Personal cyber risk – historically viewed as synonymous with “identity theft” – has evolved with the rise of internet-connected devices in the home. These devices can open the door to malware that can seize control of a homeowner’s data and expose them to extortion and other threats. Phishing and financial scams have been found to generate the greatest losses for homeowners.
Insurance for these perils exists, but adoption has not grown in line with the increasing peril. Triple-I and Hartford Steam Boiler (HSB) recently conducted research to better understand why and what insurers can do about it. The survey found that personal cyber insurance – while presenting a sales opportunity – involves educational challenges for agents and consumers.
Triple-I surveyed retail agents of homeowners insurance, since personal cyber coverage is commonly sold as an endorsement to homeowners’ policies. These agents are very knowledgeable about homeowners’ risks that can result in physical damage to property, as well as theft and liability coverages.
“Agents see the storm,” said Neil Rekhi, product manager for personal cyber insurance at HSB, “but homeowners can’t envision the damage until it’s too late.”
While 84 percent of agents surveyed said they recognize the value of personal cyber insurance, the survey found a notable gap between agents who feel comfortable selling it and those who don’t.
This hesitation is mirrored by consumer skepticism. The study found that 56 percent of agents report their customers either don’t understand or don’t agree with the value proposition of personal cyber insurance products.
“There’s a significant disconnect between agent perceptions of customer needs and actual customer perceptions of product value,” noted Dale Porfilio, Chief Insurance Officer at Triple-I.
Sales efforts remain robust, with 77 percent of agents having presented personal cyber insurance options to homeowners in the past month. However, consumer adoption rates continue to lag, highlighting a fundamental communication breakdown.
“Closing the personal cyber protection gap will require a three-pronged approach: consumer education, agent/broker training, and a data-driven approach to product development,” says Triple-I CEO Sean Kevelighan.
Cyber insurance claims are showing alarming trends in both frequency and severity, with U.S. businesses experiencing particularly steep increases while markets outside the U.S. show declining rates, according to a report from Chubb.
The comprehensive claims analysis, based on Chubb’s cyber claims data through December 2024, reveals critical insights about ransomware incidents driving claim severity, privacy-related liability becoming increasingly complex, and widespread cyber events contributing to rising frequency—all factors that are fundamentally reshaping the cyber risk landscape for businesses of all sizes.
U.S. Market Trends
The cyber insurance landscape in the U.S. continues to evolve at a concerning pace, with both frequency and severity of claims showing upward trajectories over the past three years. While claim frequency remains below the peak levels observed in 2020-2021, severity has increased significantly from 2020 through 2024, with notable volatility in recent years, Chubb reported.
Particularly alarming is the sharp increase in claim severity for mid-sized companies with revenues of $100 million to $999 million, and large companies with revenues exceeding $1 billion. These organizations have experienced substantial losses that have made headlines across business media. Interestingly, many of these attacks weren’t the result of sophisticated malware evading robust cybersecurity systems, but rather social engineering attacks targeting IT help desks and involving SIM card swaps in mobile phones, according to the report.
Another troubling trend is the rise in widespread cyber events—incidents that simultaneously affect numerous companies. These events, which can stem from attacks, software malfunctions or human error, increased to 5.3% of total reported claims in 2024, up from 4.0% in 2023, contributing significantly to the overall frequency of cyber claims.
International Market Contrast
The cyber risk scenario outside the U.S. tells a markedly different story. International markets are experiencing declining trends in both the frequency and severity of cyber claims. For medium and large revenue accounts outside the U.S., severity has decreased over the past three years, while small revenue accounts have seen only modest increases in severity, Chubb reported.
This divergence can be attributed to several factors. International businesses have increased cyber risk awareness at executive and board levels, improved business continuity planning, developed more robust incident response protocols, and focused on compliance with new regulatory frameworks such as the EU’s Digital Operational Resilience Act.
Perhaps most striking is the difference in ransom payment behavior. The willingness to pay ransoms is substantially lower outside the U.S., with only 8% of companies paying ransoms in 2024 compared to 35% of U.S.-based companies. This trend has remained consistent over the past five years, Chubb reported.
Notable Claims Statistics
The financial impact of cyber incidents continues to grow, with ransomware remaining the primary driver of losses. In 2023 and 2024, ransomware-related losses accounted for nearly 72% of all cyber claim dollars, up from an average of 63% between 2020 and 2022. The frequency of subsequent third-party litigation from ransomware incidents has also increased dramatically, up approximately 75% in 2024 compared to the 2020-2021 average.
The July 2024 CrowdStrike incident provides a sobering example of how non-malicious events can cause widespread disruption, the report noted. When the cybersecurity company CrowdStrike sent a faulty software update to customers worldwide, it resulted in 8.5 million systems crashing and generated between $400 million and $1.5 billion in insured losses, the report stated.
This incident highlighted that system failures can be as devastating as malicious attacks, underscoring the importance of comprehensive incident response planning and resilience measures. Organizations with strong resilience capabilities in place were better positioned to weather this unexpected disruption, reinforcing the value of preparedness in today’s interconnected digital ecosystem, according to Chubb.
Evolution of Privacy-Related Claims
As digital footprints expand and consumer awareness grows, privacy-related claims have emerged as a significant concern for businesses across the U.S. Recent data reveals a troubling trend: the proportion of third-party claims related to privacy liability has doubled in 2023-24 compared to 2020-22. This surge reflects not only heightened consumer awareness but also the evolving regulatory environment that has created new avenues for litigation, the report explained.
Three key regulatory frameworks are primarily driving this increase in U.S. privacy claims, Chubb reported:
The Illinois Biometric Information Privacy Act (BIPA) has become particularly impactful, regulating how companies collect, use, and handle biometric identifiers and information.
The Video Privacy Protection Act (VPPA) has gained renewed relevance in the digital age. This law directly addresses how companies implement and use pixels—those tiny snippets of code embedded in websites that track user behavior.
State-level wiretapping laws have also contributed to the privacy claims landscape. The California Invasion of Privacy Act (CIPA), for instance, provides individuals with a private right of action against businesses for privacy violations, with potential statutory damages reaching $5,000 per violation—a figure that can quickly escalate to significant amounts in class action scenarios.
Beyond U.S. borders, international privacy regulations continue to reshape how global businesses approach data handling and privacy compliance. The European Union’s General Data Protection Regulation (GDPR) stands as the gold standard, comprehensively regulating the lawful collection, processing, use, retention and deletion of personally identifiable information.
For insurers, “customer” is one word that encompasses individual policyholders, business owners, risk managers, agents and brokers, and others, all with different (often divergent) priorities. For reinsurers – whose primary customers are insurers themselves – “understanding the customer” is particularly challenging.
This was part of the motivation behind RiskScan 2024 – a collaborative survey carried out by Munich Re US and Triple-I. The survey provides a cross-market overview of top risk concerns among individuals across five key market segments: P&C insurance carriers, P&C agents and brokers, middle-market business decision makers, small business owners, and consumers. It explores not only P&C risks, but also how economic, political, and legal pressures shape risk perceptions.
“I get very excited when we have a chance to be in our customers’ shoes,” said Kerri Hamm, EVP and head of cyber underwriting, client solutions, and business development at Munich Re US, in a recent Executive Exchange interview with Triple-I CEO Sean Kevelighan. “To really understand how they feel about a broad range of issues from what are their most important risks to how they feel about the cost of insurance and the economic environment.”
Hamm discussed how more than one-third of respondents ranked economic inflation, cyber risk, and climate change as top concerns, identifying them as “increasing or resulting in rises of the cost of insurance.”
“When we really understand what our customers want, we can design a better product and think about whether the coverages we’re providing are meaningful to them,” Hamm said. “That can help us match pricing better to their expectations.”
One result that Hamm found “surprising” was that “legal system abuse” didn’t appear to be as widely accepted by respondents – apart from the insurance professionals – as driving up insurance costs. Kevelighan cited other research – including by Triple-I’s sister organization, the Insurance Research Council – that has found consumers to be aware of the growing influence of “billboard attorneys”.
Unfortunately, he said, “They don’t seem to be making the connection with how that’s affecting them. What we’re trying to do at Triple-I is to help them make that connection.”
Kevelighan talked about Triple-I’s education campaign around “the billboard effect” in Georgia. That campaign includes an actual billboard (“Trying to fight fire with fire,” he said), as well as a microsite called Stop Legal System Abuse. The campaign focuses on Georgia because the state tops the most recent list of places that the American Tort Reform Foundation calls “judicial hellholes”.
“We’re trying to help citizens in Georgia see that this is costing you,” Kevelighan said, adding that Triple-I has seen high engagement through the program with people in the state.
When I first wrote here about insurance coverage related to cryptocurrency theft, I discussed whether these digital assets were securities (as suggested by the SEC) or property (as suggested by the IRS) and how that might impact insurance coverage under a typical homeowners policy.
I also discussed whether the full policy limits for generic property were available for the theft of the assets or a policy sublimit for money would apply.
At that time, courts had provided little guidance on the issue, and few situations were analogous. In recent years, however, guidance has emerged, including from a line of cases that would not appear to have much relevance at first glance.
Wrestling over “physical” loss
Nearly every appellate court in the country has wrestled with the issue of whether economic losses experienced by businesses as a result of the COVID-19 pandemic were covered by their commercial property insurance policies. A commercial property policy typically covers the “physical” loss of or damages to property. Insurers uniformly denied those business interruption claims and thousands of businesses sued. Courts consistently rejected the businesses’ claims for coverage because the COVID-19 virus does not change the structure of the insured property, and purely economic losses are not “physical” loss or damage.
Similar to the commercial property insurance policies at issue in the COVID-19 claims, a typical homeowners policy covers the direct physical loss of covered personal property.
In 2021, Ali Sedaghatpour had approximately $170,000 of his cryptocurrency stolen and made a claim under his homeowners insurance policy. The insurer paid him the $500 limit for the theft of electronic funds, but denied coverage for the remainder of the loss. The homeowner sued and the federal district court for the East District of Virginia ruled in favor of the insurer. Recently, the United States Court of Appeals for the Fourth Circuit affirmed the decision in favor of the insurer. The case was titled Sedaghatpour v. Lemonade Insurance Co. (Case No. 23-1237).
The court ruled that the digital theft of the homeowner’s currency did not amount to direct “physical” loss and the insurer owed the homeowner nothing more than the $500 it had already paid. The appellate court did not disturb other findings by the trial court – including the lower court’s citation to dictionary definitions of cryptocurrency, which state that cryptocurrency exists “wholly virtually.”
Looking ahead
In the Sedaghatpour case, the courts were applying Virginia law; however, given the uniform development of “physical loss” throughout the country in the COVID-19 context, I expect other courts around the country will come to the same conclusion when the issue of how to treat digital assets comes before them. I likewise observe that some insurers have revised their policy language to state expressly that the loss of “electronic currency” is not covered.
These recent court cases confirm that individuals owning cryptocurrency should take extra care to protect their digital assets and should not rely on standard language in homeowners insurance policies to hedge against theft.
Michael Menapace is a Triple-I Non-Resident Scholar, Co-chair of the Insurance Practice Group at Wiggin and Dana LLP, a professor of Insurance Law at the Quinnipiac University School of Law, and a Fellow of the American College of Coverage Counsel.
Cyber incidents, changes in climate, and business interruption are the chief risk concerns among key marketplace segments in the insurance industry, according to RiskScan 2024, a new survey from Munich Reinsurance America Inc. (“Munich Re US”) and the Insurance Information Institute (Triple-I).
RiskScan 2024 provides a cross-market overview of top risk concerns among individuals across five key market segments: P&C insurance carriers, P&C agents and brokers, middle-market business decision makers, small business owners, and consumers. The survey explores not only P&C risks, but also how economic, political, and legal pressures shape risk perceptions.
Methodology
To produce a compelling snapshot of cross-market views, Munich Re US and Triple-I engaged independent market researcher RTi Research in the summer of 2024 to survey 1,300 US-based individuals.
Market surveys typically focus on a single audience, but RiskScan 2024 is a multi-segment survey offering a comprehensive view of risk perceptions and yielding comparative results between audiences. The key insights present a variety of commonalities and disparities across the five distinct target segments, covering the full range of insurance buyers and sellers across the United States.
This online survey was conducted across gender, age, geographic region, household income, business revenue, and company size.
Two primary cohorts make up five segments of participants in the RiskScan research:
Consumers and small business owners (n=700), and
Insurance industry participants, which included carriers, agents, and brokers as well as middle market businesses (n=600).
Research participants were presented with various risks across five segments and then asked to select their top three risk concerns.
Key Insights
More than one-third of respondents chose economic inflation, cyber incidents, and climate change as their top three concerns based on insurance risks and market dynamics. All three of these reflect post-pandemic news topics. Economic inflation has increased over the last several years. Consumers and small business owners have experienced direct impacts with increased costs and industry participants have seen these impacts on increased replacement costs and P&C insurance premiums.
There are significant disparities in the ranking results between the two primary cohorts within the research. Insurance professionals tend to identify a variety of risks and have significant awareness of all risk categories, including emerging technologies. As expected, these audiences exhibit broader knowledge and awareness of risk transfer and mitigation of new and emerging risks. Consumers identified a smaller number of risks associated with more immediate and direct impacts on themselves.
The structure of RiskScan 2024 research yields a more complete understanding of the “white space” that exists between risk perception and action. The gaps were identified along three key risk areas:
Flood risk,
Cyber risks, and
Legal system abuse
Flood risk was also indicated as one of the chief concerns for each audience. However, consumers lack awareness that flood events are typically excluded from homeowner’s policies. Industry professionals are more aware of flood coverage exclusions, the importance of purchasing flood coverage before a flood event, and the likelihood of these events occurring.
Cyber incidents are a primary concern in all five market segments. Most audiences in the research, both consumer and commercial, feel unprepared as this threat vector is constantly emerging, expanding, and changing. Many people are knowledgeable about cyber risks and are concerned about how to mitigate new cyber threats. Troubling stories have come to light as the frequency and severity of cyber threats grow.
“The knowledge gap about insurance risks demonstrates the continued need for education of consumers and businesses, especially about flood, cyber, and legal system abuse,” says Triple-I CEO Sean Kevelighan. “Increasing knowledge will be instrumental for the collective work needed to better manage and mitigate future risks.”
The report includes additional results for each of the five primary audiences: consumers (n=500), small business owners (n=200), insurance carriers (n=200), insurance agents and brokers (n=200), and middle market businesses (n=200).
Download the full RiskScan 2024 report to review the details. Triple-I aims to empower stakeholders by driving research and education on this and other key insurance topics. Follow our blog to keep abreast of these essential conversations.
Targeting of the demographic with the most to lose increases.
In 2023, total losses reported to the FBI’s Internet Crime Complaint Center (IC3) by people over the age of 60 topped $3.4 billion, an almost 11 percent increase in reported losses from 2022. The number of complaints, the highest attributed to a single age group, increased by 14 percent. The average dollar loss per complaint was $33,915, with nearly 6,000 people losing over $100,000 per claim.
The IC3 report outlined several common cyber fraud activities that impact individuals over 60, including:
Call Center/Tech Support Scam
Confidence/Romance Scams
Cryptocurrency Scams
Investment Scams
The IC3 notes the actual figures around these and other cyber crimes targeting the elderly may be higher since only about half of the more than 880,000 total complaints it received (with total losses exceeding $12.5 billion) included age data.
A major reason for the proliferation of elder fraud may simply be that members of this age group are plentiful while also having comparatively the most to steal. Adults 65 and up are expected to make up 22 percent of the US population by 2024. Federal Reserve data indicates that their asset accumulation outpaces that of other age groups, with median and average net worth figures for adults 65-74 at $409,900 and $1.8 million, respectively, and for adults 75 and over, $335,600 and $1.6 million respectively.
Increasing digital lives and advancing technology create new threats.
The transition to the smart mobile and app economy, along with the rise of big data and predictive analytics/AI, and (due to the pandemic) remote working, have transformed the way we engage with the world on a social, professional, and financial level. The Internet of Things (IoT) and each person’s expanding network of personal devices — smart TVs, video game consoles, appliances, home climate control systems, etc. — have propelled the digitization of our existence. All these advancements can make life easier but also increase points of cybersecurity vulnerability for people of all ages.
However, data indicates that different age groups can be susceptible to different methods of targeting by cyber scammers. For example, phishing, which relies on the human tendency to repay what another person has provided, can be more effective for targeting older vs younger adults. Also, today’s consumer under age 25 may never have the need to write a paper check, but many over 65 today have spent a significant portion of their lives handling their financial affairs that way. Thus, the trust placed in tech support people and other personnel whom they are supposed to rely on for assistance is understandable.
Unfortunately, according to the IC3, people over 60 lost more to call center and tech support scams than all other age groups combined, with this group reporting 40% of these incidents and 58% of the related financial losses (about $770 million). Common schemes involved using phone calls, texts, emails, or pop-up windows (or a combination of these) to connect with victims, manipulating them to download malicious software, reveal private account information, or transfer assets. The fallout included remortgaged homes, emptied retirement accounts, and, in some cases, suicide.
New tools and methods increase cyber security threats.
A financial services professional at a Hong Kong-based firm sent US$25 million to fraudsters after she believed she was instructed to do so by her chief financial officer on a video call that also included other colleagues. Deepfakes, one of 2024’s increasingly common cyber risks for businesses and organizations, are on track to become a major threat to personal cyber liability. A technology known as “deep” learning (hence the name) can generate images, videos, texts, or sound files specifically designed to be highly convincing despite being entirely made up.
This content can turn up anywhere on social media, the internet, or even in emails and phone calls, fooling unsuspecting humans, and, all too often, even detection software. Deepfakes aren’t always produced for malicious activities; some are used widely for entertainment. However, the growing sophistication of deepfakes and the availability of the technology needed to make them may have serious implications for cyber risk.
Cyber criminals can leverage this technology to trick victims into divulging sensitive information, transferring money, or performing other activities. Reputations can be damaged by fabricated images of victims engaged in illegal or controversial acts. This type of deepfake can also enable blackmail in exchange for not releasing the material. In addition to impersonating individuals, cyber criminals can use deepfakes to bypass biometric verification or create false advertising.
The options for managing personal cyber risk can differ in crucial ways.
Personally identifiable information (PII) is the primary driver of identity theft and most other cyber fraud. Major data breaches are becoming commonplace, such as the incident that happened in 2023 (but wasn’t reported until August 2024) that exposed 2.7 billion records. Bad actors exploit this kind of information to directly engage in fraudulent transactions or create trust with their targets in more complex schemes.
Thanks to heavy marketing and wide availability from banks and card issuers, consumers tend to be familiar with Identity Theft Protection (ITP). As the name implies, such plans revolve around the risk of stolen identity and can alleviate some of the work and costs related to monitoring and mitigating the fallout from identity theft.
In contrast, Personal Cyber Insurance (PCI) offers coverage for a broader range of losses. Covered risks, in addition to ITP, can include cyber extortion, online fraud and deceptive transfers, data breaches, cyberbullying, and more. An important aspect of PCI is that it can help provide financial reimbursement from covered “cyber scams” or related social engineering risk not directly tied to identity theft, cyber crimes which are on the rise. It also offers assistance and financial reimbursement for compromised devices. For example, if a policyholder is hacked, personal cyber insurance may help cover the costs of hiring a professional to reformat the hard drive, reinstall the operating system, and restore data from the backup.
“Social engineering and other cyber-related threats against consumers continue to grow and evolve, and insurance carriers are offering affordable personal cyber coverage that can be easily added to a homeowners or renters insurance policy,” says James Hajjar, Chief Product Officer at Hartford Steam Boiler (HSB).
HSB, which has been offering personal cyber insurance since 2015, has evolved its coverage multiple times over the years to stay ahead of cyber risk trends and the dynamic threat landscape. Given the increasing complexity of cyber risks and the rise of sophisticated scams — such as phishing and ransomware — that kind of protection shouldn’t be limited to identity theft. Robust PCI coverage safeguards against a range of other cyber-related issues and provides critical support to ensure policyholders aren’t left to deal with the financial aftermath of a cyber incident alone.
“It’s crucial that cyber insurance is specifically designed to help individuals protect themselves against these evolving threats and provides financial security and additional programs and services if someone is hacked,” Hajjar says.
Historically, ITP has been widely offered through banks, credit unions, credit card issuers, and credit reporting agencies. Either product type may be purchased as either standalone or optional add-on coverage for homeowners, rental, or condo insurance policies.
The IC3 says it receives about 2,412 complaints daily, but many more cybercrimes likely go unreported for various reasons. Complaints tracked over the past five years have impacted at least 8 million people. The 2023 Data Breach Report, which details the larger dataset of cyber crime complaints to the FBI’s Identity Theft Resource Center (ITRC), reveals that last year delivered a bumper crop of cybersecurity failures – 3,205 publicly reported data compromises, impacting an estimated 353,027,892 individuals.
A new conversation about personal cyber insurance begins.
Triple-I and HSB are teaming up to uncover ways to enhance support and resources for insurance agents while improving personal cyber insurance options for policyholders. If you are an agent, please take three minutes to help by participating in our survey. Your contribution will be invaluable in shaping the future of personal cyber insurance.
Cyber incidents reported to the FBI’s Internet Crime Complaint Center (IC3) in 2023 totaled 880,418. These attacks caused a five-year high of $12.5 billion in losses, with investment scams making up $4.57 billion, the most for any cybercrime tracked. Phishing, with 298,878 incidents tracked (down from its five-year high in 2021 of 323,972), continues to reign as the top reported method of cybercrime.
The 2023 Data Breach Report from Identity Theft Resource Center (ITRC) reveals that last year delivered a bumper crop of cybersecurity failures – 3,205 publicly reported data compromises, impacting an estimated 353,027,892 individuals. Meanwhile, supply-chain attacks increased, and weak notification frameworks further increased cyber risk for all stakeholders.
Email compromise, cryptocurrency fraud, and ransomware increase
In addition to record-high financial losses from cybercrimes overall in 2023, the report revealed trends across crime methodology and targets. Investment fraud was the costliest of all incidents tracked. Within this category, cryptocurrency involvement rose 53 percent, from $2.57 billion in 2022 to $3.94 billion. Victims 30 to 49 years old were the most likely group to report losses.
Ransomware rose 18%, and about 42 percent of 2,825 reported ransomware attacks targeted 14 of 16 critical infrastructure sectors. The top five targeted sectors made up nearly three-quarters of the critical infrastructure complaints: healthcare and public health (249), critical manufacturing (218), government facilities (156), information technology (137), and financial services (122).
Adjusted losses for 21,489 business email compromise (BEC) incidents climbed to over $2.9 billion. The IC3 noted a shift from dominant methods in the past (i.e., fraudulent requests for W-2 information, large gift cards, etc.). Now scammers are “increasingly using custodial accounts held at financial institutions for cryptocurrency exchanges or third-party payment processors, or having targeted individuals send funds directly to these platforms where funds are quickly dispersed.”
The report disclosed a $50,000,000 loss from a BEC incident in March of 2023, targeting “a critical infrastructure construction project entity located in the New York, New York area.”
The IC3 says it receives about 2,412 complaints daily, but many more cybercrimes likely go unreported for various reasons. Complaints tracked over the past five years have impacted at least 8 million people. The FBI’s recommendations for solutions to minimize risk and impact include:
Ramping up cybersecurity protocols such as two-factor authentication.
More robust payment verification practices.
Avoiding engagement with unsolicited texts and emails.
The scale of 2023 data compromises is “overwhelming.”
According to the ITRC, the surge in breaches during 2023 is 72 percent over the previous record set in 2021 and 78 percent over 2022. To add more perspective, the ITRC notes that “the increase from the past record high to 2023’s number is larger than the annual number of events from 2005 until 2020, except for 2017.”
Meanwhile, as the report highlights, two other outsized trends converged: increasing complexity and risk. The number of organizations and victims impacted by supply-chain attacks skyrocketed. The notification framework conspicuously weakened, too. Since some laws assign liability for notification to organizations owning the leaked data, the notification chain would stop there, leaving downstream stakeholders unaware. For example, a software company servicing nonprofits might duly notify its direct B2B customers but not the individuals served by the nonprofit organization.
The ITRC has been reviewing publicly reported data breaches since 2005, and it now has a database of more than “18.8K tracked data compromises, impacting over 12B victims and exposing 19.8B records.” This ninth report forecasts a bleak outlook for the coming year. Specifically, “an unprecedented number of data breaches in 2023 by financially motivated and Nation/State threat actors will drive new levels of identity crimes in 2024, especially impersonation and synthetic identity fraud.”
The faster a breach is identified and reported, the faster all potentially affected parties can take measures to minimize impact. However, reporting regulations can vary across jurisdictions, and businesses and their supply chain partners may hesitate to disclose breaches for fear of impacting revenue and brand reputation. ITRC outlines its forthcoming uniform breach notification service designed to enable due diligence, emphasizing swift action and coordination with business and regulatory authorities. The service will be offered for a fee to companies looking to better handle cyber risk in their supply chains and regulatory requirements. Other recommendations include the increased use of digital credentials, facial identification/comparison technology, and enhancing vendor due diligence.
The increased risk and rising financial losses from cyber risk likely drive growth for the cyber insurance market, which tripled in volume in the last five years. Gross direct written premiums climbed to USD 13 billion in 2022. For a quick rundown of how cyber insurance coverage supports risk management for organizations of all sizes, take a look at our cyber risk knowledge hub. To learn more about the fastest-growing segment of property/casualty, look at our recent Issues Brief.
As the number of cyber security breaches soars, direct written premiums (DPW) for cyber insurance worldwide could rise to $23 billion by 2025, with U.S. businesses paying about 56 percent of the total, according to Triple-I’s latest Issues Brief.
Cyber Insurance: State of the Risk, published last week, says the most recent data shows standalone policies have emerged as the preference for larger insureds, accounting for more than 70 percent of DPW – an increase of 61.5 percent from the prior year. These growth trends may signify that businesses recognize the growing threat of cyber risk requires mitigation beyond the typical coverage limitations of packaged options. Loss ratios also improved over 2021 rates, with declines of 23 percentage points, to 43 percent, on standalone policies and 18 percentage points, to 48 percent, on packaged policies. These improvements are evidence of improved cost-containment strategies.
A two-edged sword
The brief outlines how technology can foster opportunities for cyber attackers and deliver ways for cybersecurity managers to predict, prevent, and manage threats. Increased use of cloud storage, remote working, and the “bring your own device” IT approach has amplified points of organizational vulnerability. And, as more companies and their employees are increasingly leveraging AI to boost operational efficiency, cyber attackers have created large language models (LLMs) to mimic the functionalities of ChatGPT and Google’s Bard to aid in phishing and malware attacks.
Even the smallest businesses face threats that can incapacitate an organization. However, organizations can manage breaches more efficiently using AI for faster breach detection and implementing requirements for two-factor authentication, VPN use on external Wi-Fi networks, and data-wiping processes for lost or stolen devices.
Cyber insurance has become an integral part of robust prediction and prevention.
The bulk of cyber insurance claims by volume and frequency stem from ransomware and extortion-based attacks, according to an October 2023 report from Allianz. The report also says the annual proportion of cases in which data is stolen has consistently risen from “40 percent of cases in 2019 to around 77 percent of cases in 2022, with 2023 on course to surpass last year’s total.”
The Allianz report highlights the growing need for businesses to improve prediction and prevention strategies, internally and with external partners and supply chain relationships. It makes practical sense that indemnification for cyber risk has become a common requirement for vendors doing business with frequently targeted sectors.
The Triple-I brief states that as insurers refine policy terms to make the scope of coverage more understandable, business risk managers are better able to comprehend how cyber insurance can mitigate their risks. In turn, insurers may have been able to gain improvements in cost containment and rate stability.
Triple-I supports increased awareness of the threat landscape
Cyber insurance can play a pivotal role in liability management. Sean Kevelighan, Triple-I’s CEO, participated on a panel during the Small Business Cyber Summit, a series hosted by the U.S. Small Business Administration (SBA). Discussions offered insights and tips for cybersecurity risk managers and other experts. Kevelighan explained how cyber insurance can allow “businesses to more strategically allocate their resources” in the battle against cyber threats.
Kevelighan participated in another fall 2023 cyber risk panel hosted by The Institutes Griffith Foundation in collaboration with Indiana University. The presentation, Cyber Risk: Exploring the Threat Landscape and the Role of Risk Management, focused on risks to national infrastructure and companies. Accordingly, panelists discussed how regulators and businesses have responded to the inevitable threat of cyberattacks. Speakers shared expertise in three core areas:
Ten states – Louisiana, Florida, Idaho, Kentucky, Mississippi, Montana, North Dakota, South Carolina, Texas, and Virginia – as well as additional plaintiffs, are suing the Federal Emergency Management Agency (FEMA) over its new methodology for pricing flood insurance, Risk Rating 2.0. On Sept. 14, a federal hearing lasted six hours as the plaintiffs sought a preliminary injunction to halt the new pricing regime while the lawsuit plays out.
Many residents of these states are understandably upset about seeing their flood insurance premium rates rise under the new approach. There may not be much comfort for them in knowing that the current system is much fairer than the previous one, in which higher-risk homeowners subsidized those with lower risks. Similarly, policyholders who have had their premium rates reduced under Risk Rating 2.0 are unlikely to take to the streets in celebration.
These homeowners aren’t alone in seeing insurance rates rise – or even having to struggle to obtain insurance. And these difficulties aren’t confined to holders of flood insurance policies. Florida and California are two states in which insurers have been forced to rethink their risk appetite – due in part to rising natural catastrophe losses and in part to regulatory and litigation environments that make it increasingly difficult for insurers to profitably write coverage.
Even before the COVID-19 pandemic and Russia’s invasion of Ukraine – and the supply-chain and inflationary pressures they created – the property/casualty insurance market was hardening as insurers adjusted their pricing and their risk appetites to keep pace with conditions that were driving losses up and eroding underwriting profitability – topics Triple-I has written about extensively (see a partial list below).
“Rising insurance rates are not the problem,” says Dale Porfilio, chief insurance officer at Triple-I. “They are a symptom of rising losses related to a range of factors, from climate and population trends to post-pandemic driving behaviors and surging cybercrime to antiquated policies, outdated building codes, fraud, and legal system abuse.”
In short, we are not experiencing an “insurance crisis,” as many media outlets tend to describe the current state of the market; we are experiencing a risk crisis. And even as the states referenced above push back against much-needed flood insurance reform, legislators in several states have been pushing measures that would restrict insurers’ ability to price coverage accurately and fairly – rather than addressing the underlying perils and forces aggravating them.
Triple-I, its members, and a range of partners are working to educate stakeholders and decisionmakers and promote pre-emptive risk mitigation and investment in resilience. We are using our position as thought leaders and our unique non-lobbying role in the insurance industry to reach across sector boundaries and drive constructive action. You will be hearing more about these efforts over the next few months.
The success of these efforts will require a collective understanding among stakeholders and decisionmakers that, for insurance to be available and affordable, frequency and severity of risk must be measurably reduced. This will require highly focused, integrated projects and programs – many of them at the community level – in which all stakeholders (co-beneficiaries of these efforts) will share responsibility.
Want to know more about the risk crisis and how insurers are working to address it? Check out Triple-I’s upcoming Town Hall, “Attacking the Risk Crisis,” which will be held Nov. 30 in Washington, D.C.
Artificial intelligence is helping to limit the costs associated with data breaches, a recent study by IBM and the Ponemon Institute found. While these costs continue to rise, they are increasing more slowly for some organizations – in particular, those using less-complex, more-automated security systems.
According to the study, the average cost of a data breach was $4.45 million in 2023, a 2.3 percent increase from the 2022 cost of $4.35 million. The 2023 figure represents a 15.3 percent increase from 2020, when the average breach was $3.86 million.
However, not all organizations surveyed by the study experienced the same kinds of breaches – or the same costs. Organizations with “low or no security system complexity” – systems in which it is easier to identify and manage threats – experienced far smaller losses than those with high system complexity. The average 2023 breach cost $3.84 million for the former and a staggering $5.28 million for the latter. For organizations with high system complexity, this is an increase of more than 31 percent from the year before, amounting to an average of $1.44 million.
As David W. Viel, founder and CEO of Cognoscenti Systems, put it: “The size and complexity of a system directly results in a greater number of defects and resulting vulnerabilities as these quantities grow. On the other hand, the number of defects and cybersecurity vulnerabilities shrinks as the system or component is made smaller and simpler. This strongly suggests that designs and implementations that are small and simple should be very much favored over large and complex if effective cybersecurity is to be obtained.”
The research also noted that organizations that involve law enforcement in ransomware attacks experienced lower costs. The 37 percent of survey respondents that did not contact law enforcement paid 9.6 percent more than those that did, with the breach lasting an average of 33 days longer than those that did contact law enforcement. These longer breaches tended to cost organizations far more, with breaches with identification and containment times under 200 days averaging $3.93 million, and those over 200 days costing $4.95 million.
AI and automation are proving key
Security AI and automation both proved to be significant factors in lowering costs and reducing the time to identify and contain breaches: organizations using these tools reported containing breaches 108 days faster, with data breach costs $1.76 million lower, than organizations that did not use them. Organizations with no use of security AI and automation experienced an average of $5.36 million in data breach costs, 18.6 percent more than the average 2023 cost of a data breach.
Now, most respondents are using some level of these tools, with a full 61 percent using AI and automation. However, only 28 percent of respondents extensively used these tools in their cybersecurity processes, and 33 percent had limited use. The study noted that this means almost 40 percent of respondents rely only on manual inputs in their security operations.
Cyber insurance demand is growing
A recent study by global insurance brokerage Gallagher showed that the vast majority of business owners in the U.S. – 74 percent – expressed extreme or very high concern about the impact of cyberattacks on their businesses. Indeed, a study by MarketsandMarkets found that the cyber insurance market is projected to grow from $10.3 billion in 2023 to $17.6 billion by 2028, noting that the rise in threats like data breaches, ransomware, and phishing attacks is driving demand.
Organizations are now responding more thoroughly to these threats, with increased underwriting rigor helping clients progress in cyber maturity, according to Aon’s 2023 Cyber Resilience Report. Aon states that several cybersecurity factors, including data security, application security, remote work, access control, and endpoint and systems security – all of which experienced the greatest improvement among Aon’s clients – must be continually monitored and evaluated, particularly for evolving threats.
Insurers and their customers need to work together to more fully address the risks and damages associated with cyberattacks as these threats continue to grow and businesses rely ever more heavily on technology.