State of the Insurance Market Report
2025 Initial Outlook and 2024 Wrap-Up
Cyber
The cyber landscape continues to evolve rapidly, as new risks and exposures continue to emerge. This includes artificial intelligence (AI)-related risk, pixel tracking litigation, and prominent systemic events such as CDK and Change Healthcare, and Crowdstrike. While capacity remains, ransomware attacks are resurging, raising insurers’ concerns.
Carriers are maintaining strict underwriting scrutiny. Organizations are generally seeing a decrease in cyber premiums, at the rate of 5% to 10%. However, those organizations with layered cyber security controls are experiencing premiums decreases of up to 20%, sometimes more.
Insurers are keeping a close watch on AI. New AI tools are aiding cyber risk management, but cybercriminals can also leverage AI to do harm. We see some carriers inquire about the use of AI and governance around it. Companies using AI tools to improve cybersecurity may qualify for better rates and terms.
Insurers have yet to experience the full impact of recent systemic cyberattack events with CDK, Change Healthcare, and Crowdstrike, but they are continuously monitoring any claims activity and losses arising from these events. So far, these events have not negatively impacted the rates but have increased underwriting scrutiny with respect to supply chain usage.
Cyber Rate Forecast |
||
| Entities with Good Controls: |  |
-5% to -10% |
| Entities with Layered Cyber Controls: | |
-20% |
Multi-factor authentication (MFA) for remote access and privileged accounts.
MFA uses a two or more-authentication verification system to give users access to accounts, applications, virtual private networks (VPN), and more. MFA goes beyond a username and password for additional verification, mitigating cyber threats.
Endpoint detection and response (EDR) provides real-time visibility across all endpoint activity by detecting red flags such as malicious behavior.
Additionally, it can analyze endpoint data and respond to threats. We are now seeing EDR tools use AI technology to assist with identifying malicious behavior and we expect this to increase.
Security training to help employees recognize common cyber threats, such as phishing scams, social engineering, poor password hygiene, and other risks.
It is preferable that training tools use analytics to help organizations determine which of its employees require re-training with respect to identifying email scams and using weak passwords.
Frequent, secured, encrypted, and tested backups for important records and data to be stored offsite, including business contracts and licenses, meetings, patents, trademarks, shareholder stock records, and important documents.
Privileged access management (PAM) to mitigate the risk of privileged access.
The core capabilities of PAM include discovery of privileged accounts across multiple systems, infrastructure, and applications; credential management for privileged accounts; credential vaulting; and control of access to privileged accounts.
Email filtering and web security to eliminate spam.
This basic, but important, filtering system should be seen as a foundation of cybersecurity, analyzing emails for phishing and other red flags, and dumping them into a separate folder.
Patch management and vulnerability management in tandem, to unveil and prioritize risks based on their individual threat level, as well as amending said risks by automatically upgrading software to its most recent version.
Incident response and business continuity plans to allow an organization’s IT team to detect any red flags and provide the time necessary to respond and recover from incidents, such as service outages, cyberattacks, or data loss.
Our Cyber Liability insurance team has the scope of products and deep expertise you need to meet today’s challenges.
Download the Report
Our industry and product line specialists have collaborated to provide an update on current trends and market conditions. We invite you to explore their insights by downloading our latest State of the Insurance Market Report.