Cyber catastrophes prompt
a second look at connectivity
By Joseph S. Harrington
“Having too much interconnectivity is not good.” That statement by Jeff Kulikowski, executive vice president and cyber/professional liability lead for Westfield Specialty, might be a little jarring to some people. After all, for some 30 years, public and private enterprises have striven to develop ever more integrated network connections within their organizations and with outside partners.
Kulikowski was referring, however, to the recent increase in “cyber catastrophes,” attacks and outages that affect numerous organizations and trigger millions in cyber insurance losses. Since May 2023, there have been at least four cyber events in which insured losses on a “significant number” of policies exceeded $800 million.
Large cyber-loss events to multiple users were actually more common in the early 2000s before falling off from 2009 on. The number of such events increased again in 2022 and 2023. While the overall level of losses remained low, the impact on affected operations and their insurers has prompted a re-evaluation of risk management. (For a view of the trend, see the chart in “Recent cyber catastrophes show an intensifying trend—but they are manageable” on theloop.ecpr.eu.)
Kulikowski says the latest spike in cyber catastrophes shows the impact of having so many companies relying on the same cloud-based, third-party software providers to host critical applications. “About 10 years ago, the word of the day was ‘interdependency,’ and having access to everything all from one spot. People are now realizing the dangers that can arise from interdependency. We’re seeing a lot more segmentation of data and applications.”
“Cyber operations carry the risk of systemic, large-scale losses that impact numerous insureds simultaneously,” says Kurtis E. Suhs, CEO of Concierge Cyber. “These losses often stem from shared vulnerabilities across software platforms, cloud providers, third-party applications, and supply chain partners.”
What’s driving growth?
Suhs cites “increased digital dependency” as one of the leading factors for growth in cyber insurance.
“Growth is driven by evolving cyber threats, regulatory pressures, and increasing awareness of the financial and operational impacts of cyber incidents,” he says. “With the introduction of artificial intelligence, insurers are experiencing rising frequency and severity of ransomware claims and business email compromise.”
Suhs adds that demand for cyber coverage is also driven by cloud services and third-party supply chain partners, as well as contractual mandates for the coverage, especially in the technology, healthcare, and finance sectors.
“We are increasingly seeing cyber insurance as a required coverage in contractual language,” says Steve Robinson, national cyber practice leader for Risk Placement Services (RPS). That’s not a new trend, but one that’s apparently becoming more pervasive.
“The biggest reason for growth in the cyber market is the rapid evolution of technology and the growing reliance on it for day-to-day operations,” says Heather McDermott, specialty lines underwriter at Irwin Siegel Agency. “As the threat landscape intensifies, organizations are turning to comprehensive cyber policies for financial protection and partners who can help them manage operational disruption, reputational damage, and regulatory exposure.”
What’s holding growth back
As of mid-2025, “cyber insurance growth has slowed down and stabilized compared to the previous three to four years,” says Gavin Reed, head of underwriting for North America at Resilience, a provider of cyber risk solutions. “Around 80% of mid- to large-sized companies are buying cyber insurance,” he adds, “so the market is not completely saturated, but moving towards that level.
“In the smaller business sector, studies show roughly around 50% have some degree of cyber coverage. So there’s obviously room for a lot more growth there.”
For that segment, Reed notes that “there’s been a lot of progress in streamlining the cyber underwriting process, yet there are still security control requirements many small companies cannot meet to even be able to buy cyber insurance.”
Moreover, “premiums are down a lot from where they were two or three years ago, but pricing is still seen as prohibitive” by smaller accounts, Reed adds. “We’re in a scenario where claims frequency and severity are increasing but rates have been coming down,” an indication of potential trouble ahead for providers of cyber insurance.
Although “digital dependency” characterizes almost every enterprise to some extent today, McDermott’s colleague at Siegel Agency, specialty lines underwriter Ariel Hunt, still finds “lack of awareness and understanding” to be restraining growth in cyber insurance from what it could be. “Some organizations don’t realize their exposure,” Hunt says. “Others believe an attack won’t happen to them. Still others may not have the money for insurance they have not previously purchased.”
According to Robinson, “Many businesses still incorrectly assume that broad cyber risk coverage exists in traditional P&C policies. Working with brokers who specialize in cyber insurance can go a long way to help overcome this knowledge gap.”
“About 10 years ago, the word of the day was ‘interdependency,’ and having access to everything all from one spot. People are now realizing the dangers that can arise from interdependency.”
—Jeff Kulikowski
Executive Vice President and Cyber/Professional Liability Lead
Westfield Specialty
Spending money so you can buy
For non-specialists, purchasing cyber coverage is different from purchasing other types of insurance in that applicants often have to implement changes in systems and protocols to buy the coverage.
“Insurers are running system scans on prospective insureds to detect vulnerabilities to be corrected before placing coverage,” Hunt says. “Addressing these vulnerabilities is usually in the best interest of the carrier and the client, but some applicants are hesitant to implement the required improvements due to their cost or reluctance to modify operations.”
Since its introduction in the mid-1990s, cyber insurance has matured as a line of coverage but still has—and may always have—characteristics of a newly emerging line. Among other things, despite steps taken to standardize the coverage offered in cyber policies, there is still a lot of variation among cyber policy forms, according to Kulikowski.
“While threat actors are utilizing AI to deploy attacks, cybersecurity software is incorporating AI-powered defenses to detect anomalies and respond on the fly.”
—Steve Robinson
National Cyber Practice Leader
Risk Placement Services
“There’s still a tremendous difference among primary forms, which is one thing that’s really holding this product back,” he says. “There have to be variations because of the unique nature of this coverage,” he adds. “Coverage is consistently expanding and the landscape is changing so rapidly that it takes a while to reach consensus about what’s covered.
“The exposures we addressed about 10 years ago, such as third-party cyber breach response costs, have all become pretty standard. Now there’s a lot of confusion around the type of insuring agreements used for business interruption coverage.”
Cyber insurance is also unique for the manner in which the hazards threatening data and networks evolve over time. As system administrators learn to deal with certain threats, new ones are developed by cyber intruders.
“Around 80% of mid- to large-sized companies are buying cyber insurance, so the market is not completely saturated, but moving towards that level.”
—Gavin Reed
Head, Underwriting for North America
Resilience
“Within a couple of years or months of the appearance of a ransomware variant with a new tactic, there’s usually a solution found for it,” says Kulikowski. “So hackers have to consistently evolve their attacks and methods of intrusion, and we have to update policies to make sure that we’re still addressing the potential risks that businesses face.”
AI arrives
The scope and scale of cyber exposure will grow, perhaps exponentially, as artificial intelligence is deployed through networked systems.
“Threat actors are using AI to create more sophisticated attacks,” says Suhs. Apart from more sophisticated use of established cyber hazards—deepfakes, automated credentialing, and social engineering—AI is introducing new causes of loss.
“Model poisoning” is an AI-driven attack method that distorts data in the training function of a large language model (LLM), the self-learning core function of AI. The attack seeks to alter or distort the model’s output. Model poisoning is one of several types of “injection attacks,” wherein malicious data is introduced into a system with the aid of AI.
Insurers and insureds are not sitting back, however.
“AI has quickly become a useful tool not only for adversaries, but also for underwriters,” says Robinson. “While threat actors are utilizing AI to deploy attacks, cybersecurity software is incorporating AI-powered defenses to detect anomalies and respond on the fly.”
For more information:
Concierge Cyber
conciergecyber.com
Irwin Siegel Agency
siegelagency.com
Resilience
cyberresilience.com
Risk Placement Services
rpsins.com
Westfield Specialty
westfieldspecialty.com
