Cyber: more severe and sophisticated

As digital footprints deepen, exposures to cyber risks increase, according to a major new report by Swiss Re.

The report, Cyber insurance: strengthening resilience for the digital transformation, says that the digital shift accelerated by the pandemic is anticipated to change how society functions over the coming decades: the way we work, do business, consume, educate our children, manage and source energy, entertain and seek medical support. 

But as digitalisation proliferates, it adds, so too do exposures to cyber-threats: the pace of technological change, the rising awareness of cyber risk and the adoption of cyber hygiene practices to keep data and networks secure, are not synchronised. Rather, it seems as if a legacy of outdated security protocols, IT systems and regulatory frameworks are only slowly catching up with technological realities. This opens the door to rogue actors seeking to exploit digital vulnerabilities for financial, reputational or geopolitical gain. 

According to Swiss Re, the scope and frequency of cyberattacks are increasing, and today ransomware is seen as the predominant risk for businesses. In 2022, cyber incidents top Allianz’s risk barometer for the first time, ahead of business interruption and natural catastrophes risks. Computer security firm McAfee estimated the total annual cost of cybercrime at $945 billion in 2020,2 two-thirds of which was attributable to intellectual property theft and financial crime, while the direct costs associated with the four most common types of cyber-incidents in the US quadrupled to an average of $100 000 per incident since 2016.


Looking at ransomware alone, NetDiligence finds that 70% of ransom attacks conducted since 2017 have occurred in the last two years, with severity at an all-time high in 2021 (average ransom of $750 000, more than twice the 2020 figure). In a recent survey of the world’s top cyber leaders, 50% indicated that ransomware attacks on their organisation are among their greatest cyber risk concerns, followed by social-engineering attacks and malicious insider activity.

With the advance of technology, the report adds, the sophistication of ransomware attacks has grown considerably: “The emergence of cryptocurrencies has provided an easy, but hard-to- trace method of receiving payments from victims, while advances in artificial intelligence (AI) analytics is expanding both attack and defence capabilities. Ransomware actors now employ up to three extortion techniques. They encrypt and extract a company’s data against two separate ransoms – the first to unblock the firm’s system and the second to not disclose the data (double extortion). Hackers can then leverage the stolen data to extract a third ransom from its primary owner (triple extortion). Sometimes hackers continue their attack until the company has fixed its security protocols (re- extortions).”

The types of financial loss associated with these attacks have also evolved, it adds: “Whereas traditional risks confronting businesses were concentrated around third-party data protection and privacy liability, in recent years claims have been largely dominated by ransomware attacks and there has been a shift towards the insured core business. Companies hit by a ransomware attack face several first-party loss elements such as the ransom itself, forensic and data restoration costs, and the business interruption (BI) suffered as a result of disruption to operations. Firms can also suffer reputational harm, undermining their relationship with customers12 and also their market capitalisation.”

Key takeaways:

The digital shift accelerated by COVID-19 has created new cyber vulnerabilities 

Reported ransomware incidents and their severity have skyrocketed in recent years, with monetary estimates of global 2020 cyberattack losses at around USD 945 billion. The types of attacks and targeted sectors have also evolved. Cyber criminals have small and medium enterprises on their radar, particularly in the healthcare, professional and financial services sectors. Digitalisation of industries, including the healthcare and critical infrastructure sectors have increased cyber-vulnerabilities across entire supply chains. 

Meanwhile, the cyber insurance market has been growing fast 

Risk management efforts and cyber insurance premiums have expanded in response to the surge in incidents, with $10 billion premiums written globally in 2021. Cyber risks originally centred around data breaches and third-party liability, but ransomware attacks have shifted damages to the core business and first-party liabilities. We expect premiums to grow to $23 billion by 2025 but even so, the market remains small relative to a fast-evolving risk. 

Cyber insurance profitability deteriorated as ransomware attacks skyrocketed and stabilised as underwriting actions took effect 

Loss ratios for US standalone cyber insurance policies spiked in 2020 before improving slightly in 2021 as a result of price increases, stricter underwriting standards such as requirements for multi-factor authentication, and tighter terms and conditions including sub- limits and coinsurance. But they remain elevated, especially considering the necessary catastrophe load for a potentially systemic loss. 

Undiversifiable aggregation risk and the fast-changing nature of cyber bring 

increased uncertainty, and a call for new solutions 

These solutions include coordinated industry efforts to standardise data and policy languages. Improved modelling capacity (both scenario-driven and data analytics-based) and upgraded cyber skills would help address quantification shortcomings. Altogether, this would help reduce uncertainty, lay the foundation to attract new sources of capital and thereby activate a market for cyber insurance- linked securities (ILS). 

This is an abridged and edited version of Cyber insurance: strengthening resilience for the digital transformation. To access the full report, click here.

Risk management efforts and cyber insurance premiums have expanded in response to the surge in incidents, with $10 billion premiums written globally in 2021.