Cyber risk is no longer a niche concern but a mainstream business issue affecting organisations of all sizes. As digital systems become more embedded in daily operations, particularly for small and medium-sized enterprises (SMEs), farms, and individuals, the need for tailored cyber insurance solutions has grown significantly.
Cybercrime has surpassed the drug trade as the largest illicit economy globally, representing a multi-trillion-dollar industry. The ecosystem behind it is highly organised, with specialised actors working in tandem to exploit digital vulnerabilities. This complex environment poses a particular challenge for smaller organisations that often lack the sophisticated defences of large corporates.
Despite the overall growth in the cyber insurance market, estimated at over $10 billion and expanding at 25% annually, the vast majority of cover is concentrated among corporates. Nearly all large firms now maintain cyber insurance, while adoption among SMEs and microenterprises remains low. For instance, cyber cover penetration for micro, farm, and personal lines sits at under 10%. This gap presents a clear opportunity for insurers to design fit-for-purpose products for these underserved segments.
Insurers with cooperative or mutual models are often at the forefront of addressing this gap, reflecting their commitment to serving local and specific communities. These organisations are responding by developing simplified products, sometimes embedding limited cyber cover within standard commercial or home policies to increase uptake. This is particularly important for markets like Sweden and Finland, where microenterprises form a significant portion of the economy.
A major challenge lies in making cyber risks understandable and relevant to smaller policyholders. Incidents such as ransomware attacks on agricultural robots in Finland and Sweden illustrate how cyber threats are no longer confined to digital-only businesses. Even feeding or milking systems on farms have become vulnerable due to increased automation and remote access.
Another critical area of development is the intersection of cyber insurance and regulation. With increasing digitalisation, new regulatory regimes, such as the EU’s NIS2 directive, are influencing both policyholder obligations and insurer liabilities. Insurers are navigating overlapping regulations and reassessing policy wordings to clarify what is and isn’t covered.
One pressing concern for the industry is systemic risk and the potential for large-scale cyber events. Accumulation risks are inherent when a single software provider or third-party service is used across multiple insureds. This interconnectedness means a single event—like a vulnerability in widely used software—could trigger simultaneous claims across a portfolio. Insurers are increasingly turning to advanced modelling and catastrophe bonds to manage this exposure, as well as strict policy design and exclusions, particularly around ransom payments.
While ransomware remains a significant issue, its dynamics are changing. Large corporates have become less frequent targets due to improved defences, shifting the focus of attackers to SMEs, where defences are generally weaker. However, the frequency of attacks does not always correlate with insurance adoption, partly due to a lack of reported claims and of general awareness.
There is also a growing interest in personal cyber insurance. Some insurers are beginning to incorporate this into household policies, with coverage extending to issues like identity theft and cyberbullying. The inclusion of digital risk mitigation services—such as dark web monitoring and credit alerts—adds value for consumers and helps demonstrate the relevance of cover.
However, pricing in the cyber insurance market remains volatile. Following significant losses from ransomware in the early 2020s, rates surged but have since softened, particularly in European markets. Competition, increased capacity, and a lack of major catastrophe events have contributed to downward pressure on premiums.
Another concern is the moral hazard associated with ransomware coverage. Some argue that insuring ransom payments may encourage attacks. In response, some jurisdictions and insurers have chosen to exclude ransom payments entirely, often in line with regulatory guidance. Nevertheless, attackers continue targeting businesses regardless of whether ransom is covered, suggesting the link between coverage and attack frequency is not straightforward.
A consistent theme across the sector is the importance of risk mitigation. Many insurers provide pre-breach services, security tools, and educational resources as part of their policies. These are essential for smaller clients who may lack the internal expertise to implement best practices independently. However, adoption remains a challenge, and efforts are underway to simplify and customise guidance based on each client’s specific risk profile.
Overall, the cyber insurance sector is evolving rapidly. The path to greater resilience lies in more inclusive product design, deeper customer education, clearer regulation, and smarter accumulation management. The cooperative and mutual sector continues to play a leading role in this transformation, leveraging its close relationships with policyholders to pioneer sustainable and accessible cyber risk solutions.
Speakers:
- Osamu Asari, Executive Director, International Cyber, Gallagher Re (UK)
- Matt Cullina, Head of Global Cyber Insurance Business, Cyberscout (A TransUnion Brand, USA)
- Eero Järvenpää, Development Manager, Cyber Insurance, LocalTapiola (Finland)
- Paul Henderson, Specialty Treaty Underwriter, Beazley (UK)
- Stefan Jonsson, Head of Reinsurance, Dina Försäkringar (Sweden)





