According to Marsh’s Q1 2024 cyber insurance report, the UK cyber insurance market has become increasingly “buyer-friendly”, with ample capacity and intense competition among insurers leading to rate decreases.
During the first quarter of 2024, organisations strengthened their cyber risk management with effective, data-driven controls. This led to decreased rates, improved terms and conditions, and an increase in underwritten business by insurers.
Despite a favourable market for buyers, cyber threats remained significant, with many insureds experiencing large ransomware and privacy losses. A UK Government survey published in April 2024 indicated that half of all businesses and 84% of large businesses reported some form of cybersecurity breach or attack in the past 12 months.
In March, major retailers and fast-food chains across the UK experienced IT outages. While there was no evidence of malicious activity, Marsh noted that the disruptions highlighted the heavy reliance on technology in modern business.
Generative artificial intelligence (AI) also continues to be a rapidly evolving risk, with its impact on cybersecurity under scrutiny in 2024. Cybercriminals are already leveraging AI to automate and facilitate threats, while cybersecurity software providers are adopting AI to detect and mitigate attacks more effectively, such as filtering out phishing scams from emails.
In Q1 2024, cyber insurance rates for Marsh’s UK clients with annual revenues exceeding £200 million dropped by an average of 12% compared to the same quarter in 2023, with primary layer rates decreasing by 10%. This marked the second consecutive quarter of double-digit rate reductions.
During this period, 24% of clients expanded their overall limits and 17% increased their primary layers. Nearly three-quarters (74%) of clients experienced premium decreases, 6% saw no change, and 21% paid more. Intense competition among insurers in the primary space is expected to continue driving down prices over the next quarter, both for primary and excess coverage.
The rapid adoption of technology over the past decade, including digitally controlled operational technology, Internet of Things (IoT) devices, and business communication systems, has expanded the attack surface for cybercriminals. The pandemic accelerated the integration of technology into daily life, increasing vulnerabilities.
Cybercriminals have exploited these vulnerabilities to inflict greater damage and make larger extortion demands, particularly in ransomware attacks, driving up claims costs. The potential financial impact of cyberattacks that disrupt or halt operations remains substantial, making organisations attractive targets for extortion, Marsh said.
Extortion following ransomware attacks among Marsh UK clients increased by over 300% in 2023 compared to 2022, with a shift from encryption to extortion after data theft. Human error continues to be a primary cause of cyber incidents. Last year, there was a spike in cyberattacks in the legal and education sectors, largely through phishing emails.
This year, Marsh noted that a wider range of industries have been affected by various types of cyberattacks, including zero-day exploits, which are expected to persist due to their efficiency in accessing and monetising data.
Claims notifications related to ransomware incidents are expected to remain consistent through 2025, although there has been a general decrease in ransom payments. An increase in phishing emails and business email compromise is expected as threat actors leverage generative AI to automate and personalise phishing emails, making them harder to detect.
Until recently, most insurance claims related to generative AI involved intellectual property (IP) infringement. However, claims activity in this area is expected to expand as organisations integrate AI into supply chain operations, raising concerns about supply chain security.
Smaller organisations, lacking robust cybersecurity controls, may pose a risk to the entire supply chain if they suffer a cyberattack, it was stated. The use of generative AI to automate threats is expected to continue scaling, presenting ongoing challenges for cyber risk management.