Vicky Hughes
Well, hello everybody, and welcome to this latest webinar from ICMIF. We’ll just give you a couple of seconds there for everybody to enter in from the lobby. A very warm welcome to you all from wherever you are arriving in the world today, whether it’s the morning or the afternoon.
Today, as cyber threats continue to grow in scale and sophistication, understanding the latest risks and how to respond to them has never been more important. And today’s webinar is designed to provide practical insight into the evolving cyber threat landscape and what organisations and insurers in particular can do to strengthen their resilience. So, we’re delighted to be joined by ICMIF supporting members Beazley and Cyberscout – A TransUnion Brand. Together they work at the forefront of cyber risk, incident response and recovery, supporting organisations through real world cyber incidents every day. Their frontline experience gives them a unique perspective on emerging global trend and the challenges that organisations are facing and the practical lessons that can be learned and improved for preparedness, response and recovery. So, during the session, our speakers will share insights from recent global cyber incidents, highlight key emerging risks and explore what these developments mean for the insurance sector, and they’ll also discuss how mutual insurers can support their members in managing and mitigating cyber risk more effectively. We’ll be taking questions throughout the session and again at the end, so please do post your questions in the chat function at any time and we’ll address as many of those as we can.
I’m now very pleased to introduce our speakers from Cyberscout in the USA – a TransUnion Brand. I’d like to introduce Matt Cullina, Head of Global Insurance, and Eder Ribeiro, Director, Global Incident Response. And from Beazley in the UK, we have Paul Henderson, Underwriter, Specialty Reinsurance and Inma Parron Sanchez, International Business Manager. We’re delighted to have you all with us today. Thank you so much. And now I’ll hand over to you so the session can begin.
Matt Cullina
Excellent. Thank you so much, Vicky. It’s Matt Cullina here. For those of you who have heard me present in the past, I’ll say it again and again that ICMIF is my favourite insurance organisation in the world. We’ve been supporting members for a number of years and year in, year out, it’s just the best organisation to be a part of.
So thanks for allowing us to present to you all today. As you see here, we’re joined by a real strong group of experts that are coming from different angles on cyber risk and the insurance that’s provided in market. So, we really want your questions, so we’ll try to, you know, basically troubleshoot those as we go, but please, please line those questions up as you hear us present. We’re really going to start talking about things from an emerging risk and trends that we’re seeing, from those risks’ standpoint. And for those of you who have read up on cyber or even offer it to your customers today, cyber isn’t a singular risk, right? It’s a multifaceted risk. And really what you’re going to hear today is kind of what we’re seeing on different fronts, different war fronts around what’s happening with organisations and people as it relates to cyber risk. These digital risks are really financial exposures, they’re reputational exposures, they’re business operational exposures. And the insurance industry, as you probably know, has really stepped up to the bat and tried to tackle all the different exposures with different heads of cover. So even in the insurance product world, these cyber products tend to have 7, 8, 9, 10 heads of cover within the forms, within the policies themselves, really trying to make sure that every aspect is covered. So, what I’m going to do today is start by setting the table to talk probably about the most public aspect of risk and that is data breaches. And so, as you probably know, most countries have passed privacy laws out there that include significant sections that really relate to disclosure if an organisation has exposed people’s sensitive data. The US was really the first country that started this off and now all 50 states in the US, even the federal government, have different laws pertaining to data breach notification. These are sunshine laws. The EU has laws. The Middle East passed laws.
Even India just enacted their law, they’re sunshine laws. So, it really is all about if an organisation has had an event where sensitive data about their employees or their customers is out in the airwaves, threat actors taking control, the data has been exfiltrated, then that organisation has an obligation to report around that event to usually a local regulator and often to the impacted people. So, they’re literally having to communicate with folks about what happened. What I’m showing you today is US specific data, although many of these events are multinational. But, as I said, with US having the oldest privacy laws, we also have probably the most penetration when it comes to cyber insurance sold today. So, it’s really where the cyber insurance products started to originate.
But generally, what you’re seeing here is first half of 2025 data compared over a handful of years, and we’re almost done with getting our research done for the full year, but this is really just first half of 2025. And what you’re seeing is that there’s been a significant increase of the number of data breaches reported. Now this isn’t a be all end all around all the data breaches that have happened in the US. We pulled this from a bunch of data sources. So, it’s our best guess at what the actual number is. But you could clearly show that between 2024 and 2025 the 83% jump in the number of incidents reported. And just to specify, you see one chart showing the primary breaches. So that’s a breach that’s impacting an organisation directly. Third party events are supply chain events. So those are events that are impacting an organisation that then cascades to all of their vendor partners, all of their customers. So, these are more complex events and you see here it jumped 118% year over year on those third-party events. We are managing more of those today and I’ll tell you they are very, very tough to address with all the different folks involved in those events.
Taking a step back, even for our own organisation, this data has proven true for us. In 2025 we started the year handling about 125/130 cyber events, breach events per month and by the end of the year that had jumped to over 250, so the volume of events is definitely on the increase. Now this is a bit of a busy slide but stick with me here. So, this is what I was just showing around the events growing 83%. You see the primary chart, the third-party chart more than doubling and then you know the blended chart again 83% increase year over year in the number of events reported.
So, moving on to the next slide, this is just how many people are impacted per event. And what you see here in the early 2000s that was growing at a significant clip for the first three years of the 2020s and now we’ve seen a considerable drop in the last three years. So, although the volume of events is increasing, the number of people impacted per event, both from an average standpoint, from a mean standpoint as well as from a median standpoint, has been trending downward. So, we wanted to dig into kind of, “OK, well, what does that mean and what are the complexities of these events?” So, this next chart really just shows the most sensitive type of data. So, government ID number, what industries are the most impacted by having the most sensitive data exposed. And we see this in our own shop as well, when we’re working on behalf of insurers that professional groups, lawyers, accountants, doctors, et cetera tend to be targeted because everyone knows that they can’t do business without managing our sensitive data, and they often aren’t probably as prepared or secure as other organisations like financial services companies, for example. So, you see here a significant spike in the number of events impacting both accounting firms and legal firms, so almost 100% jump in legal firms alone. Again, being targeted because everybody knows the type of data they’re housing and how sensitive it is. But the insurance industry also over the last few years has become a top five target. We’ve seen this for the last three years or so that the insurance industry is now being significantly targeted. Last year we saw a number of events caused by Scattered Spider impacting large insurance companies literally in the US and around the world. So definitely a targeted group again because these companies like you all tend to house a lot of significant sensitive data about their customers.
So, moving along, I wanted to show that this is really the number of credentials exposed per event. So again, this is first half 2025 data versus years prior. And what we’re seeing here is that when it comes to a primary event now that’s again a breach impacting one organisation more than half of those events basically involve credentials of four or less exposed. So around 4 credentials exposed, 3 credentials exposed. This contrasts very significantly with third party events. So, as I said, third party events are much more complex and what you’re seeing here is when you get into third party events, more credentials tend to be exposed, 5 or more majority tend to be exposed and including up into the 7, 8+ category. So, they tend to be housing as these kinds of supply chain partners. They tend to house a lot of different data points on people and when it comes to kind of what happens with you or I, if our data is exposed, the more and more credentials a threat actor has, the more and more they can take advantage of our identities, create synthetic identities, etcetera, and really do harm from a financial standpoint. Or simply, move that into a social engineering scam and come after us under fictitious purposes and try to gain access to where we have access, whether it’s our employer, our personal accounts, etc. So again, just in summary, breaches are up by volume. The size of breaches has gone down pretty significantly. The third-party breaches are really becoming a big problem in the market and one big part of that is the number of credentials exposed in those third-party events is quite considerably higher than first party events. So now we’re going to turn it over to Paul and Paul’s going to really get into other kind of cyber trends and emerging cyber trends that Beazley is seeing in the market. So over to you, Paul.
Paul Henderson
Thanks, Matt. So, yeah, so this is just sort of a brief slide and I think this will be a bit of a data off between us and Cyberscout in terms of some of this information we’re providing is some of Beazley’s own internal information from our own sort of claims experience and what we’ve seen within our portfolios. Ransomware increased sharply in August/September and that was a bit of a surprise, but the cyclical nature of sort of ransomware type events isn’t really easily determined. I think, everybody within the industry experienced a huge drop off in ransomware activity when the Ukraine-Russia war first started, but that really is back up to the same level it was previously and is ramping up. I think the way to think about threat actors is to really think about it as a business model, an economic business model that is really trying to derive value from the data that they can obtain and other sensitive information that they can obtain and how they can try and monetise that. Also, from our own stats, we can see that 65% of all the ransomware cases are really focused on three key ransomware pieces of kit that are really being used by the biggest operators, which is obviously creating a lot of success for them. And with that you’ve also seen that there are various vulnerabilities within different types of applications and other sort of service providers who ransomwares have been able to sort of identify weaknesses in those. And then again they are, once you’ve got a good thing going, then it’s very typically, it’s the same playbook every time until that can all be patched up or solved and that is something you know in terms of chief technology officers or companies or even just, you know, information security and cyber security vendors trying to keep their clients on top of this to make sure that they’re as well protected as possible is still the ongoing battle and the challenge.
Similar to Matt’s stats, professional business services firms are the key targets for all of this ransomware again because they’re having huge success here. It’s a playbook that they keep running. And so, from that point of view these organisations have a lot of value, potentially don’t have the strongest of defences as some of the other well noted financial services or indeed healthcare where the sort of numbers in that area are pretty stable. So, I might go to the next slide please. So, I just wanted to sort of talk about a few things that we’re sort of seeing in terms of ways that these threat actors are trying to dupe would-be customers into making mistakes. So, we have what’s known as SEO poisoning, which is search engine optimisation where they’re trying to use engine rankings to get sort of downloadable links pushed up the search engine radar, basically trying to point people to malicious websites. And I think it’s a key thing to remember that with any kind of cybersecurity that the biggest weakness that a company has is its own employees clicking that link and not being aware of any kind of sort of activity that they should think twice about clicking that link for. And by using this, the threat actors are able to sort of get these things downloaded into people’s computer systems and that potentially creates an entry for them. As part of that SEO poisoning, you’re seeing what we call Trojanised tools which are these sites that sort of purport to have sort of downloads of certain applications that are popular and often are business critical and people sort of downloading them and obviously giving them access to what is a claimed site of entering certain credentials and that will also allow them an access point to that.
And then oftentimes it’s through the defence mechanisms, trying to circumnavigate certain portions of cybersecurity, downloading and trying to keep on top of that they can use those types of tools to get people into the wrong type of download and again giving them access when you think you’re doing the right thing. So just making sure that we’re properly keeping everything up to date, keeping all the security patches up to date and ensuring that there’s good level of education within the employees and the workforce is critical to maintaining a very strong cyber defence posture.
Next slide please, Matt. Just wanted to touch a little bit about AI. I’m certainly not an AI expert and I don’t think anyone at Beazley purports to be, but some of the things that we’ve seen, the proliferation of AI throughout various facets of life and including employment and, of course, it’s a very strong and powerful tool and can be used for absolute good, but also for various nefarious means as well. So one of the things that we’ve seen and have witnessed is that Agentic AI powered attacks which are AI agents being orchestrated by the threat actors to try and stage multiple attacks against targets, giving it scripts and allowing it to sort of be self-autonomous in terms of who it targets and discover certain assets and recon for the threat actors. It’s a very lean model in terms of work effort compared to what it was previously. And that in itself means that it can be a really powerful tool and it’s a very difficult tool to be defensive against, certainly if it’s being autonomous and fast and quick, which is one of the biggest challenges that you face with any kind of defence against these types of things. So that is a way that’s enabling the threat actors to be a lot more efficient and productive in terms of what they’re trying to do. And that just heightens the stakes of the game in terms of what companies need to do to try and protect themselves.
With agentic AI, you also have that house within companies who may be using these types of AI agents to run certain decision making within the organisation. So, if you think about Generative AI, which is sort of ChatGPT and the various others that are out there, you’re putting in prompts and it’s generating results and answers. So, a more sophisticated search engine giving you a bit more drill down. What Gen AI is really doing is using those large language models but also introducing decision making into certain processes and that in itself then creates chinks in the armour for any would-be business or insurance company. So, there are good examples within the insurance world where agents are making other claims decisions to make claims payments faster and quicker and a bit more objective. But when you introduce all this and you’ve got an executing AI agent within an organisation, any kind of penetration into those types of agents may trigger certain decision making, which is not necessarily what you want as an organisation. It can also proliferate other decision making within the organisation that can lead to significant outcomes and damage within the organisation. So, we’ve not really seen too many of these yet appear, but on our sort of review of AI and its tools and what would be able to be executed against us tools it’s going to be a challenge to really keep on top of that. And again, it’s another avenue for threat actors to explore and use as a way to gain access to what they want, which is often in the data.
Can you go to the next slide please, Matt? And lastly for me, I just wanted to leave a sort of message around sort of AI readiness. I mean it’s critical that any organisation, so you’re insured, you as an organisation really have an AI plan to make sure that you address what is going to be an emerging threat for you as an organisation and for your policyholders. So, trying to get a clear-eyed goal and strategy, just using AI because AI is not necessarily a good thing. You need to think about what are you trying to build and what problems are you trying to solve with it? I think it’s important to make sure that you sort of compartmentalise these things as well. So, it’s not one big AI solving problem, it’s solving multiple different problems, and it’s all housed slightly differently, so it doesn’t have a huge reach across the organisation. And I think, the other thing is certainly with employees that most people are using some form of AI tool outside of the auspices of work. That in and of itself can cause issues, especially if there’s no policies and procedures around using internal information or data and using an outside AI tool to help them with whatever specific tasks they want, I’m preparing a presentation or reading a report or exec summary that’s been a confidential memo. Once it’s in that orbit, it’s become publicly available potentially because the data is then stored into a large language model. So, it’s important that you as organisations and insurers have a real strong stance on what you think about AI and how you’re going to manage that information. Thank you, Matt. It’s over to Eder now.
Matt Cullina
Well, if I could, just maybe to put a little bit more colour on it for the group here today. I know we talked about a recent large cybercrime claim that Beazley took in. Maybe if you could share that with the group.
Paul Henderson
Yeah. Sure, sure. Thank you, Matt. So yeah, it’s a claim we’ve come across, and it was a very sophisticated claim. It involves roughly USD 3,000,000 of payment to a threat actor, and it was to do with an acquisition of a company the CFO held Teams calls with the account employee with regard to making this payment. The law firm involved in that also that negotiation and contract signing was also involved in those conversations. And the person based in Asia, who was a dual acquisition, an Asian entity, basically went ahead and made the payment according to the instructions that were given via e-mail, but also the Teams calls that they’d been entertained. Unfortunately, the CFO and the law firm were AI created and the interactions were all driven based upon artificial intelligence interactions with this individual. So, this poor employee who believed they were following what was being asked through these Teams calls unfortunately made the payment on the basis of misinformation and obviously it was emails and calls, Teams calls backing up the decision making. So, it was very hard given the level of sophistication of these types of attacks and threat of how difficult it can be to spot these things. But that’s the level that these types of things are rising to in terms of sophistication. The prize had to be worth it from a threat actor point of view. But you do see this across many different facets of size of company, calls that are mimicked or other types of AI type things. So, it affects everybody and AI is helping power this as much as also hopefully helping to defend it.
Matt Cullina
Awesome. Thanks so much. Cautionary tale for sure. So now we’re going to turn it over to Eder. So, Eder, the stage is yours.
Eder Ribeiro
Thank you, Matt. Thank you everyone. And just to echo Matt real quick, it’s always a pleasure to talk to the folks at ICMIF. We’re big fans from these webinar events to in-person events. I know I was just blessed to be in Costa Rica with the ICMIF crowd a few months ago and it really is just the best organisation to be a part of.
So, thank you for the time and thank you, Matt and Paul, for all the amazing information shared. I think there’s a continuing trend here. We’re seeing a lot of novel risk this time around this year, 2025-26 primarily because of AI, Paul just spent a lot of time talking about these AI risks, whether it’s stuff that we didn’t see at scale like SEO, which was a lot smaller, you know any I think anyone could say is certainly a lot smaller orders of magnitude three years ago before these LLM [large language models] became so popular and so a lot of the emerging risks are in the pre penetration as we would normally call on the forensic side, right. So, before they get in the network, hence the penetration language. And that’s in malware development, right? That’s going to be in across a bunch of different things. But often the threat actor end game isn’t exactly as novel, right? So, they’re using new tools, new ways, new tactics, and there’s emerging different risks coming from how they’re getting to the end game. But sometimes the end game, quite often the end game is still the same. We’re still getting, as Paul mentioned in the beginning of his part, ransomware had a big drop during the conflict, the war over in Ukraine and Russia, but it’s certainly skyrocketed right back up and starting to hit leading rates again and it makes folks sometimes think is ransomware still the king of threats? It’s always been the big thing that we always talked about and everyone in the market essentially talked about until AI kind of came along. And so a little bit of where I’m shifting the tone a little bit here is also a little bit of the concept of re-emerging threats.
Some of these threats have not gone away, but they’re coming back with new flavours because they’re now partially powered by AI or powered by different types of automation that are allowing these threats to proliferate at a faster rate than ever before and so for those of you who don’t like cliffhangers, I won’t give you, I won’t leave you one. In my opinion, based on our data and some of what we’re seeing in market, especially when it comes to downstream, mid-market, smaller, micro, ransomware is still king. And that’s because of AI for sure. The ability for threat actors to vibe code, which is like the language of using AI agents to develop code or help you fine tune code. I hate saying things without definitions, so bear with me on that.
So the ability to vibe code has now allowed lower-level associates or affiliates as we call them in the ransomware market to achieve better results. More targets, more complex organisations are now being penetrated by lower-level targets. I mean lower-level affiliates. Because of the innovations that are coming in, threat actors are unburdened by governance, right? So, unlike us, any of us here, who have to worry about regulations, who have to worry about corporate governance, they don’t have to worry about that. So, piracy drives innovation and I can give you stories about how that’s true from the LimeWire days to nowadays. And that just remains a pattern and likely always will be because of just that inherent truth, right? Threat actors don’t have to worry about governance, so they can utilise any tool, whether it’s cloud code or whether it’s some jailbroken version of GPT or some other LLM to help create a better phishing scam, to help create a better modification to a website, thus turning it malicious or create better code, so on so forth. And so, we’re seeing the phishing techniques and we’re seeing some of the core methods still present but being sped up by some of these new technologies behind the scenes. But when you combine some of the new technologies with their tactics, with their lack of governance and thus freedom of operations and then, of course, the industry still hasn’t even caught up to where certain defence technologies should be, such as having immutable and air-gapped backups, meaning backups that cannot be rewritten or overwritten and that are disconnected from the Internet because that way an automated tool, like most ransomware packets, is unable to touch it unless it’s deployed directly in that space, which just creates another layer of separation between your data and the malware that ought to be the standard. That’s the standard that we’ve been preaching for many, many years now.
But the reality, when we look at the claims data, is that most policy holders, when they’re suffering a ransomware incident, they’re not finding themselves in a position where they actually have immutable or air gap backups and that’s why they’re still having to pay ransoms. It’s often why they’re also facing longer business interruption, and so on, and so forth, all the damages that come from having your data encrypted and losing access to your data and being locked up.
So, all of these things still matter. You know, I don’t want to also just talk about threats, I want to remind people that it’s important to think about defences, right? Whether they’re all these emerging threats that we’ve talked about, these escalation tools, efficiency gainers, so on, so forth, they can be combated with immutable, air-gapped backups. They can be combated with tighter user privilege management, meaning zero trust principles, right? Ensuring that you’re locking in access within your domain and the domain is also now extended. So even understanding the domain right, mapping your data and understanding where you have data. I don’t have numbers on this yet and we’re looking at calculating it by empirically, by observation, it’s pretty strong to say that the vast majority of mid-market and below now are pushing data all over the place, which is making mapping incredibly difficult because your small business is getting hit by you know your midmarket and even your enterprise, but it just takes a lot more cost so they’ll get there eventually. But they want to push data everywhere for the utility.
So small businesses just by example will have nowadays a server in the house to manage a couple legacy things and because they just happen to have it, but emails are on cloud, file transfers are on cloud, file management is on cloud, ERM is on cloud. You know, storage is on another cloud. Everything’s in a different place that they don’t own, and they don’t always know exactly how these environments are talking to each other and who has access and privilege and most importantly, elevated access to these spaces. So, maintaining proper privileges is incredibly important, especially nowadays where a single credential might give you access to an entire space. And I’m not even talking about a super admin level credential, but a user may now grant you access to all these different places with all these different data points and all these different cloud locations come with different settings and formats as to how much access can any given user have to data. And so, these are novel ways. We are living in novel times of management of people, management of data which does translate immediately to management of threats, which is a good bridge or a segue to next slide where I want to not just talk about ransomware, but talk about some other AI risks and some other goodies that are still I think super critical for every single business nowadays to still consider because again, it’s easy to lose sight when you’re hearing about prompt injection, which is a newer AI based risk, right? I’m a stickler for definitions. Think of it as tricking the bot to go against its own hardwired commands, right? Paul hinted at some of that, without using the terminology, but it’s widely proven now that most of the major LLMs in the market you can, without being a psychologist of renown, you can give it enough prompt to make it identify its kind of prime directive or its main mission and then give it enough logical traps that it will then create an exception for you.
And once that happens, it’s game over. It’ll start feeding you data. And now it’s just about what data does it have access to.
So, these threats are material. Now of course it requires getting into that LLM, which can be done by getting access to the user’s accounts, right? And that’s where phishing comes into. That’s where SEO comes into, all of these things. So, what does that do? In my opinion, that creates a novel, heightened challenge, which is a material challenge really for less sophisticated teams. Imagine if you’re you know a mid-market manufacturer with a two-person, three person IT team and you have 1,000 users that you have to manage. How do you manage 1,000 people having login problems, having whatever issues coming back from leave, stuff’s expired, so on so forth. But at the same time, you have to understand prompt injection. But everyone wants you to use the newest, shiniest tool because of the efficiency gains. It’s a very interesting time that we’re in right now because of that. And it requires major leadership buy-in. These decisions cannot trickle down like uphill. They have to come down from the top because it requires guidance. And the reason the guidance is so required is because any reacting to these new threats requires resources. Whether it’s in re-shifting data, whether it’s reclassifications of data, whether it’s over overhauling how you know, your user management. All of these things will require time and effort, and it requires also an understanding from the leadership to ensure that AI usage and tool usage is in line with their goals of advancing the companies forward, but at the same time allowing the security professionals to actually do what they need to do. And then I just wanted to hit on a couple things that I just didn’t want to leave without talking about because of the vast majority of our claims to this day are not AI. The majority of the claims are still phishing. It’s still social engineering; it’s still business e-mail compromise.
And again, it’s very easy to see all the new shiny stuff and only look into that and forget that it’s important to have phish resistant multi-factor authentication or MFA. It’s still important to remember that we are seeing hundreds of thousands of dollars in fraudulent funds, funds transfers or FFTs for sure coming out of BECs or coming out of other social engineering, cyber extortion scams. These things are still bread and butter work for threat actors every day, and it’s important that members understand that this is something that they cannot lose sight of because there’s a whole new risk vertical to worry about. It simply means that they have a whole new risk vertical to worry about, it’s a new thing. It’s not a new thing in lieu of an old thing. And same goes to account takeovers. I want to give a special quick oversight to some of the claims that we’re seeing on the micro and small side of the house. These businesses are now utilising social media heavily for direct-to-consumer interactions and direct sales, which means when their Facebook gets compromised and their Facebook market gets compromised or their Instagram gets compromised, it is highly damaging to them. It’s reputational. It has direct sales impact, which really goes to BI and getting access back to these tools can be, for lack of a better term, a nightmare. Proving to Meta that you are who you actually are is not as easy as one may think, and there aren’t dedicated portals for security professionals to go to and convince them that you are who you are. So, you kind of get stuck in line often with everyone else who are also just having random issues with their social accounts. So, it’s very important to lock these accounts up, especially if you’re mid-market and below. And the good news is that the majority of these environments offer really up-to-date high-end phish resistant multi-factor authentication, high security protocols.
I know my own even personal Facebook account is MFA locked, physical encryption key, the whole shebang. Now granted, I may be a little bit of a skeptic because of what we do, but I highly recommend a lot of skepticism is good. So don’t forget that this stuff still matters. And because of all the other things that we covered today, they can get to it faster, they can get to it more effectively and they can get to it in a much more horizontal and a much like kind of bigger net way. And with that being said, I want to again, thank you for your time and that’s what I wanted to speak to you guys again today. Thank you.
Matt Cullina
Thanks, Eder. All right, now we’re going to be getting into kind of, what are we going to do about it, right? We frame the risk out. So, I’m going to turn it back to Paul and Inma to go over a couple slides on that front.
Inma Parron Sanchez
Sure. Hi everyone. For the final section and in line with what Eder just explained, we’ve covered the SME cyber protection gap, how insurance can help to build this resilience. So, across all regions we are seeing cyber insurance penetration gradually increase, but the reality is that SMEs remain deeply underinsured and this is a consistent pattern globally. Most SMEs generally believe they are protected. They think outsourcing IDs, having an antivirus or simply not being a target is enough, but they are not investing in preventive controls, and they can constantly underestimate the operational and financial impact a cyber incident can have on the business and we continue to observe across all markets that what Eder said, human error remains the number one driver of incidents whether through phishing, misconfiguration, weak passwords or accidental data handling mistakes. While preparing for AI is essential, it represents only one dimension of the broader cyber landscape, and as organisations become more digitally dependent, the exposure spans far beyond the traditional threats; cyber risk is no longer an IT problem. We believe it touches every layer of the business operations, supply chains, people, vendors and of course the technology.
So, it’s key that the insurers and the SMEs understand how cyber risk is evolving and expanding. So, we can pass to the next one. So, I’m going to just explain a bit of what is happening in each of the regions. While these things are global, as explained, the dynamic is slightly different in each region. So, awareness levels, penetration and buying behaviour vary and these differences shape how SMEs approach cyber risk. So, in the Middle East, the market remains focused primarily on e-crime. We have been experiencing lately things like funds transfer fraud and invoice manipulation. So, they have brought their cyber adoption is still limited, however, rapid digitalisation means exposure is growing faster than awareness. In LATAM, for example, the region shows the lowest overall penetration, but also one of the highest growth potentials. Awareness remains low and there is a strong price resistance, especially among SMEs. However, despite this, once education and distribution models improve, we believe LATAM could escape quickly. In Europe, the penetration was better than in LATAM, but still nowhere it could be. SMEs remain highly price sensitive and the adoption of the cyber risk for SMEs is often driven by regulation or contractor requirement rather than proactive risk management. We can see that in Europe awareness is improving, but willingness to pay remains very low, so therefore they want to pay for a big protection, very little and there is still a very big significant protection gap in local business, especially in the ones that believe they don’t need it. So, they underestimate the real operational impact of the cyber incident.
In Canada, this is where we see higher penetration, a more mature market, but for SMEs still there are a lot of issues even though awareness is relatively strong. And for this region the opportunity lies in value added service, simplified process and supporting business beyond pure identity.
We come back to the next slide, Matt, please. So just to conclude, in our opinion what has been working well across the markets considering all explained before, in all these regions, certain approaches generate better engagement, better conversation, better resilience, however, simple underwriting, minimal questions, faster decision maker help. While level solution has helped as well distributed through banks, telecommunication companies, association and local insurers where there is seamless customer experience, but also, we have seen as well that it has helped massively the same with lead cyber product, not just indemnity. So, SME vulnerability spans, incident response, support, monitoring, awareness training, and practical tools. So, a service-led approach helps SMEs feel supported and importantly reduces the likelihood and severity of the claims. So, across markets, whether material emerging, the direction is clear and SMEs don’t just need an insurance policy, they need guidance tools and support with their resilience. So, yeah, that’s our very brief [overview] of what we are seeing lately. Thank you very much. And I believe it is now the time of questions, right?
Matt Cullina
Sure. Yeah. And so, as you saw with Inma’s last slide, from experience we have seen that significant marketing and marketing approaches are needed for successful cyber rollouts to emerging markets, especially when we’re talking about policyholders that are micro or small businesses or families and homeowners. This cyber product is unknown to them and even to their agents who may be selling the products to them. So, a bit of a push is greatly needed. And so, there’s different tactics outlined that get you there, but really would like to hear from you. What are you seeing? Are you finding success? Do you have blanketed programmes where you’re rolling out a cyber proposition to a broad audience? Are you selling one at a time? Are you still on the sidelines waiting to figure out what your organisation is going to do about cyber risk? Any and all feedback is welcome.
Vicky Hughes
Well, thank you so much to all four of you. That was absolutely brilliant. And you’ve given our members so many valuable insights there. And yes, so does anybody have any questions for anybody on the panel? Matt would love to hear about questions and feedback about what you’re seeing in your local market, if anybody had anything that they would like to find out more about or any observations they can share. Maybe you’ve given them absolutely everything that they want to know. No, here we have. We have a question here from Chantelle. “I would like to attend a seminar about personal line cyber topic because usually all webinars are about commercial”. So, there’s a comment there.
Matt Cullina
Yeah. And I’ll comment quickly on that. Just what we’re seeing in the market is really when we’re talking to local insurers, about three out of every four is looking to roll out a personal cyber proposition. So personal cyber products are the hot product right now across the globe. We’re seeing in every region of the world outpacing small commercial launches by three to one and really in the US the bit saturated, it’s moving kind of from an ID theft market to a personal cyber market. But rest of world we’re seeing it be kind of the top new cyber product launch and as you’re probably thinking, there are distinctions between what a family’s risk is to cyber versus what a business’s risk is to cyber, and we’re happy to share more details around those contrasts offline.
Vicky Hughes
Thank you, Matt. And we also have a question from Eric who says – “I am curious what people are doing to monitor third party risks. I am using ASM tools but curious if others have found something really good.”
Matt Cullina
Alright, Eder, you’re up.
Eder Ribeiro
Yeah, there’s some usage in ASM tools. It depends on your appetite, depends on your budget. You know, a lot of resources. The reality is a lot of market is doing this through paperwork. They’re doing it through contractual obligations. Whether it’s scheduled auditing, whether it’s duty to report really tight timelines about any incident, whether it’s duty to report and show SOC 2 reports, pen test reports, so on and so forth, their own or your third party security work to give you that little bit of extra safety and then it’s on you to deploy sufficient management of user management technologies, because that’s often where that’s the separation, right? Wherever it is that your environment meets their environment you got to have perimeter defences there and perimeter defence is not like, don’t take that in a firewall capacity. I don’t mean that in a literal technical sense, but I just mean that’s where you have to deploy the guards, that’s the gate for third party that you have to secure. And so that’s also going to vary greatly from business to business, right? If that’s just an API call versus somebody that’s actually remote accessing your environment, those are going to be different tools for different situations. So, in principle, that’s what I can provide from a guidance perspective. And again, from trends, the most popular thing right now it’s based on what we’re seeing is contractual securities for lack of better terms.
Matt Cullina
Thanks, Eder. Maybe going back to the personal cyber topic, Paul or Inma, do you want to talk about your experiences and maybe kind of what that discussion’s like with a cedent who’s interested in personal cyber? What are the key topics discussed?
Paul Henderson
Yeah, sure. I think the, I think one of the challenges in that space is trying to understand and identify what it is you want to sell and what kind of specific products do you want. So, as Matt already said, that the ID theft products have evolved into what we call a more personalised cyber product and it covers very many heads of cover, but includes things such as extortion, home system compromise, identity theft, retail or fraud. So online retail fraud and other types of frauds that might be perpetrated against, cyberbullying is another one. So, from that perspective there’s quite a broad range of cover and each territory similarly to the commercial has a slightly different demand for a different type of products. So, we’re experiencing more demand for sort of fraud led type products where, certainly with banks and insurance companies are trying to work out, well, where’s the gap in coverage? So, banks are a good example where they will only cover certain things and so therefore a consumer might be left out of pocket because the banks are only obliged under the regulations to reimburse for a certain type of fraud. So, this product will fill the gap for that. So that seems to be a feature of some of the decision making there. Cyberbullying again we do talk about quite a lot. It’s quite ethereal in terms of it’s not a first party cover, reimburses for counselling and to help people navigate a difficult situation. So that can be quite emotive. And then identity theft is one of those things. Again, it can be a big issue, but with all the data and the credit monitoring that’s been going on in the world with all the data being accessed, there’s actually I guess a little bit less focus on that than there was previously. So, it really, sort of depending on what type of product, there’s always a price point.
Which is also it’s very price sensitive in different territories and it’s really just trying to understand what the demand from your sort of consumer base is.
Matt Cullina
Thanks, Paul. And Paul, there’s another UK question just popped up. Do you think the JLR cyber-attack in the UK will lead to more companies further down the supply chain purchasing coverage?
Paul Henderson
It’s a very good question. So, I think if you look at the analysis of the attack, I think it’s still early days and trying to establish causation and responsibilities in that specific attack. But my view would be that ultimately JLR were taken down and offline for a certain number of weeks and months, I think, and they couldn’t operate; they couldn’t pay people. And so, the question becomes, what is the product that these other people buy? Does it respond to these issues? Because one of the biggest challenges is that their suppliers weren’t getting paid because they weren’t doing anything and whilst they were non-operational, you had suppliers building up. I guess inventory and also weren’t able to work and get paid also. So, it presented a really interesting dynamic of what a peril or the outcome of a loss could be for an interconnected supply chain like that. So, yeah, so I think one is making sure that you’ve got your own cover, so on the flip side, they bought their own cyber coverage down the line and had dependent BI. Could you interpret the fact that they can supply to their main customer because they weren’t taking deliveries because they weren’t operating? Was that going to be something that’s recoverable under the contracts? And it potentially isn’t because you’re still able to do business, it’s just your customers not paying you and that’s not necessarily something that’s covered under a cyber BI contingent BI loss. But it may be that it’s an add-on or an evolution. The one thing I would say about cyber coverage is that from where it first started to what it looks like today is not unrecognisable, but there’s a lot of new coverages that have been added over this 10-year period where the product’s gone in a completely different direction to where it first started, so. Contingent BI, e-crime, invoice manipulation, all those kinds of things.
So, the product’s been trying to respond to these types of events, and this could be a very good example where a product might evolve to try and meet the demand of what is a specific loss scenario.
Matt Cullina
Yep. And it’s public knowledge we did work on that event. So, the company did do quite a bit from a consumer, customer support standpoint once that breach became public. So, we are seeing, and I’m not sure, Eder can attest, a lot of requirements that supply chain partners have cyber coverage within those relationships. So it’s coming from that angle as well, where there’s some pressure on the smaller vendors to make sure that they have ample coverage in case of these types of events that could be caused by the small fish in the big ponds, so we just have a couple minutes left, so I would love to just maybe have closing remarks. We’re right at the start of 2026, right? So, predictions, thoughts, what you think is going to happen in 2026, both on the risk front and possibly on the coverage front. So, Eder, I’ll start with you.
Eder Ribeiro
On the risk front, I think some of those emerging risks we talked about are going to start to make their way downstream throughout the year. As proliferation of the tools become more popular, the societal pressure to use these tools is going to hit downstream. Then I think we’re going to start to see more of that risk and folks are not even close to being ready to wrap their heads around securing the folks downstream. So I think we’re going to start to see that as the year goes on and ultimately then I think we’re going to see higher level techniques starting to be used against major enterprise, the true automation level stuff that Paul mentioned, I think that’s really coming towards the next few months as some of the tools become even more effective than they are now because one thing about especially AI is just that the order, the rate of improvement is unlike anything we’ve ever seen. And so that’s why you can almost kind of bet on some of these risks making their way into market faster than other risks in the past.
Matt Cullina
Awesome. Thanks, Eder. Inma, you’re up. Final thoughts.
Inma Parron Sanchez
The thing is changing massively. So, we need to, I don’t really know how, I will just say consider what we have mentioned, if the way going forward is to keep protecting your customer, keep protecting yourself in terms of security measures and rely on not getting a salary insurance policy, yeah, that’s what it comes in.
Matt Cullina
Excellent. Thanks, Inma. And Paul, how about yourself?
Paul Henderson
I mean I think sort of to pick on what Eder’s last point was, is that I think we will see some more large corporation issues and sort of take downs. It is a big prize. I think that will still resonate and hopefully that sort of continued activity will lead a lot more sort of SME buyers to reconsider the sort of the value of this product. I think what I would like to change and like to predict for ‘26 is that awareness and acceptability of buying a product like this is a core part of any business’s armour.
And that includes insurance companies and what else and getting deeper penetration into that because overall that will help with the cost for everybody. And the more that we see these types of activities and the more that the people in the cyber sphere can sort of help operate and mitigate these issues as well as solve them, I think is going to be critical to keeping the threat actors at bay.
Matt Cullina
Awesome. And I’ll close by saying, we are seeing a ton of activity in cyber insurance launches and upgrades. Canada is a super-hot market, all across Europe we’re seeing a lot of buying activity and programme rollouts from a number of different partners. The Middle East has been consistently active for the last couple of years as well, followed by Latin America, which we’re seeing some development in as well. So really, it’s across the globe. We’re seeing a lot of things popping when it comes to both small commercial cyber and personal cyber basically growing in market.
So with that, I’ll turn it back to Vicky. Thanks for the crew and to ICMIF for making this happen.
Vicky Hughes
Well, thank you so much everybody for attending today and thank you to our wonderful presenters today, Matt, Eder, Paul and Inma. And if anybody listening, watching this webinar today has any more questions or would like any more information, then obviously everyone’s details are on the screen, so please drop them down and I’m sure they’d be delighted to help you and help you with next steps. So, thank you so much again. Enjoy the rest of your day or evening or wherever you are in the world and we hope to see you soon. Take care for now.