Cyber Threats Intensify as Nearly 9 in 10 Executives Say Their Companies Lack Adequate Protection
The global cost of cybercrime is projected to reach $14 trillion by 2028, a figure that would exceed the combined economic output of Germany, Japan and India, according to a new analysis from Munich Re.
Despite the growing scale of threats, the reinsurer found that the lion’s share of cyber risks remains uninsured — and nearly 9 out of 10 C-level respondents said their companies are not adequately protected against attacks. The findings underscore a widening gap between threat severity and organizational preparedness that risk managers across industries will need to confront.
Claims Patterns Reveal Broad Exposure
First-party claims continue to dominate Munich Re’s actively managed cyber portfolio, accounting for 62% of all claims, with business interruption, privacy liability and incident response driving most reimbursement costs. While headlines tend to spotlight large enterprises, the report found that the majority of cyber incidents and claims affect micro-companies and small and medium-sized enterprises.
Malicious events outpace non-malicious ones at a ratio of roughly 3 to 1, according to the claims data. However, non-malicious losses — often tied to human error, flawed software or pixel litigation — are growing in significance, Munich Re said. Mid-sized and large companies reported a higher proportion of non-malicious events, particularly in IT, health care and finance. The report noted that both categories can trigger extreme loss impacts and are typically insurable, reinforcing the need for organizations to assess their full spectrum of cyber exposure rather than focusing solely on criminal attacks.
Governments, manufacturing firms and technology companies face the highest exposure to attacks from financially motivated threat actors, hacktivists and state-sponsored groups, according to data from Munich Re and Google Mandiant Underwriting Threat Intelligence.
Geopolitics, Supply Chains and Sophisticated Cybercrime Reshape the Threat Landscape
Geopolitical tensions are increasingly spilling into cyberspace, with the boundaries between state-sponsored advanced persistent threats, state-tolerated groups and criminal enterprises growing blurrier, according to the report.
Roughly 64% of organizations expect to be potential targets of geopolitically motivated cyber attacks, according to World Economic Forum data cited in the report. Organizations involved in critical supply chains and infrastructure — particularly in defense, energy, finance and telecommunications — face elevated risk.
Supply chain compromises are becoming a defining feature of the threat environment. More than two-thirds of large organizations experienced at least one third-party cybersecurity incident in the past 12 months, the report said. Future attacks are expected to increasingly involve the impersonation of suppliers and digital service providers, exploiting trust between organizations and their vendors. Rising hyperconnectivity and reliance on cloud providers and content delivery networks compound accumulation risk.
Meanwhile, cybercrime is evolving into a “hyper-organised, service-oriented industry,” the report said, with ransomware-as-a-service providers offering AI-powered turnkey packages and affiliate models. Declining skill and capital requirements are attracting new entrants. Deepfakes, voice clones and synthetic identities are being deployed to circumvent traditional defenses, and markets for infostealers and initial access brokers are diversifying into cloud environments, SaaS platforms and operational technology ecosystems, the report said.
AI Amplifies Existing Threats While Creating New Ones
Agentic AI is expected to shape the scope, speed and precision of both offensive and defensive cyber operations, according to the report. AI systems can already generate deepfakes, build realistic phishing domains and conduct hyper-personalized social engineering — capabilities that will expand attack surfaces exponentially as autonomous agents become mainstream.
Munich Re said it expects agentic AI to affect the frequency of attacks more than their severity in the near term. Insurance lines most likely to feel the impact include system failure and contingent business interruption, incident response, data restoration and cyber extortion coverage. Third-party losses from privacy violations, wrongful data collection and technology errors and omissions may also increase.
Despite concerns, executive sentiment around AI remains broadly positive. Only 23% of executives said AI would negatively affect their businesses, while 66% expected a positive impact, the report found.
Physical AI and robotics represent an emerging frontier for cyberattacks, with more than 4.7 million industrial robots operating worldwide in 2024 and key threats including remote hijacking, malware and data theft that could lead to bodily injury or production shutdowns.
The report compared the cyber protection gap to natural catastrophe coverage, noting that 48% of 2025 natural hazard losses were insured. Achieving similar penetration for cyber insurance remains a significant industry challenge, the report said.

