Those fighting against cybercrime and those providing insurance for it are in a constant race to keep up with new technologies and tactics used by cybercriminals. The landscape is always changing, and staying ahead is crucial.
According to a recent report by Guy Carpenter, the cyber insurance market saw significant increases in rates during 2021 and 2022. However, in 2023, the market began to stabilize. Some areas even experienced slight reductions in rates as the market adjusted throughout 2024. The global cyber insurance market is projected to be worth $16.6 billion in 2024. North America leads the way with $10.5 billion, followed by Europe at $3.9 billion, the Asia-Pacific region at $1.7 billion, and the rest of the world at $0.5 billion. This growth is fueled by industries that are still catching up, developing regions, new products, and a heightened awareness of cyber risks.
North America remains the top player in terms of insurance premiums, particularly in the IT sector. The U.S. is home to nearly 70% of the largest IT firms globally. Although growth in premiums has slowed in the U.S., this is more a sign of market maturity than a lack of interest. Most insurance policies now offer broader coverage with fewer restrictions, especially regarding contingent business interruption (CBI) and ransomware.
While North America shows signs of slowing growth, Europe and the Asia-Pacific regions are experiencing rapid expansion. This growth is beneficial for global reinsurers, as it helps diversify risk and opens up new market opportunities. Insurtech companies and carriers focusing on small and medium-sized enterprises (SMEs) that have been successful in the U.S. are now looking to expand into these growing markets.
However, this growth could also lead to higher aggregated losses. For 2024, the estimated potential for global losses ranges from $20 billion to $46 billion, indicating a possible market loss ratio between 120% and 277%. In Europe, insurance offerings tend to be more conservative, especially regarding contingent CBI and General Data Protection Regulation (GDPR) fines. These restrictions can impact recovery in the event of a cyber incident.
The Asia-Pacific region often has even stricter coverage regarding business interruption and CBI. Many policies do not cover ransom payments, which could significantly affect losses during a cyber event.
The evolving threat landscape has also seen an increase in ransomware activity in 2023 and 2024. Fortunately, improved cybersecurity practices among organizations have prevented a corresponding rise in the severity of these attacks. As a result, many attackers are now focusing on data theft instead of ransom payments, with 90% of ransomware incidents in the third quarter of 2023 involving data exfiltration. This tactic, known as double extortion, poses a major challenge for those responding to incidents.
Ransomware and malware events continue to be the leading causes of losses for the insurance industry, with cloud events resulting in lower losses. Data theft incidents rank third in terms of their impact. Cybercriminals are increasingly exploiting weaknesses in third-party services, which can lead to widespread financial consequences.
In response to the growing cyber threats, underwriters are adjusting their strategies by limiting coverages, raising retentions, and scrutinizing policy limits more closely. There is also increased focus on third-party liability, especially regarding wrongful data collection due to privacy regulations.
North America is the most developed market for cyber insurance, particularly among large corporations. However, there are opportunities for growth in smaller businesses, emerging sectors, and personal insurance lines. Traditional insurers still have strong capacity for coverage, and new capital is being introduced by managing general agents.
As the cyber landscape continues to evolve, both insurers and businesses must stay alert and adapt to the changing risks they face.