A recent Geneva Association report warns that cyber incidents are growing more frequent, sophisticated, and costly while many firms still have persistent gaps in cyber hygiene and risk management. It underscores the urgent need to strengthen resilience, with cyber insurance playing a critical role.
The Geneva Association noted that intensifying geopolitical tensions and deeper digital interdependence are increasing both the frequency and intensity of cyber risks. The median annual loss from a cybersecurity breach has risen 15-fold over the past 15 years, from $190,000 to nearly $3 million.
Cyber risk is increasingly recognised as a core operational concern. Yet many incidents still stem from basic, preventable vulnerabilities—such as phishing attacks, weak passwords, unpatched software, and misconfigured systems—highlighting persistent gaps in cyber hygiene and risk management.
The report stressed that understanding cyber resilience goes beyond conventional risk management and the actions firms take to limit potential losses. Resilience also requires attention to how firms prevent, absorb, and recover from disruptions.
The Geneva Association described cyber insurance as a potentially powerful, though still under-realised, governance mechanism—one that can positively shape firm behaviour, incentivise risk prevention and mitigation, and provide critical expertise and financial support when incidents occur.
While the market for cyber insurance has expanded rapidly over the past decade, adoption remains low in many sectors, leaving gaps in firms’ ability to prepare for and respond to complex cyber threats. This is particularly concerning for small- and medium-sized enterprises (SMEs), which are increasingly targeted by cyberattacks but often lack the resources to build robust internal capabilities.
Estimates suggest that only around 10% of SMEs globally have cyber insurance, and in some countries the figure could be much lower, especially among the very smallest firms.
Expanding the resilience benefits of cyber insurance will require greater awareness of the prevention and response services embedded in policies.
Moreover, stronger coordination between insurers, policyholders, technology providers, and governments will be essential to improve understanding of interdependent cyber risks and support solutions that strengthen system-wide resilience.
The report emphasised that by helping establish and reinforce widely adopted standards of good cyber hygiene, cyber insurance can evolve into a more trusted and effective mechanism for building resilience across companies, industries, and economies.
Jad Ariss, Managing Director of the Geneva Association, said, “In today’s geopolitical environment, cyber risk is no longer just an IT issue – it is a core business and economic risk. Cyber incidents may be inevitable, but their impact is not. Cyber insurance can play a critical role in strengthening resilience – helping firms prevent incidents, manage disruptions, and recover faster. Unlocking that potential will require closer collaboration across industry, technology providers, and governments.”
Darren Pain, Director of Research at the Geneva Association and author of the report, added, “Cyber insurance already contributes to resilience through underwriting standards, incident-response services, and claims support. However, many policyholders, particularly SMEs, underuse the preventative services embedded in their policies. Increasing awareness and utilisation of these capabilities could significantly strengthen firms’ ability to withstand and recover from cyber incidents.”





