Given cyber crime incidents are now estimated to cost the world economy in excess of $1trn a year –around 1% of global GDP – it is no surprise that cyber risk regularly ranks as a top customer concern in the Allianz Risk Barometer, our annual survey identifying the top business risks around the world (including finishing #1 in the 2022 edition). Indeed, AGCS’ own insurance industry claims analysis shows that external attacks are responsible for more than 80% of the value of the 3,000 cyber‑related claims we have been involved with over the past five years around the globe.

This report highlights some of the main cyber risk trends we see from an underwriting, risk consulting and claims perspective, such as the growing cost of ransomware attacks – which has been the major loss driver in recent years, the targeting of more smaller‑sized companies by hackers, the increasing frequency and sophistication of business email compromise attacks in the ‘Zoom and deep fake era’, as well as the impact of wider geopolitical tensions.

Our analysis shows that business interruption is the main cost driver in more than 50% of all cyber claims we participate in, and the report also highlights some of the major exposures that can result in large loss activity for companies. Of course, almost any cyber incident can also lead to litigation or demands for compensation from affected customers, suppliers and data breach victims, and elsewhere we look at the continuing evolution of third‑party liability exposures, and how cyber security is increasingly seen as an environmental, social, and governance (ESG) issue. We also examine how a talent shortage is hindering efforts to improve cyber security.

In response to the challenging loss environment of recent years, the insurance industry is more diligently assessing clients’ cyber risk profiles and clarifying coverage areas in a bid to incentivize companies to improve cyber security and risk management controls.

Our experience shows a number of companies still need to improve their frequency of IT security training, cyber incident response plans and cyber security governance. Incident response is critical as the cost of a claim quickly escalates once business interruption kicks in.

It is clear that organizations with good cyber maturity are better equipped to deal with incidents. It is not typical for us to see companies with strong cyber maturity and security mechanisms suffer a high frequency of ‘successful’ attacks. Even where they are attacked, losses are usually less severe.

The good news is that we are now seeing a very different conversation on the quality of cyber risk than we were a few years ago and are therefore gaining much better insights as the cyber insurance market matures. Insurers have a role that goes beyond pure risk transfer, helping clients adapt to the changing risk landscape and raising their protection levels. The more we can partner with our clients the more losses will hopefully reduce in future.

About the author

Kwame Anane