A vast landscape of ever-increasing threats, crowded with dangerous actors and considerable perils. A marketplace of traders selling a variety of protections, some more comprehensive and stronger than others. The boundary lines between protection and loss can vary drastically, and the difference can be potentially catastrophic. Against that perilous backdrop, it is unsurprising that cyber insurance has been dubbed the “cyber frontier”.

Cyber insurance continues its upward growth trajectory as the fastest-growing global insurance product. Prompted by rising global cyber threats, an increasing number of businesses worldwide, across industry sectors, are either purchasing standalone cyber coverage for the first time or broadening the scope of their existing coverage.

For a product line still in its relative infancy, policyholder appetite means there are now 77 cyber risk insurers operating within the Lloyd’s market, each competing for market share by offering increasingly tailored products, bespoke wordings and coverage extensions.

The wide variance in coverage currently offered by cyber policies, combined with the lack of market standard terms and conditions, means disputes arising out of nuances in policy wordings are increasingly likely. The risk of dispute is further exacerbated by the fact that novel distinctions in policy coverage are often not alighted upon until after the loss. Plus, a total absence of judicial authority on the interpretation of cyber insurance clauses means the potential for cyber coverage litigation is ripe.

For that reason, the cyber market is understandably becoming increasingly wary of the national or global damage that a systemic cyber event might cause. The recent global CrowdStrike outage brought to the forefront market-wide queries around how cyber insurance might respond to cover the estimated billions of dollars of business interruption losses in that instance. Below, we comment on some of the developments in the cyber insurance market and give our outlook for 2025.

Top 3 cyber risks from 2024

  1. In July 2024, CrowdStrike’s security software outage caused widespread interruption to businesses in all sectors around the world, with those in the travel, healthcare and financial services industries particularly affected.
  2. State-backed cyber warfare remains firmly at the top of the agenda when reviewing systemic cyber risk.
  3. The extent to which insurance policies might indemnify regulatory fines is an issue being discussed more frequently in the UK and other jurisdictions. This is particularly so in the context of the UK and EU General Data Protection Regulations (GDPR), where levels of enforcement and regulatory fines are now at headline levels.

Looking ahead to 2025

As the cyber threat landscape continues to evolve and expand rapidly, the scope of coverage is shifting. A wide variance of cover is available through the market, and not all policies are created equal.

Businesses should continue to review the policies they have in place carefully to ensure they are comfortable with the coverage provided. In addition to the issues already discussed, looking ahead to 2025, the following points are likely to become increasingly relevant to coverage and risk management:

  • How will the business and policy respond in the event of a major cyber event? Does the policy have limitations on attribution, cause of loss, geography or industry sector?
  • What is the scope of coverage for emerging cyber risks, such as generative artificial intelligence (AI) risks?
  • Is there sufficient business interruption cover, and will it respond to indemnify losses flowing from third-party system failures or other vulnerabilities in the supply chain? How does the deductible or waiting period apply, and is the indemnity period sufficient if there is a major cyber event?
  • Does the policy allow for multiple occurrences, do the limits aggregate, and are reinstatements available?
  • Does the business have appropriate cyber security measures in place, and is the information in the proposal form accurate and maintained? A lack of multifactor authentication discovered following a cyber incident continues to be a focus area, and the level of detail required in some proposal forms is increasingly
  • Are the directors and officers sufficiently engaged in cyber security and regulatory compliance?

 


 


This article is an extract from The Policyholder Review 2024/25, a detailed review of and commentary on the key developments and trends across various commercial lines of insurance.
