Heading into 2025, risk managers are at the forefront of navigating the complex interplay between cybersecurity threats and insurance solutions.
In conversation with Insurance Business’ Corporate Risk, Patrick Costello, co-founder and principal of Evolve MGA, noted that with cyber risks growing in frequency and sophistication, businesses must adopt a layered approach to security.
"Hackers have a number of methods they can use to take advantage of you and your business," he said.
Costello highlighted a variety of tactics employed by cybercriminals, including social engineering, phishing, and ransomware. He pointed out that these represent only a portion of the strategies attackers use.
"Hackers can exploit software vulnerabilities, steal credentials, intercept communication on your network, target your third-party suppliers, exploit IoT devices, or even physically steal sensitive data from devices," he said.
Costello also emphasised the importance of addressing every potential vulnerability to avoid exposure. "If you are not considering all of your points of vulnerability, then you very well may be exposed."
To combat this, layered security has become essential. Costello said that cyber risk managers play a pivotal role in protecting organisations.
"They need to identify vulnerabilities and regularly assess points of exposure," he said. This involves setting up policies that comply with regulations, deploying tools like firewalls, endpoint detection, and multi-factor authentication, and investing in continuous employee training.
Costello also stressed the importance of creating a robust incident response plan and securing appropriate cyber insurance coverage.
In today’s digital landscape, businesses increasingly face overlapping technology and professional service exposures. "There is no doubt that many companies have overlapping technology and professional services exposures," Costello said.
To navigate this complexity, he advised businesses to clearly delineate their revenue streams when applying for tech E&O or cyber insurance policies.
"If the percentage of revenue from professional services is minimal, many markets will add an endorsement that includes coverage for the specific professional service," he said.
For companies with a significant focus on professional services, Costello recommended a different approach. "If the percentage of revenue from the professional service represents the majority of their revenue, the insured should look at purchasing an MPL policy and a cyber policy that covers their incidental tech exposures."
Phishing attacks remain a major concern for organisations and the insurance industry. Costello suggested a combination of training, technical safeguards, and planning to mitigate these risks.
"The best way to mitigate risk associated with social engineering and phishing scams is through a combination of employee training, technical safeguards, and proactive planning," he said.
Costello also emphasised regular phishing simulations and social engineering awareness programs to improve employee vigilance. At the same time, technical measures like email filtering, multi-factor authentication (MFA), and DMARC protocols form a strong defence.
"Real-time monitoring and phishing incident playbooks enable swift detection and response, while access controls and secure communication limit exposure to sensitive data," he said. Costello also stressed the need for vendor risk assessments and penetration testing to strengthen organisational resilience against evolving tactics.
Small and medium-sized businesses (SMBs) often face unique cybersecurity challenges. Costello emphasised three critical measures – MFA, backups, and patching – as priorities.
Costello noted that Evolve MGA supports these efforts by offering vulnerability assessments based on business names and domains, providing SMBs with actionable recommendations. He further underscored the role of risk managers in helping SMBs overcome resource constraints.
"They can identify vulnerabilities through scans or consulting outside firms, prioritise risk-based controls with clear 'must-haves,' and identify cost-effective solutions," he said. Leveraging free or built-in tools, such as MFA options, can make cybersecurity measures more accessible to smaller firms.
As the cybersecurity landscape evolves, Costello also predicted significant changes by 2025.
"Ransomware tactics will evolve, AI and machine learning will be increasingly used to launch more precise phishing and malware campaigns, and the growing adoption of IoT devices will present new vulnerabilities," he said.
On the regulatory front, Costello anticipated broader adoption of GDPR-like data privacy laws and stricter cybersecurity standards in sectors like healthcare and finance.
"More regions will adopt GDPR-like data privacy laws, and in the U.S., federal privacy regulations may emerge," he said.
The demand for cyber insurance is also expected to rise. "Insurers will enforce stricter requirements for multi-factor authentication, endpoint detection, and regular patching," he said. However, increased claims from ransomware and business interruptions may lead to higher premiums and deductibles.
Costello also highlighted a shift toward proactive risk management in the industry. "Policies will increasingly bundle preventive services like security awareness training, vulnerability scanning, and breach coaching," he said. Insurers will also focus more on supply chain risks by assessing the cybersecurity practices of third-party vendors.
To navigate emerging risks and regulatory challenges, Costello advised businesses to enhance their resilience.
"Strengthen security measures like endpoint detection, incident response, and network segmentation, while training employees to recognise phishing and social engineering," he said. Compliance with privacy laws and the implementation of measures like encryption and regular audits are also crucial.
Securing supply chains is another priority. "This involves vendor cybersecurity assessments and enforcement of contractual obligations," Costello said.
For insurers, he recommended strengthening underwriting standards and adopting AI-driven tools to predict and monitor risks.
"Collaborating with regulators to align with mandates and foster public-private partnerships will enhance the industry's resilience and compliance," he said.