
Median annual breach losses rose from about $190,000 to nearly $3 million.
It is a firm’s ability to prevent, absorb, and recover from cyber disruption.
It provides claims payments, risk guidance, and incident response support.
Policies may include threat alerts, forensics, legal help, and recovery support.
Many SMEs face cyber risk but still lack coverage and internal resources.
The report says only about 10% of SMEs globally carry cyber insurance.
Yes. Insurers often require stronger controls during underwriting.
Cyber insurance can strengthen resilience, but firms must use it more fully.