Cyber Insurance: Risks and Trends 2025

    In July 2024 a faulty update of cybersecurity service provider CrowdStrike caused widespread disruptions across millions of Windows systems globally. Although not a malicious attack intended to cause harm, the effects of the event led to one of the largest IT outages on record, hitting critical operations in key industries and sectors such as airlines and airports, banks, stock exchanges, technology companies and healthcare services. The shockwaves from this event brought into sharp focus the vulnerability of our digital world. 

    Key stressors in our highly dynamic cyber landscape include supply chain dependencies, the effects of geopolitical conflicts and the increasing sophistication of cyber threat actors – the culmination of which is the capacity to heavily impact economies and societies. 

    Munich Re expects the global cyber insurance market to reach USD 16.3bn in 2025. To date, the market has proven itself to be capable and efficient in sheltering those insured critical digital assets needed to run the daily operations of organizations of all types and sizes - from micro-, small- or medium-sized businesses to large corporate enterprises. The global insurance industry can withstand multiple extreme cyber exposure scenarios, such as those that may arise from widespread malware attacks or large-scale outages of cloud service providers. Rapid, simultaneous risk changes due to technological, geopolitical and market-specific factors present insurers with both challenges and opportunities.

    Stefan Golling, Board of Management member responsible for Global Clients and North America: “In today's technology-dependent world, organizations can only be successful if they strengthen their digital defenses with robust, multi-layered risk management. Cyber insurance is an effective component in this approach. Munich Re provides cyber capacity and expertise so that our clients can grow their business with confidence.”

    This report provides an outlook on the cyber risk landscape and the surrounding dynamics affecting cyber insurance and market demand.

    Cyber Risk Landscape - major loss drivers

    The cyber risk landscape shows an increase in the scale and impact of cyber-attacks and cybersecurity incidents, with four types of attack making up the lion’s share of cyber losses:
    Munich Re and Mandiant Cyber Underwriting Threat Intelligence data shows that, in an analysis of industries and sectors, the government, manufacturing and technology sectors seem particularly prone to cyber-attacks. The following ranking highlights sectors affected by cyber-attacks from financially motivated threat actors, hacktivists and state sponsored actors.
    Regardless of industry, size or location, the analysis clearly shows that no organization is immune to falling victim to a cyber-attack. Comparably, a global survey by Munich Re found that 87% of C-level respondents consider their organization’s protection to be inadequate. Many micro and small sized businesses fall prey to cybercrime, not because they are singled out by threat actors, but because opportunistic attackers widely take advantage of weak cyber-security implementation by simply harvesting “low hanging fruit”.

    Ransomware attacks: high in profile and scale

    With regards to ransomware, there is an unrelenting trend of Cybercrime-as-a-Service, with offerings ranging from platforms to subscription-based malware or AI-enabled hacking tools. These developments will continue to lower the barriers for entry for the criminal ransomware business. A further increase in the frequency, automation and sophistication of ransomware attacks is to be expected. AI, in particular, will drive the scale, speed and precision.
    • In 2024, ransomware attacks showed a significant year-over-year increase of approximately one quarter. Only a mere 15% of ransomware attacks are made public. The level of data exfiltration nearly doubled. 
    • 2024 saw the emergence or rebranding of 33 threat actors, contributing to a total of more than 5,000 leak site posts from 75 active groups. The landscape remains rather dynamic, despite targeted law enforcement operations, e.g. in February 2024, authorities from the US, UK, and Europe successfully disrupted LockBit, a leading ransomware group, and took down 34 servers worldwide.
    • Major attacks in 2024: Victims of AlphV (BlackCat) included US health company Change Healthcare, with hundreds of disruptions to applications in pharmacy services and hospitals and the medical records of over 190 million patients being hacked. The ransom paid was $22 million, but the overall impact on UnitedHealth Group is expected to be in the region of USD 2.4bn. In another attack, BlackSuit demanded ~USD 25m from software provider CDK Global, the attack disrupting operations at thousands of car dealerships in North America. Collective losses were estimated at a record sum of approximately USD 1bn. In yet another incident, more than USD 370,000 was paid in cryptocurrency after the ShinyHunters group demanded ransom from AT&T for millions of stolen customer call records. 
    • A record ransom of USD 75m was reportedly paid by a Fortune 50 company to the Dark Angels ransomware gang. 
    Munich Re claims data shows the following ranking of ransomware losses by industry sector:
    Furthermore, the Munich Re Cyber Data Analytics Team observed that ransomware was the leading cause of cyber insurance losses. Manufacturing was again identified as the industry with the highest proportion of ransomware claims among all claims for that segment; the healthcare segment ranks second. For ransomware losses, business interruption (BI) accounts for the largest share of costs (51%) among all cost components. The BI risk due to cyber-attacks is increasing across all sectors.

    Online scam: Fraud from factory

    In what is known as Business Email or Business Communication Compromise (BEC/BCC), attackers deceive individuals in organizations in order to obtain money or sensitive information by spoofing, posing as trusted entities (e.g., CEO, supervisor, person of authority). Attackers utilize multiple channels (emails, phone calls and messaging apps), with the intention of enticing the targeted individuals to act using a less secure personal device, bypassing corporate-level security controls, and ultimately swapping sensitive information without corporate oversight. From small local businesses to larger enterprises and in-person transactions, BEC and BCC scams continue to thrive. The following key facts underline the level of urgency:
    • Incidents surged in 2024, after a 9% increase in identified global losses in 2023. Email remains the number one threat vector, and the advent of GenAI-powered attacks makes BEC/BCC even more dangerous. The FBI estimates that global losses over the last decade have been in excess of USD 55bn. 
    • The United States Institute of Peace (USIP) estimated that approximately 500,000 people work directly - although not always voluntarily - as scammers in agile networks, mostly from fraud factories in South-East Asia. 
    • AI-driven BEC scams: Gen-AI tools exacerbate personalized social engineering attacks by scaling them up to be extremely targeted (e.g., by language). The tools mimic real interaction; in the future they may even be able to mimic local accents.
    • Vishing (voice phishing), insider threat operations and VEC attacks (Vendor Email Compromise) saw a particular increase in the second half of 2024, all of which threaten normally trusted relationships.

    Data breach: Logins for sale

    Data breaches remained at a high level, with the average cost of a breach rising by 10% to an all-time high of USD 4.88m. Particularly (but by no means exclusively) in the US, lawsuits following sensitive data breaches have become common, typically resulting in settlements with individual victims receiving small payments, which in the context of a class action can amount to millions. More regulation and tighter compliance requirements are expected to further drive this development.  

    Following data breaches, leaked PII data (personally identifiable data) and critical information such as login credentials are frequently offered for sale on dark web forums. This often paves the way for further cyber-attacks or fraudulent activities.

    • Taking known instances into account, it is estimated that the exploitation of data leaks increased eightfold in 2024, with approximately 5.5 billion accounts compromised. 
    • The magnitude and high profile of “mega-hacks” such as the far-reaching incident at Change Healthcare may give a distorted picture, since every size of business is at risk. New levels of automation will increasingly enable actors to easily focus on vulnerable spots including micro- and small sized businesses.
    • More than a third of the data breaches involved shadow data, i.e. data created, stored or shared without being formally managed or controlled by responsible IT teams. Those breaches generally take longer to be contained, and also lead to higher costs.

    Supply chain vulnerabilities: Societies’ Achilles’ heel

    One of the most pressing cyber risks lies in the vulnerabilities of supply chains, which have been identified by criminals and state-sponsored actors alike as the “Achilles' heel” of economies and social infrastructure. Digital bottlenecks will continue to pose major risks from software compromise, managed service provider compromise or single service disruption – to name just a few but very common supply chain risks.
    • The WEF indicated that 45% of organizations expect to face significant cyber-attacks on their supply chains by 2025. 54% of large organizations highlight supply chain challenges as the greatest barrier to achieving cyber resilience.
    • The cost of software supply chain attacks to businesses is anticipated to rise to USD 138bn by 2031, a significant increase from USD 60bn expected in 2025. 
    • Critical providers that are prone to systemic vulnerabilities, such as cloud providers with a high degree of global dominance, should be given particular attention. The underlying challenge is highlighted by the fact that an estimated 75% increase in cloud intrusions was observed during 2023, mostly rooted in weak credentials and misconfigurations.

    Major cyber trends in 2025 and beyond

    In addition to the evolving types of cyber-attacks, overarching trends strongly influence the cyber risk landscape. Most notably, AI ranks as the top major challenge for cyber-security. Regulation, IT skills shortages, technological advances and geopolitical tensions are also identified as key “trendsetters” for cyber (in)security.

    Artificial intelligence: Both weapon and target

    Companies are adopting AI first and foremost to boost efficiency and innovation. The phase of mere experimentation clearly seems to have come to an end; it is time to scale up in defined fields. Most common use cases are customer service, digital assistance, research and development, content production, product recommendation, and, last but not least, cyber-security.

    Unfortunately, this surge in AI adoption also supports criminal groups and other cyber threat actors; they test, implement and develop AI technologies to increase their efficiency and gain a competitive advantage. 

    In the future, attackers will significantly innovate their “value chain” and further automate and enhance all phases of a cyber-attack – the so-called cyber kill-chain – for example, through phishing campaigns, zero-day exploitations or malware coding leveraged by using AI. The emergence and application of multi-agent AI systems for good and evil will evolve. Cyber experts expect to see the democratization and commoditization of GenAI and machine learning related capabilities for offensive, but fortunately also defensive purposes. The adaptation of GenAI will lead to a new normal that challenges defenders with speed, scale, and prospectively with boosted sophistication. 

    Beyond AI driven cyber-attacks, Munich Re’s Internal Risk Management Department focusses on the following most significant challenges and threats: 

    From a risk accumulation perspective, Munich Re’s cyber actuaries and accumulation experts see a requirement to closely monitor the impact of AI. Another crucial aspect to continuously analyze in future is the influence of AI on the claims experience. Since AI enhanced cyber-attacks can especially increase the frequency of claims, this may impact events usually covered by cyber insurance, like business interruption, data breach liability, data restoration or effects of ransomware attacks. While losses from AI driven cyber-attacks are typically covered in cyber policies, the implications of other risks associated with the adaptation of AI – such as model manipulation, data poisoning, liability arising from hallucinations or wrong output as well as IP infringement – are often not explicitly mentioned in insurance wordings. Innovative products like Munich Re’s aiSure™ – covering the performance of AI solutions – will close potential protection gaps.

    Nation-state cyber activities: Digital battlegrounds

    Geopolitical power plays, acute international crises and the impact of technology-induced nationalism add new dimensions and dynamics to the challenge posed by cyber threats. The activities of state-sponsored threat actors, hacktivists and criminals introduce a whole new array of tools and tactics. Some nations are temporarily allying themselves with criminals. Geopolitical adversaries are using cyber-attacks on critical infrastructure as a powerful addition to their digital arsenal. Such attacks are on the rise across the world, threatening to jeopardize national security and economic stability as they seek to access and disrupt control systems. The energy, transport and telecommunications sectors have become key targets. Between January 2023 and January 2024, critical infrastructure worldwide was exposed to over 420 million attacks – an increase of 30% since 2022. 

    The most common forms of nation state attacks include living-off-the-land attacks (LoL), in which intruders use legitimate software and system-specific functions to carry out malicious operations on the system. Other types of attack include cyber espionage, attacks on the supply chain, zero-day exploits, stealth implants and Distributed Denial of Service (DDoS) attacks, which remain effective by flooding a target server with fake traffic, rendering it unavailable. Both DDoS and severe ransomware attacks are no longer just a cybersecurity or cyber insurance issue – they have become a national and global security threat. Advanced persistent threats (APTs) remain one of the most serious challenges in cyberspace. APT groups, often backed by state actors, use sophisticated methods to infiltrate critical infrastructure and strategic companies over a prolonged period of time.

    Wars and tensions will further drive cyber-attacks as a means of geopolitical warfare, and disinformation and unverified content will remain critical components of hybrid geopolitical power plays. 

    Mis- and disinformation: High stakes

    According to this year's Global Risks Report by the World Economic Forum (WEF), mis- and disinformation, i.e. false information and maliciously deployed fake content, once again pose the greatest global risk for the immediate future. This conclusion is due to both geopolitical stress and the expectation that AI tools could facilitate attackers in massively amplifying manipulation. One extensive method analyzed is “LLM grooming”, in which large language models (LLMs) are deliberately flooded with propagandistic content to influence chatbot results.

    Studies (e.g., from the Alan Turing Institute) analyzing the electoral environments of the past year show that it is difficult to differentiate between AI- and human-generated misinformation and disinformation. While a worldwide science-based dialogue on disinformation as a serious risk has recently been initiated, the attitude of global technology companies towards the necessity of fact-checking is subject to change. 

    Disinformation is also spreading to the corporate sector, with AI driving the risk and social media allowing for expansive reach. In addition to monitoring, anticipating campaign fields and, in an emergency, identifying sources of disinformation, companies must do good ground work by consistently building credibility in advance and ensuring transparency. While there is potential and justification to use AI tools for these tasks, humans remain crucial in building trust. Gartner anticipates that corporate spending on combating misinformation will exceed USD 30bn by 2028, and consume 10% of overall cybersecurity budgets.

    Quantum computing security: The race is on

    While the inception of quantum computing technology dates back to the early 20th century and it is still in its early stages, developments related to the associated decryption capabilities are undoubtedly accelerating. In August 2024, the U.S. National Institute of Standards and Technology (NIST) finalized its principal set of encryption algorithms to withstand cyber-attacks from a quantum computer. Traditional encryption methods like RSA (Rivest–Shamir–Adleman), a public key cryptosystem widely used for secure data transmission, will in future be vulnerable to quantum-based decryption, but should continue to offer sufficient protection through at least 2030. Transition to new standards is therefore imminent; attackers are said to be already stealing data today to get a head start on decryption once quantum computers are sufficiently powerful.

    Robotics, OT and IIoT: Redefining boundaries

    The number of devices in areas of IT (Information Technology), IIoT (Industrial Internet of Things) and OT (Operational Technology used in productive environments) will continue to increase. At the same time, the convergence between IT and OT and legacy OT-systems or machines poses a challenge to security. On the upside, risk owners will benefit from the ongoing integration of IT, IIoT and OT, e.g. in terms of advanced monitoring and analytics, real-time data sharing and optimized business operations.

    The robotics industry will play an ever more significant role in many business operations. In recent developments, robots were trained with large language models designed specifically to better steer them. As a result, robots have been able to improve their performance by adapting to new situations, reacting more quickly to verbal instructions and handling objects more skillfully. In future, the integration of AI empowered robots will add another unprecedented layer of autonomous business processes. The fusion of OT, IIoT and robotics will redefine the scope of possibilities across sectors ranging from healthcare (e.g. medical service or surgical robots) to neuro-robotics, environmental sustainability, manufacturing, defense and space. For tapping into the true potential of robotics while managing the risks, cyber insurance will be key to supporting long-term business performance.

    In a deeply digital world, cyber threats remain by nature an extremely dynamic force. Financial and reputational stability for any organisation depends on sound cyber risk management, of which insurance has proven to be a key element. Munich Re has been taking a leading responsibility for over a decade, helping clients to build cyber resilience and actively contributing to the development of a reliable cyber market offering. To that end, Munich Re considers five investments to be of lasting importance: the combination of multidisciplinary domain expertise, the focus on more and ever-better data on risk trends, losses and incidents, needed for continuous advancements in underwriting and modelling, a clear definition of security standards for insureds, and transparency with regard to insurers’ risk appetite.

    Untapped potential: Significance of Cyber insurance on the rise

    The global cyber insurance market is further maturing and is stable. This S&P Global Ratings' assessment recognizes solid profitability of risk coverage over the past two years and its expected trajectory in 2025, despite increased competition and a rise in sophistication, severity and frequency of cyber-attacks in a more hostile environment. The insurance market offers reliable capacity for commercial and private cyber policies. Rate increases, which boosted growth particularly in 2021 and 2022, have now led to a period of stabilization. However, the cyber insurance market is set to experience steady growth in the medium term, driven by the increasing digitization of businesses across all segments, more frequent and severe cyber events, digital interdependencies and heavier regulation.

    Cyber insurance market trends

    According to Munich Re estimates, the global cyber insurance market totaled USD 15.3bn in 2024. This corresponds to less than 1% of the global premium volume for Property and Casualty insurance in 2024, which underscores the enormous potential for the insurance industry going forward. Although cyber premium growth slowed in the past two years, Munich Re’s experts expect the global premium volume to more than double by 2030, growing at an average annual growth rate of more than 10%.

    Thomas Blunck, CEO Reinsurance: “As digitalization advances, cyber protection against one of the biggest threats to economy and society is becoming more and more important. And yet, a large number of organizations lack adequate safeguards and coverage. Munich Re strives to reach the still un- and underinsured, we aim to increase cyber resilience and progressively close a critical protection gap.”

    North America once again proves to be the largest cyber insurance market with total premium of USD 10.6bn and a 69% share of global premiums in 2024. Europe’s total premiums for 2024 were USD 3.3bn, accounting for 21% of global premiums and showing a compound annual growth rate (“CAGR”) of 26% (2020 – 2024). Europe and Asia/Oceania are expected to increase their share of the global market; by 2027, Europe is expected to account for 24% of global cyber insurance market premium and Asia/Oceania for 8%. Overall, experts at Munich Re expect cyber insurance to remain one of the most rapidly growing sub-sectors of the global insurance market. Large corporations continue to account for the majority of premiums, while small and medium-sized enterprises (SMEs) largely bear their cyber risks independently or simply lack sufficient awareness of the exposure to prompt them to buy adequate cyber insurance.

    The capability of the cyber insurance industry, driven especially by knowledge and commitment of the reinsurance segment, to provide sophisticated risk modelling and stable capacity will remain one of the key pillars for the overall development of the market. Good judgement and discipline are mandatory for all players in the face of the enormous loss potential. Studies show that the modeled accumulation potential for the global industry (with a return period of up to 200 years) is currently estimated at between USD 20 and 46bn. Guesstimates of the global cybercrime costs are in an even higher range: from USD 1 to USD 9.5 trillion by 2024. 

    Protection Gap

    Given the huge loss potential and high virulence of the current risk landscape, the fundamental value of insurance speaks for itself. Solid risk expertise and advanced accumulation modelling are required to ensure sufficient capacity in a sustainable market. Nevertheless, the vast majority of cyber risks are still uninsured. Whether inadvertently overlooked or overconfidently ignored, cyber risks can pose a threat to the very existence of an organization. In difficult economic times, the very real risk of not being able to recover from a security incident or cyber-attack should outweigh expenditure concerns by far. 

    The cyber protection gap has a direct impact on the well-being and economic prosperity not only of individuals and companies, but of society as a whole. Looking forward, the insurance industry will continue to focus on managing risk exposure for as many insureds as possible and on establishing the long-term insurability of cyber risk. To underwrite risks that have previously been uninsured or underinsured, providers need risk-adequate pricing, innovative products, well perceived services, risk transparency and robust risk modelling capabilities. 

    Jürgen Reinhart, Chief Underwriter Cyber: “Large-scale attacks, non-malicious outages and critical dependencies are cyber risks insurers are able to address. While challenging, understanding accumulation scenarios and systemic cyber risks is key to further industry growth. Munich Re keeps investing in cooperation, data analytics and modelling, as the solid groundwork for sustainable market expansion.”

    The expansion of the cyber insurance offering is increasingly in line with greater risk awareness among businesses. More and more risk owners are recognizing the value of preventive cybersecurity; and in doing so are fulfilling one of the pre-requisites for insurance. Together, these risk management building blocks work efficiently and sustainably.

    Munich Re’s priority is to further bridge the protection gap, especially for smaller and medium organizations. Strategic partnerships and risk understanding will play a vital role in driving innovation and offering comprehensive insurance solutions and services. By collaborating with tech vendors, cybersecurity experts, industry specialists and governmental bodies, our clients, brokers and insureds can tap into top expertise to stay ahead of technological advancements. Our collaborative networks will foster a culture of continuous learning and adaptation, enabling risk owners to respond adequately to emerging risks and challenges. 

    Experts

    Axel von dem Knesebeck
    Corporate Underwriting Cyber
    Martin Kreuzer
    Senior Risk Manager Cyber Risks