Cyber risk remains a top exposure for companies of every shape and size. In our increasingly connected, technology-dependent world, the opportunities for system failure continue to multiply, with ever-expanding ripple effects.

The insurance industry, however, continues to respond. Though coverage terminology is shifting to adapt to evolving threats, capacity remains plentiful as insurers and brokers work to meet the needs of their clients.

Here are the key trends shaping the cyber landscape today, and how businesses and their insurers can work together to mitigate the risks:

1. Ransomware and BEC Remain Top Threats

Siobhan O’Brien, head of cyber insurance, MSIG USA

“Ransomware and business email compromise remain significant threats. The increased utilization of technology in our world, particularly with the hybrid working model and the reliance on cloud sharing, file sharing, and video conferencing tools, presents potential weaknesses if cybersecurity measures are not robust enough,” said Siobhan O’Brien, head of cyber insurance, MSIG USA.

According to the Cyber Infrastructure Security Agency (CISA), 90% of successful ransomware attacks in the US start with a phishing attack. These attacks open the door for bad actors to plant malware within a targeted organization’s system. The consequences can be severe, with sensitive data, customer information, intellectual property, and revenue all at risk. Not all companies have the financial resilience to survive the downtime, loss of income, and reputational damage resulting from such an attack.

Employee training is critical to mitigate this risk. Employees should not only be able to recognize the characteristics of a fraudulent email, but also appreciate their role in protecting their company as a whole.

“Taking the time to train employees is vital because phishing scams can harm individuals and companies in many ways. Phishing training emails and videos may seem simple, but they highlight the importance of being vigilant. Employees must understand the implications of clicking on malicious links to prevent harm to the company and ensure its survival,” O’Brien said.

2. Vulnerability to Non-malicious Events

Increasing interconnectivity and reliance on cloud services mean that an outage can disrupt millions of businesses. The CrowdStrike outage of 2024 exemplifies this. A flawed software update caused a system failure that affected Windows users around the world, impacting industries including airlines, airports, hotels, healthcare, financial services to emergency services and more. Disruptions like this have the potential to bring the global economy to a halt.

Cyber policies are not consistent in how they respond to these unintentional failures.

“The biggest headline event in the cyber world last year was a non-malicious event, which some risk models didn’t anticipate. Some policies have responded positively to such incidents, while others have excluded coverage. Purchasers of cyber insurance will likely seek clarification on the intent of policies to cover non-malicious events without limitations,” O’Brien said.

For insureds, this underscores the importance of keeping technology systems up to date and having backup processes in place, but it also highlights the unpredictability of cyber risk. Insurers, brokers and clients will have to work closely together to identify vulnerabilities, strengthen risk mitigation strategies, and clarify coverage terms and conditions so everyone understands the potential impact of an outage.

3. The Unknown Impact of Artificial Intelligence

Emerging capabilities of artificial intelligence have both positive and negative potential for insurers and insureds alike.

“AI can be very positive from a cybersecurity perspective, enabling better protection through enhanced threat detection and rapid response, but it can also be negative, allowing for an increased frequency of attacks on companies. New technologies often come with both benefits and challenges, so it is important to find the right balance,” O’Brien said.

The risk presented by AI is multifaceted. Companies can employ AI to streamline processes, reduce the risk of human error, boost efficiency and cut costs. But AI platforms also represent another potential entry point for cyber criminals. Perpetrators can also utilize AI themselves to commit fraud, leveraging “deepfake” technology to execute social engineering schemes. There are also broader questions around liability when it comes to decisions made based on AI-driven algorithms.

Despite its many potential benefits, many questions remain around the utility of AI platforms and how best to keep them secure. Insurers and insureds will have to grapple with these questions together as the technology continues to evolve.

“We must continually work with partners to assess the current and future risk landscape. The past is not always a predictor of the future in cyber, as it’s a unique universe with different needs compared to property or casualty insurance,” O’Brien said.

How the Cyber Insurance Market is Adapting

The US cyber insurance market is currently robust, with plenty of capacity available for both primary and excess positions. The number of cyber insurance policies being purchased is increasing year over year, as reported by the 2024 NAIC Report on the Cyber Insurance Market, indicating room for growth in the market.

“According to recent reports from global insurance and reinsurance brokers, the cyber market experienced single-digit decreases in pricing in Q4 in the US,” O’Brien said.

Good risk selection remains critical, with insurers seeking clients who have strong cybersecurity measures in place, such as strong passwords, regular updates to software thorough employee training, and multi-factor authentication.

“Insurers want to understand the security posture of the company, their data encryption practices, their actual utilization of multifactor authentication, strength of the firewalls and ultimately their capability to recover from an incident,” O’Brien said.

“We want to know that the risks being brought to us are well managed, well considered, and well protected,” O’Brien said. “We also look for a partnership, where the client is seeking an insurer who can bring their expertise in cyber protection and ultimately bring partnership in managing the claims handling process. When a cyber incident occurs, clients want to know that their insurer is there, partnering with them and providing the necessary support through a combination of their in-house capabilities and trusted vendors.”

Characteristics of Top Cyber Insurer

As a new entrant in the cyber insurance market, MSIG USA has the advantage of a fresh perspective without any legacy issues.

“While we have the robust infrastructure and financial strength of a 350-year-old company behind us, our team is equipped with the expertise and capabilities to innovate and respond to clients’ cyber needs,” O’Brien said.

This supports the type of collaborative partnership that will be necessary to address cyber risk exposures for years to come.

“From an underwriting perspective, we are assembling a team with deep expertise and a holistic view of our clients’ risks across all lines of insurance. In claims handling, to enhance the capabilities of our in-house claims team, we are partnering with vendors who can help us respond rapidly and diligently to get our clients back up and running,” O’Brien said.

And then there is the sheer scope of MSIG USA’s reach.

MSIG USA currently serves approximately 40+ regions and countries around the globe, with plans to continue growing.

“MSIG USA is uniquely positioned to provide comprehensive strategies that protect clients and help them achieve their goals in today’s technology-driven world. Our aim is to enter the market in the mid-excess capacity but with a view to developing a primary product offering bringing innovation to our products based on client needs,” O’Brien said.

To learn more, visit https://www.msigusa.com/commercial-insurance/.

This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with MSIG USA. The editorial staff of Risk & Insurance had no role in its preparation.