Insurers bring considerable expertise to the cybersecurity landscape to help their commercial customers manage this growing risk, but even they are not immune to the threat. A new study from Triple-I and breach recovery company Fenix24 explores how insurers are managing cyber risk within their own operations and where gaps remain as attacks evolve.
Based on interviews with insurance industry executives across various organizational sizes and market segments, the study explains that, while most firms have invested in robust security practices, vulnerabilities persist in areas such as security testing and recovery readiness.
Though many insurers, for instance, reported maintaining immutable backups – i.e., files that cannot be altered and are thus protected from malicious action – definitions for such backups are not universally accepted, meaning standards for one company may not meet those of another. System updates to security weaknesses are similarly variable, with half of the participants indicating they deploy security patches monthly.
“Traditional compliance frameworks don’t move at the velocity of ransomware actors,” said Mark Grazman, Fenix24 CEO and co-founder, in a recent Executive Exchange with Triple-I CEO Sean Kevelighan. “When an organization gets on the phone and tells us, ‘Don’t worry, our data was immutable and therefore survived,’ there’s an 84 percent chance they’re wrong.”
While effective cyber resilience strategies will balance investments in both threat resistance and recovery, Grazman pointed out that “over 90 percent of budgets” are allocated to resistance alone, further reflecting organizations’ false sense of security in preexisting infrastructure against dynamic attacks.
“I’d liken it to, you have a fire extinguisher in the building, but you also have a fire escape,” Grazman said. “Having the focus to resist the attack does not preclude the need to make sure that, if an attack is successful, the organization can bring itself back online and keep its data.”
For large ransomware incidents as well as smaller-scale email compromises, Grazman emphasized that most attacks begin with identity hacking. Though all insurers in the report said they use corporate password vaults and require multi-factor authentication or hardware tokens for administrative accounts, several revealed they still allow less secure methods, exacerbating systemwide exposure.
Noting the convenience of such practices, Grazman encouraged organizations to “assume if the administrator can do it, so too will the threat actor.” He added, “You’ve got to make it so even your own team couldn’t delete data without a very fixed time clock.”
Grazman recommended insurers uphold security practices that meet or exceed the minimum requirements they impose on policyholders, saying, “We need our carriers to continue doing what they’re doing and lead the pack in terms of resiliency, recovery, and setting a standard for themselves and their insureds that keep us all safer.”
Consumers and government also play a role in managing cyber risks, Kevelighan said, especially as businesses become more globally interconnected. He explained that just one sophisticated attack “could potentially generate billions and billions of dollars of losses, if not trillions,” as the disruption propagates across multiple businesses along a supply chain.
While cyber insurance can help mitigate these impacts, Kevelighan noted that many remain unaware of the coverage, necessitating greater outreach to stakeholders on coverage options and benefits.
Despite a 34 percent decline in cyber insurance claim frequency for large U.S. businesses in 2025, average claim severity doubled to more than $4.4 million, according to Chubb’s 2026 Cyber Claims Report. Though AI-driven detection systems helped stabilize claim frequency across several global markets, advanced cyberattacks – alongside liability litigation challenges – ranked among the top cost drivers.
Drawing on historical claims data, the report explained how bad actors have begun leveraging AI for increasingly sophisticated attacks capable of “compromising multiple systems in a matter of minutes,” including large-scale incidents that involve minimal human oversight. Data-breach claims alone exceeded a historic $10.2 million in the U.S., propelled in part by the outsized impact of individual ransomware encounters.
Becoming faster and more difficult to detect, ransomware incidents can propagate across multiple businesses along a supply chain with just one attack, especially as markets become more globally interconnected. One such event in the U.K. led to roughly $568 million in losses for the targeted company but a $1.4 billion loss for the entire supply chain as manufacturing “halted for five weeks across sites in the U.K., Slovakia, Brazil, and China.” Over 5,000 U.K organizations in total were affected, Chubb said.
Consequences of cyber incidents extend beyond these losses, the report noted, as incidents increasingly escalate to legal action, often within days and “irrespective of the size of the entity or any controls perceived to be lacking.” Federal legislation enacted in 1988 to protect physical video privacy has helped lead the trend, as plaintiff attorneys continue to reinterpret the law to apply to modern streaming and social media platforms.
Similar applications of a 1967 statute in California – originally intended to prevent wiretapping – now target businesses that use website technologies such as cookies and tracking pixels, generating thousands of lawsuits in recent years. A bill that would remove these prohibitions for businesses has garnered strong bipartisan support, though faces an uncertain future after stalling in the state legislature last year.
“At a time when affordability is already one of California’s greatest challenges, these lawsuits are quietly making life more expensive for everyone,” wrote Scott Miller, president and CEO of the Fresno Chamber of Commerce, for The Fresno Bee. “[SB 690] would restore balance, reduce abusive litigation, and allow small businesses to focus on serving their customers, not defending against opportunistic lawsuits.”
A “growing body of privacy laws” are further “imposing complex, layered obligations for companies that store and/or transfer personal data,” Chubb reported, highlighting new laws in Indiana and Kentucky aimed at implementing stricter opt-in mechanisms for personal information. Companies may struggle to navigate these emerging regulations as privacy and cyber risks continue to evolve, creating compliance concerns and potentially exacerbating losses and broader supply-chain disruptions when cyberattacks occur.
Investing in threat detection, AI governance, and employee cybersecurity education are among the many ways organizations can boost their cyber resilience. A separate Chubb survey also suggests interest in cyber insurance to mitigate these risks is rising. Leaders across lower, core, and upper middle market segments identified cybersecurity and advancing technology as their chief risk concerns, with 47 percent of respondents indicating they were considering adding or increasing cyber coverage.
Technology trends – particularly the rise of artificial intelligence – have become the top priority for global insurance executives in 2025, according to the International Insurance Society (IIS) Global Priorities Survey.
IIS – like Triple-I, an affiliate of The Institutes – found that AI has overtaken inflation as the top priority of respondents, with two-thirds now ranking AI as their leading focus for technology and innovation. Executives cite AI’s potential to streamline operations, enhance analytics, and drive new product innovation, while inflation and climate risk remain significant concerns. Operational efficiency and cybersecurity remain high on the priority list, but the narrowing gap between climate risk and technological advancement highlights the growing influence of digital priorities.
Nearly 20,000 insurance executives worldwide participated in the 2025 survey.
“These tools enhance forecasting capabilities by allowing for deeper insights into trends and potential future risks,” on executive said, characterizing the bottom-line impact of AI. “By empowering themselves with robust analytics, organizations can improve their strategic planning and risk management efforts, ultimately driving better business outcomes.”
Beyond AI, insurance executives’ emphasis on technology generally has continued to grow. Forty-one percent of respondents now view technological advancement as a top social and environmental priority, continuing its rise from only 12 percent in 2021. This increased focus reflects a desire to harness innovations ranging from machine learning tools to sophisticated cybersecurity solutions.
Other challenges also remain top-of-mind. Inflation is the highest economic priority for the fourth consecutive year, with 63 percent of respondents citing it among their top three issues. Climate risk also continues to top the social and environmental category. Concerns over an aging workforce have almost doubled year-over-year but, generally speaking, employment issues – such as workforce readiness, workforce structure, DEI, and employee health and safety – remain lower priority issues, according to the survey.
Economic shifts, geopolitical uncertainties, cybersecurity trends, and mounting climate perils have created an increasingly severe and interconnected risk crisis, according to participants in a members-only Triple-I webinar.
In an environment constrained, for instance, by frequent natural disasters and rising replacement costs, risks no longer develop in isolation. They collide with and compound each other. Their combined impact exceeds the sum of individual risks’ effects. Such interdependence complicates identifying, let alone mitigating, the forces underpinning a specific risk.
“Under this new system that’s emerging, risk can propagate very rapidly through a host of otherwise disconnected networks,” TradeSecure president and cofounder Scott Jones told webinar host Michel Léonard, Triple-I’s Chief Economist and Data Scientist. “This new reality fundamentally challenges the core principles that insurance has relied on for centuries.”
Jones emphasized the growing unpredictability of risk on a global scale, particularly as nations impose export controls, sanctions, investment restrictions, and tariffs for purposes like economic competition. Companies with global footprints may struggle to ascertain these interwoven, sometimes competing regulations, creating compliance concerns and potentially exacerbating supply-chain disruptions.
With the frequency and severity of U.S. cyber claims on the rise, cyberattacks also carry substantial transnational implications. Sophisticated ransomware encounters can exploit businesses of all sizes, propelling privacy liability claims and related third-party litigation.
TradeSecure vice president and cofounder Michael Beck explained how the almost universal accessibility of malware – harnessed by criminal syndicates, activist groups, or even lone hackers – presents “a new class of systemic non-physical disruption” that could undermine “the entire system’s liquidity and stability.”
“A coordinated non-state cyberattack wouldn’t just steal money – it could stop the flow of money, causing many transaction failures and possibly triggering a wave of claims far beyond what traditional cyber policies are designed to handle,” Beck said.
Though insurers as well as business owners and consumers consider cyber incidents a chief risk concern, personal cyber take-up rates remain low, with the broader cyber insurance market facing its third consecutive year of declining rates. Misunderstandings surrounding cyber risk and benefits of coverage fuel this discrepancy, revealing a gap between agent perceptions of product value and that of their customers.
Personal cyber risk – historically viewed as synonymous with “identity theft” – has evolved with the rise of internet-connected devices in the home. These devices can open the door to malware that can seize control of a homeowner’s data and expose them to extortion and other threats. Phishing and financial scams have been found to generate the greatest losses for homeowners.
Insurance for these perils exists, but adoption has not grown in line with the increasing peril. Triple-I and Hartford Steam Boiler (HSB) recently conducted research to better understand why and what insurers can do about it. The survey found that personal cyber insurance – while presenting a sales opportunity – involves educational challenges for agents and consumers.
Triple-I surveyed retail agents of homeowners insurance, since personal cyber coverage is commonly sold as an endorsement to homeowners’ policies. These agents are very knowledgeable of homeowners’ risks that can result in physical damage to property, as well as theft and liability coverages.
“Agents see the storm,” said Neil Rekhi, product manager for personal cyber insurance at HSB, “but homeowners can’t envision the damage until it’s too late.”
While 84 percent of agents surveyed said they recognize the value of personal cyber insurance, the survey found a notable gap between agents who feel comfortable selling it and those who don’t.
This hesitation is mirrored by consumer skepticism. The study found that 56 percent of agents report their customers either don’t understand or don’t agree with the value proposition of personal cyber insurance products.
“There’s a significant disconnect between agent perceptions of customer needs and actual customer perceptions of product value,” noted Dale Porfilio, Chief Insurance Officer at Triple-I.
Sales efforts remain robust, with 77 percent of agents having presented personal cyber insurance options to homeowners in the past month. However, consumer adoption rates continue to lag, highlighting a fundamental communication breakdown.
Closing the personal cyber protection gap will require a three-pronged approach: consumer education, agent/broker training, and a data-driven approach to product development,” says Triple-I CEO Sean Kevelighan.
Cyber Security Data Protection Business Technology Privacy concept.
Cyber insurance claims are showing alarming trends in both frequency and severity, with U.S. businesses experiencing particularly steep increases while markets outside the U.S. show declining rates, according to a report from Chubb.
The comprehensive claims analysis, based on Chubb’s cyber claims data through December 2024, reveals critical insights about ransomware incidents driving claim severity, privacy-related liability becoming increasingly complex, and widespread cyber events contributing to rising frequency—all factors that are fundamentally reshaping the cyber risk landscape for businesses of all sizes.
U.S. Market Trends
The cyber insurance landscape in the U.S. continues to evolve at a concerning pace, with both frequency and severity of claims showing upward trajectories over the past three years. While claim frequency remains below the peak levels observed in 2020-2021, severity has increased significantly from 2020 through 2024, with notable volatility in recent years, Chubb reported.
Particularly alarming is the sharp increase in claim severity for mid-sized companies with revenues of $100 million to $999 million, and large companies with revenues exceeding $1 billion. These organizations have experienced substantial losses that have made headlines across business media. Interestingly, many of these attacks weren’t the result of sophisticated malware evading robust cybersecurity systems, but rather social engineering attacks targeting IT help desks and involving SIM card swaps in mobile phones, according to the report.
Another troubling trend is the rise in widespread cyber events—incidents that simultaneously affect numerous companies. These events, which can stem from attacks, software malfunctions or human error, increased to 5.3% of total reported claims in 2024, up from 4.0% in 2023, contributing significantly to the overall frequency of cyber claims.
International Market Contrast
The cyber risk scenario outside the U.S. tells a markedly different story. International markets are experiencing declining trends in both the frequency and severity of cyber claims. For medium and large revenue accounts outside the U.S., severity has decreased over the past three years, while small revenue accounts have seen only modest increases in severity, Chubb reported.
This divergence can be attributed to several factors. International businesses have increased cyber risk awareness at executive and board levels, improved business continuity planning, developed more robust incident response protocols, and focused on compliance with new regulatory frameworks such as the EU’s Digital Operational Resilience Act.
Perhaps most striking is the difference in ransom payment behavior. The willingness to pay ransoms is substantially lower outside the U.S., with only 8% of companies paying ransoms in 2024 compared to 35% of U.S.-based companies. This trend has remained consistent over the past five years, Chubb reported.
Notable Claims Statistics
The financial impact of cyber incidents continues to grow, with ransomware remaining the primary driver of losses. In 2023 and 2024, ransomware-related losses accounted for nearly 72% of all cyber claim dollars, up from an average of 63% between 2020 and 2022. The frequency of subsequent third-party litigation from ransomware incidents has also increased dramatically, up approximately 75% in 2024 compared to the 2020-2021 average.
The July 2024 CrowdStrike incident provides a sobering example of how non-malicious events can cause widespread disruption, the report noted. When the cybersecurity company CrowdStrike sent a faulty software update to customers worldwide, it resulted in 8.5 million systems crashing and generated between $400 million and $1.5 billion in insured losses, the report stated.
This incident highlighted that system failures can be as devastating as malicious attacks, underscoring the importance of comprehensive incident response planning and resilience measures. Organizations with strong resilience capabilities in place were better positioned to weather this unexpected disruption, reinforcing the value of preparedness in today’s interconnected digital ecosystem, according to Chubb.
Evolution of Privacy-Related Claims
As digital footprints expand and consumer awareness grows, privacy-related claims have emerged as a significant concern for businesses across the U.S. Recent data reveals a troubling trend: the proportion of third-party claims related to privacy liability has doubled in 2023-24 compared to 2020-22. This surge reflects not only heightened consumer awareness but also the evolving regulatory environment that has created new avenues for litigation, the report explained.
Three key regulatory frameworks are primarily driving this increase in U.S. privacy claims, Chubb reported:
The Illinois Biometric Information Privacy Act (BIPA) has become particularly impactful, regulating how companies collect, use, and handle biometric identifiers and information.
The Video Privacy Protection Act (VPPA) has gained renewed relevance in the digital age. This law directly addresses how companies implement and use pixels—those tiny snippets of code embedded in websites that track user behavior.
State-level wiretapping laws have also contributed to the privacy claims landscape. The California Invasion of Privacy Act (CIPA), for instance, provides individuals with a private right of action against businesses for privacy violations, with potential statutory damages reaching $5,000 per violation—a figure that can quickly escalate to significant amounts in class action scenarios.
Beyond U.S. borders, international privacy regulations continue to reshape how global businesses approach data handling and privacy compliance. The European Union’s General Data Protection Regulation (GDPR) stands as the gold standard, comprehensively regulating the lawful collection, processing, use, retention and deletion of personally identifiable information.
For insurers, “customer” is one word that encompasses individual policyholders, business owners, risk managers, agents and brokers, and others, all with different (often divergent) priorities. For reinsurers – whose primary customers are insurers themselves – “understanding the customer” is particularly challenging.
This was part of the motivation behind RiskScan 2024 – a collaborative survey carried out by Munich Re US and Triple-I. The survey provides a cross-market overview of top risk concerns among individuals across five key market segments: P&C insurance carriers, P&C agents and brokers, middle-market business decision makers, small business owners, and consumers. It explores not only P&C risks, but also how economic, political, and legal pressures shape risk perceptions.
“I get very excited when we have a chance to be in our customers’ shoes,” said Kerri Hamm, EVP and head of cyber underwriting, client solutions, and business development at Munich Re US, in a recent Executive Exhange interview with Triple-I CEO Sean Kevelighan. “To really understand how they feel about a broad range of issues from what are their most important risks to how they feel about the cost of insurance and the economic environment.”
Hamm discussed how more than one-third of respondents ranked economic inflation, cyber risk, and climate change as top concerns, identifying them as “increasing or resulting in rises of the cost of insurance.”
“When we really understand what our customers want, we can design a better product and think about whether the coverages we’re providing are meaningful to them,” Hamm said. “That can help us match pricing better to their expectations.”
One result that Hamm found “surprising” was that “legal system abuse” didn’t appear to be as widely accepted by respondents – apart from the insurance professionals – as driving up insurance costs. Kevelighan cited other research – including by Triple-I’s sister organization, the Insurance Research Council – that has found consumers to be aware of the growing influence of “billboard attorneys”.
Unfortunately, he said, “They don’t seem to be making the connection with how that’s affecting them. What we’re trying to do at Triple-I is to help them make that connection.”
Kevelighan talked about Triple-I’s education campaign around “the billboard effect” in Georgia. That campaign includes an actual billboard (“Trying to fight fire with fire,” he said), as well as a microsite called Stop Legal System Abuse. The campaign focuses on Georgia because the state tops the most recent list of places that the American Tort Reform Foundation calls“judicial hellholes”.
“We’re trying to help citizens in Georgia see that this is costing you,” Kevelighan said, adding that Triple-I has seen high engagement through the program with people in the state.
When I first wrote here about insurance coverage related to cryptocurrency theft, I discussed whether these digital assets were securities (as suggested by the SEC) or property (as suggested by the IRS) and how that might impact insurance coverage under a typical homeowners policy.
I also discussed whether the full policy limits for generic property were available for the theft of the assets or a policy sublimit for money would apply.
At that time, courts had provided little guidance on the issue, and few situations were analogous. In recent years, however, guidance has emerged, including from a line of cases that would not appear to have much relevance at first glance.
Wrestling over “physical” loss
Nearly every appellate court in the country has wrestled with the issue of whether economic losses experienced by businesses as a result of the COVID-19 pandemic were covered by their commercial property insurance policies. A commercial property policy typically covers the “physical” loss of or damages to property. Insurers uniformly denied those business interruption claims and thousands of businesses sued. Courts consistently rejected the businesses’ claims for coverage because the COVID-19 virus does not change the structure of the insured property, and purely economic losses are not “physical” loss or damage.
Similar to the commercial property insurance policies at issue in the COVID-19 claims, a typical homeowners policy covers the direct physical loss of covered personal property.
In 2021, Ali Sedaghatpour had approximately $170,000 of his cryptocurrency stolen and made a claim under his homeowners insurance policy. The insurer paid him the $500 limit for the theft of electronic funds, but denied coverage for the remainder of the loss. The homeowner sued and the federal district court for the East District of Virginia ruled in favor of the insurer. Recently, the United States Court of Appeals for the Fourth Circuit affirmed the decision in favor of the insurer. The case was titled Sedaghatpour v. Lemonade Insurance Co. (Case No. 23-1237).
The court ruled that the digital theft of the homeowners’ currency did not amount to direct “physical” loss and the insurer owed the homeowner nothing more than the $500 it had already paid. The appellate court did not disturb other findings by the trial court – including the lower court’s citation to dictionary definitions of cryptocurrency, which state that cryptocurrency exists “wholly virtually”
Looking ahead
In the Sedaghatpour case, the courts were applying Virginia law; however, given the uniform development of “physical loss” throughout the country in the COVID-19 context, I expect other courts around the country will come to the same conclusion when the issue of how to treat digital assets comes before them. I likewise observe that some insurers have revised their policy language to state expressly that the loss of “electronic currency” is not covered.
These recent court cases confirm that individuals owning cryptocurrency should take extra care to protect their digital assets and should not rely on standard language in homeowners insurance policies to hedge against theft.
Michael Menapace is a Triple-I Non-Resident Scholar, Co-chair of the Insurance Practice Group at Wiggin and Dana LLP, a professor of Insurance Law at the Quinnipiac University School of Law, and a Fellow of the American College of Coverage Counsel.
Cyber incidents, changes in climate, and business interruption are the chief risk concerns among key marketplace segments in the insurance industry, according to RiskScan 2024, a new survey from Munich Reinsurance America Inc. (“Munich Re US”) and the Insurance Information Institute (Triple-I) reveals.
RiskScan 2024 provides a cross-market overview of top risk concerns among individuals across five key market segments: P&C insurance carriers, P&C agents and brokers, middle-market business decision makers, small business owners, and consumers. The survey explores not only P&C risks, but also how economic, political, and legal pressures shape risk perceptions.
Methodology
To produce a compelling snapshot of cross-market views, Munich Re US and Triple-I engaged independent market researcher RTi Research in the summer of 2024 to survey 1,300 US-based individuals.
Market surveys typically focus on a single audience, but RiskScan 2024 is a multi-segment survey offering a comprehensive view of risk perceptions and yielding comparative results between audiences. The key insights present a variety of commonalities and disparities across the five distinct target segments, covering the full range of insurance buyers and sellers across the United States.
This online survey was conducted across gender, age, geographic region, household income, business revenue, and company size.
Two primary cohorts make up five segments of participants in the RiskScan research:
consumers and small business owners (n=700) and
Insurance industry participants, which included carriers, agents, and brokers as well as middle market businesses (n=600).
Research participants were presented with various risks across five segments and then asked to select their top three risk concerns.
Key Insights
More than one-third of respondents chose economic inflation, cyber incidents, and climate change as their top three concerns based on insurance risks and market dynamics. All three of these reflect post-pandemic news topics. Economic inflation has increased over the last several years. Consumers and small business owners have experienced direct impacts with increased costs and industry participants have seen these impacts on increased replacement costs and P&C insurance premiums.
There are significant disparities in the ranking results between the two primary cohorts within the research. Insurance professionals tend to identify a variety of risks and have significant awareness of all risk categories, including emerging technologies. As expected, these audiences exhibit broader knowledge and awareness of risk transfer and mitigation of new and emerging risks. Consumers identified a smaller number of risks associated with more immediate and direct impacts on themselves.
The structure of RiskScan 2024 research yields a more complete understanding of the “white space” that exists between risk perception and action. The gaps were identified along three key risk areas:
Flood risk
cyber risks, and
legal system abuse
Flood risk was also indicated as one of the chief concerns for each audience. However, consumers lack awareness that flood events are typically excluded from homeowner’s policies. Industry professionals are more aware of flood coverage exclusions, the importance of purchasing flood coverage before a flood event, and the likelihood of these events occurring.
Cyber incidents are a primary concern in all five market segments. Most audiences in the research, both consumer and commercial, feel unprepared as this threat vector is constantly emerging, expanding, and changing. Many people are knowledgeable about cyber risks and are concerned about how to mitigate new cyber threats. Troubling stories have come to light as the frequency and severity of cyber threats grow.
“The knowledge gap about insurance risks demonstrates the continued need for education of consumers and businesses, especially about flood, cyber, and legal system abuse,” says Triple-I CEO Sean Kevelighan. “Increasing knowledge will be instrumental for the collective work needed to better manage and mitigate future risks.”
The report includes additional results for each of the five primary audiences: consumers (n=500), small business owners (n=200), insurance carriers (n=200), insurance agents and brokers (n=200), and middle market businesses (n=200).
Download the full RiskScan 2024report to review the details. Triple-I aims to empower stakeholders by driving research and education on this and other key insurance topics. Follow our blog to keep abreast of these essential conversations.
Targeting of the demographic with the most to lose increases.
In 2023, total losses reported to the FBI’s Internet Crime Complaint Center (IC3) by people over the age of 60 topped $3.4 billion, an almost 11 percent increase in reported losses from 2022. The number of complaints, the highest attributed to a single age group, increased by 14 percent. The average dollar loss per complaint was $33,915, with nearly 6,000 people losing over $100,000 per claim.
The IC3 report outlined several common cyber fraud activities that impact individuals over 60, including:
Call Center/Tech Support Scam
Confidence/Romance Scams
Cryptocurrency Scams
Investment Scams
The IC3 notes the actual figures around these and other cyber crimes targeting the elderly may be higher since only about half of the more than 880,000 total complaints it received (with total losses exceeding $12.5 billion) included age data.
A major reason for the proliferation of elder fraud may simply be that members of this age group are plentiful while also having comparatively the most to steal. Adults 65 and up are expected to make up 22 percent of the US population by 2024. Federal Reserve data indicates that their asset accumulation outpaces that of other age groups, with median and average net worth figures for adults 65-74 at $409,900 and $1.8 million, respectively, and for adults 75 and over, $335,600 and $1.6 million respectively.
Increasing digital lives and advancing technology create new threats.
The transition to the smart mobile and app economy, along with the rise of big data and predictive analytics/AI, and (due to the pandemic) remote working, have transformed the way we engage with the world on a social, professional, and financial level. The Internet of Things (IoT) and each person’s expanding network of personal devices — smart TVs, video game consoles, appliances, home climate control systems, etc. — have propelled the digitization of our existence. All these advancements can make life easier but also increase points of cybersecurity vulnerability for people of all ages.
However, data indicates that different age groups can be susceptible to different methods of targeting by cyber scammers. For example, phishing, which relies on the human tendency to repay what another person has provided, can be more effective for targeting older vs younger adults. Also, today’s consumer under age 25 may never have the need to write a paper check, but many over 65 today have spent a significant portion of their lives handling their financial affairs that way. Thus, the trust placed in tech support people and other personnel whom they are supposed to rely on for assistance is understandable.
Unfortunately, according to the IC3, people over 60 lost more to call center and tech support scams than all other age groups combined, with this group reporting 40% of these incidents and 58% of the related financial losses (about $770 million). Common schemes involved using phone calls, texts, emails, or pop-up windows (or a combination of these) to connect with victims, manipulating them to download malicious software, reveal private account information, or transfer assets. The fallout included remortgaged homes, emptied retirement accounts, and, in some cases, suicide.
New tools and methods increase cyber security threats.
A financial services professional at a Hong Kong-based firm sent US$25 million to fraudsters after she believed she was instructed to do so by her chief financial officer on a video call that also included other colleagues. Deepfakes, one of 2024’s increasingly common cyber risks for businesses and organizations, is on track to become a major threat to personal cyber liability. A technology known as “deep” learning (hence the name) can generate images, videos, texts, or sound files specifically designed to be highly convincing despite being entirely made up.
This content can turn up anywhere on social media, the internet, or even in emails and phone calls, fooling unsuspecting humans, and, all too often, even detection software. Deepfakes aren’t always produced for malicious activities; some are used widely for entertainment. However, the growing sophistication of deepfakes and the availability of the technology needed to make it may have serious implications for cyber risk.
Cyber criminals can leverage this technology to trick victims into divulging sensitive information, transferring money, or performing other activities. Reputations can be damaged by fabricated images of victims engaged in illegal or controversial acts. This type of deep fake can also enable blackmail in exchange for not releasing the material. In addition to impersonating individuals, cyber criminals can use deep fakes to bypass biometric verification or create false advertising.
The options for managing personal cyber risk can differ in crucial ways.
Personally identifiable information (PII) is the primary driver of identity theft and most other cyber fraud. Major data breaches are becoming common place, such as the incident that happened in 2023 (but wasn’t reported until August 2024) that credit exposed 2.7 billion records. Bad actors exploit this kind of information to directly engage in fraudulent transactions or create trust with their targets in more complex schemes.
Thanks to heavy marketing and wide availability from banks and card issuers, consumers tend to be familiar with Identity Theft Protection (ITP). As the name implies, such plans revolve around the risk of stolen identity and can alleviate some of the work and costs related to monitoring and mitigating the fallout from identity theft.
In contrast, Personal Cyber Insurance (PCI) offers coverage for a broader range of losses. Covered risks, in addition to ITP, can include cyber extortion, online fraud and deceptive transfers, data breaches, cyberbullying, and more. An important aspect of PCI is that it can help provide financial reimbursment from covered “cyber scams” or related social engineering risk not directly tied to identity theft, cyber crimes which are on the rise. It also offers assistance and financial reimbursment for compromised devices. For example, if a policyholder is hacked, personal cyber insurance may help cover the costs of hiring a professional to reformat the hard drive, reinstall the operating system, and restore data from the backup.
“Social engineering and other cyber-related threats against consumers continue to grow and evolve, and insurance carriers are offering affordable personal cyber coverage that can be easily added to a homeowners or renters insurance policy,” says James Hajjar, Chief Product Officer at Hartford Steam Boiler (HSB).
HSB, which has been offering personal cyber insurance since 2015, has evolved its coverage multiple times over the years to stay ahead of cyber risk trends and the dynamic threat landscape. Given the increasing complexity of cyber risks and the rise of sophisticated scams — such as phishing and ransomware — that kind of protection shouldn’t be limited to identity theft. Robust PCI coverage safeguards against a range of other cyber-related issues and provides critical support to ensure policyholders aren’t left to deal with the financial aftermath of a cyber incident alone.
“It’s crucial that cyber insurance is specifically designed to help individuals protect themselves against these evolving threats and provides financial security and additional programs and services if someone is hacked,” Hajjar says.
Historically, ITP has been widely offered through banks, credit unions, credit card issuers, and credit reporting agencies. Either product type may be purchased as either standalone or optional add-on coverage for homeowners, rental, or condo insurance policies.
The IC3 says it receives about 2,412 complaints daily, but many more cybercrimes likely go unreported for various reasons. Complaints tracked over the past five years have impacted at least 8 million people. The 2023 Data Breach Report, which details the larger dataset of cyber crime complaints to the FBI’s Identity Theft Resource Center (ITRC), reveals that last year delivered a bumper crop of cybersecurity failures – 3,205 publicly reported data compromises, impacting an estimated 353,027,892 individuals.
A new conversation about personal cyber insurance begins.
Triple-I and HSB are teaming up to uncover ways to enhance support and resources for insurance agents while improving personal cyber insurance options for policyholders. If you are an agent, please take three minutes to help by participating in our survey. Your contribution will be invaluable in shaping the future of personal cyber insurance.
