Delivering an update on the key trends impacting the cyber insurance market at the 2025 Financial Lines Forum in Zurich, Gülşah Dagdelen (pictured), cyber underwriting manager - EMEA at Tokio Marine HCC International noted that cyber exposures are changing on an almost daily basis.
Speaking with Insurance Business at the event, she highlighted how the greater automation of new technologies is changing the nature of the cyber risk facing insureds – both in terms of their exposure to these technologies and their ability to defend themselves against them. “Take for example, the Allianz Risk Barometer, which shows that cyber is still the top risk facing companies, but this year is also the first time AI made it on to the barometer, and directly into the top 10.
“So, it’s clear that cyber is an evolving risk. But while we’re seeing an increase in cyber claims notifications, the severity is better compared to previous years. That makes cyber very interesting to the market and is encouraging some players to come back into the market or to enter the market for the first time. So, we have huge capacity available at the moment in all markets for cyber, which is very good for clients.”
While there’s a lot of conversation in the market about getting the balance of pricing versus having the right terms and conditions for cyber policies, for Dagdelen, the real point of focus for the market needs to be around risk assessment. In talking to different insurance companies, you see that a ransomware attack is not always identified as such in claims information, she said. One might say it’s a business email compromise, while another says that because it’s a business email compromise caused by a ransomware attack, it should be classified as ransomware.
This makes it very difficult for insurance companies to effectively analyse this data and understand the cause of loss under the terms of the policy. This is where risk assessment is so critical, she said, as it’s the key to the cyber insurance market remaining viable and sustainable. “Risk information doesn’t only give us information but, when it’s played back to the clients, it raises awareness which is very important.
“It’s not about the amount of risk information requested; it’s about the quality. That quality is changing, and it has to continue to change because the technology is evolving. For example, where we started in cyber, the market was asking if the client is using MFA, the client would say it was using MFA somewhere, but we still see MFA as one of the main causes of cyber incidents. So, maybe the question isn’t whether the client has MFA but rather if they’re using it on all critical access areas points.”
As to where the cyber market goes next, Dagdelen emphasised the challenge facing the sector amid the rapid evolution of technology, and the increasing role AI is playing on both the defence and attack side of the cyber risk equation. With attacks becoming cheaper, more scalable, more personalised and more automated, insurance companies have to think carefully about how they can create cyber solutions built for the long-term, she said, and it all comes back to effective risk assessment.
“We have to adapt our risk assessment to the current technological advances that the clients are facing, and we can only do that by asking the right questions,” she said. “That is my key message to the market – we have to ask questions about all the extensions that we are packing into a cyber policy.” Looking at the emerging trend of different coverages within a cyber policy, she noted that it’s not a negative move as long as that exposure is being thoroughly underwritten – which means asking the right questions in order to obtain the right risk information.
“As long as we have risk information, we can underwrite each and every risk, but we should not forget to ask for this risk information. Because if you don’t understand a risk, how can you effectively underwrite it? And if you don’t ask the question, you can’t understand the risk. So, don’t be afraid to ask questions because any risk can be insured if the right questions are asked, and the right risk information is available.”
