Reinsurance News

UK cyber insurance market becomes increasingly “buyer-friendly”, Marsh

14th June 2024 - Author: Jack Willard

The UK cyber insurance market has become increasingly “buyer-friendly”, with an abundance of capacity and intense competition among insurers driving rate decreases, according to Marsh’s Q1 2024 cyber insurance report.

At the same time, generative AI (GenAI) continues to be a rapidly evolving risk, with its impact on cybersecurity under scrutiny in 2024.

According to the firm, during the first quarter of 2024, organisations strengthened their cyber risk management with more effective, data-driven controls, which ultimately led to decreased rates, improved terms and conditions, and an increase in underwritten business by insurers.

However, despite a buyer-friendly insurance market, cyber threats remained significant and persistent, and insureds experienced a number of large ransomware and privacy losses.

Moreover, a UK Government survey published in April 2024 showed that half of all businesses and 84% of large businesses reported some form of cybersecurity breach or attack in the preceding 12 months.

Back in March, a number of major retailers and fast-food chains across the UK were affected by IT outages. Marsh notes that while there was no evidence to suggest they were caused by malicious actors, the widespread disruption underscored the dependence on technology in the modern business age.

Returning to AI, Marsh explains that cybercriminals are already leveraging AI to automate and facilitate threats.

Additionally, cybersecurity software providers are reportedly adopting AI technology to detect and mitigate attacks more effectively, such as filtering out phishing scams from emails.

The report also highlights that during the first quarter of 2024, cyber insurance rates for Marsh’s UK clients with annual revenues of over £200 million dropped by 12% on average compared to the same quarter in 2023, with primary layers decreasing by 10%.

This was the second consecutive quarter in which the market experienced double-digit rate reductions.

During Q1 2024, 24% of clients expanded their overall limits, and 17% increased their primary layers. In addition, 74% experienced premium decreases in the quarter, while 6% saw their premium unchanged and 21% paid more premium.

Marsh also explained that throughout the last decade, organisations have adopted technology at an accelerated pace, including digitally controlled operational technology, Internet of Things (IoT) devices, and business communication systems.

The COVID-19 pandemic supercharged the onboarding of technology into nearly every aspect of life, given the need to be able to work and operate remotely; however, this also increased vulnerabilities.

“The increased surface area for attacks has allowed cybercriminals to exploit vulnerabilities in ways that were previously not possible. Upon gaining access to systems, cybercriminals are able to inflict greater damage and, in the case of ransomware attacks, make increasingly large extortion demands, which can drive up claims costs,” the report reads.

Furthermore, extortion following ransomware attacks among Marsh UK clients increased by over 300% in 2023, compared to 2022, with encryption used less and extortion after data theft being the focus.

One of the primary causes of cyber incidents continues to be human error, says Marsh.

Last year, there was a spike in the volume of cyberattacks in the legal and education sectors, with businesses successfully targeted by phishing emails.

However, this year, Marsh noted there has been a wider range of cyberattacks affecting a broader spectrum of industries. This includes zero-day exploits, which are anticipated to persist due to their efficiency in accessing and monetising data.

The company also stated that claims notifications related to ransomware incidents are expected to be consistent for the rest of the year and into 2025; however, there has been a general decrease in ransom payments being made.

An increase in phishing emails and business email compromise is also expected as threat actors continue to leverage GenAI, which can automate the process of sending phishing emails, personalise emails, and generally make them more sophisticated and far harder to detect.

Marsh concludes by noting that smaller organisations lacking robust cybersecurity controls may pose a risk to the entire supply chain if they suffer a cyberattack.

As GenAI models continue to advance, organisations may need to address the potential for unexpected corporate liability emerging from the use of these models in their operations, customer services, and products.