Unlike any other type of insurance risk, cyber risk has agency – if you harden your defenses, a cyber attacker will change tactics to find another weakness. The organizations that survive these battles have cultivated operational resilience by fostering a proactive cyber security culture, with well-defined policies and up-to-date technology. Preparing for cyber risk in advance allows firms to react quickly as new threats emerge.
A Brief History
The first cyber insurance policy was developed about 20 years ago – before the cloud, the internet of things, online email platforms, and iPhones. IT departments were focused on protecting personal computers and on-site servers and networks.
Today, cloud computing and cloud storage have become the norm, creating a $1 trillion industry by the end of 2028. There are more than 75 billion connected devices around the globe, and 7.2 billion smartphones – figures that continue to grow, providing more and easier access to the internet. Managed security service providers are not so concerned about a single computer being infected, but rather about viruses that spread quickly across entire organizations. Interconnectedness has become a component of critical infrastructure, and governments must grapple with how to minimize disruptions.
With the emergence of AI – which has benefits in terms of cybersecurity, but also creates a host of different threats – it’s a much different landscape than 20 years ago, and one that is evolving very rapidly.
Five Emerging Cyber Threats
Cyber risk is the defining risk of the 21st century. The rise of cyber dependency is connected to a whole range of potential knock-on effects with repercussions that can destabilize whole economies. Cyber-attacks are increasing in frequency and sophistication, positioning cyber as a top business risk. Cybersecurity has tried to keep pace; nevertheless, even large institutions (like JP Morgan, which spent $600 million in cybersecurity defenses) are victims of cyber-attacks. So, what types of threats are we looking at for 2025?
1 | AI-Powered Cyber Attacks
AI is being applied to increase the sophistication of cyber-attacks. Hackers are tracking employee behavior (searches, communications, social media) to generate names and predictive email text that can trick individuals into providing key details, clicking on links, or sending money. AI-generated deep fakes – either videos or voice recordings – are also being used to elicit access to a network or a server via phone calls, emails or online.
Responses to cyber-crime have evolved from antivirus software 20 years ago to firewalls, password protection, spam filters, endpoint security, access management, data protection, multi-factor authentication, advanced detection and assessments. And now we’re seeing utilization of AI in cybersecurity protocols. Implementation of AI in cyber is another area that we really need to make space for in our cybersecurity defenses going forward.
2 | Geopolitical Cyber Crime
Attacks from nation states – Iran, North Korea, Russia and China – are not just disinformation campaigns to sway elections, they are also sowing disruption in our critical infrastructure, energy grids, and transportation networks. These attacks intend to create the highest level of chaos possible for their adversaries, but they have the additional consequence of disrupting business productivity. There’s an economic and GDP toll from these types of attacks, but businesses need to be prepared for the fallout, because they are the unintended secondary victims.
Zero Trust is a new security model that requires a higher level of verification; there is literally zero trust of any user. The model requires verification of every device and every access point into a network, regardless of location and regardless of how many times credentials have been verified previously. Strict data lockdown is one way to mitigate both the AI and the geopolitical cybercrime components.
3 | Access to Cyber Insurance
As a result of escalating cyber risks, cyber insurance markets are more stringent in underwriting and available coverage. Just to get a quote, an organization must meet increased requirements, like multi-factor authentication, data backups, redundancies, and staff training. Without them, underwriters are declining to even issue quotes.
Additional exclusions pertaining to nation state attacks and reduced limits for ransomware attacks are also becoming commonplace. So, the risk into 2025 and beyond is that the cyber insurance market may become less accessible. Ultimately, the greatest defense mechanism an organization could have often lies between the chair and the keyboard, making training, cybersecurity culture, and cyber hygiene a critical strategy for combatting this risk.
4 | Supply Chain Vulnerability
Third-party risk remains a key avenue for potential cyber intrusions. Software suppliers are a critical source of this vulnerability. For example, in the healthcare space, legacy systems and outdated platforms create inherent vulnerabilities. Those should be monitored to ensure they’re not creating an entry point for would-be cyber criminals.
From the cyber insurance perspective, as well as cybersecurity in general, heightened scrutiny of all suppliers and vendors is critical – especially if there’s any access to data and networks – including their cybersecurity practices, ability to withstand a cyber breach, cyber insurance, or financial ability to remediate a potential issue.
5 | Cybersecurity Talent Shortage
There’s a gap between the number of cybersecurity professionals with the skills required to really deal with cyber threats at the pace at which they’re evolving and the demand for these workers. Companies often have to outsource their cybersecurity services because they don’t have the budget to hire the talent needed in-house, or their IT staff may not be able to adequately manage the firm’s cybersecurity needs. This is going to be a continued risk, and organizations need to prepare a realistic strategy to fund and procure these essential services.
Mitigating Your Risk
There is a persistent education gap in how to quantify cyber risk and the value of cyber mitigation investments, like cyber insurance, which brings a whole host of services and solutions with it. In fact, a recent survey found that most C-suite executives were not aware of the details of their cyber insurance coverage.
The first step to taking control of risk is to take stock of the organization’s risk mitigation strategy, which generally comprises four approaches: avoid, transfer, reduce, accept. In cyber, avoidance is unrealistic because most organizations are going to use some form of computer or digital component in their business. Risk transfer can include moving your data storage to the cloud, where providers have more security and resources to deploy, or cyber insurance – which shifts the financial impact of a cyber incident to the insurance carrier. Eliminating or limiting stored data is a risk reduction strategy, as are data access controls and limiting what data is collected. Lastly, accepting some level of risk for engaging with the internet and utilizing computers is unavoidable. The question becomes, how can we leverage the other strategies to lessen the impact?
There is a range of different cyber insurance products that have flooded the market, and not all of them are created equal. Bundled products, meaning cyber coverage is tied into a business owner’s policy or property policies, really provide only a financial component.
The average breach is coming in at roughly $4.8 million in total costs – including notifications and credit monitoring services, forensics and data analysis. To ensure the right level of protection, a standalone cyber insurance product that includes all the different layers of cyber insurance protection that you need for liability, business interruption, and breach response is essential.
Conclusion
Continual monitoring of cyber risk and cybersecurity to keep pace with the ever-changing cyber threat landscape is, unfortunately, the new normal. While cyber insurance is one tool to minimize the financial impact, underwriting requirements are also increasing, so investing in the bare minimum cybersecurity standards is non-negotiable for businesses that intend to build the operational resiliency required to withstand the increasing frequency and sophistication of cyber-related incidents.