AI, Cyber Risk, and Insurance: Protecting Multinationals in 2025
The technology adds as many problems as it solves.
Artificial intelligence can be both a curse and a savior for corporate executives intent on protecting sensitive business and customer data from the onslaught of cyber risks bombarding today’s business world.
AI systems can help multinationals shield themselves against attacks, offering stronger capabilities to assess threats and automate company defenses, while improving the speed of post-breach responses. Yet, AI also lowers the barrier for attackers, giving bad actors without high-tech expertise the ability to launch sophisticated assaults. “AI is a double-edged sword,” says Peter L. Miller, president and chief executive officer of The Institutes, a not-for-profit in Malvern, Pennsylvania, that operates in the risk management and insurance area. “It is accelerating market innovation, but it’s also a force multiplier for cyberrisk at an unprecedented scale.”
Darren L. Pain, director of research at the Geneva Association, a Zurich-based think tank for the global insurance industry, adds that malicious actors can weaponize and poison AI models used by companies, which raises concerns about model accuracy and outcomes. Hackers can use AI tools to create convincing phishing emails, fake websites and even deepfake videos to inject malicious prompts or codes, he says. “This allows cybercriminals to craft personalized, realistic messages and methods that bypass traditional detection mechanisms,” Pain says.
That means managing AI risk has become a top issue for corporate boards. “Large organizations continue to purchase cyber coverage, focusing on catastrophic risk, as cyber is now increasingly viewed by their boards as an operational risk, on par with weather and political unrest,” says Bob Parisi, head of cyber solutions – North America, Munich Re Facultative & Corporate.
As a result, the cyber insurance market has grown to meet emerging AI risks, as well as the data breaches and IT outages that accompany the digitalization of business and society. According to the Geneva Association, global premiums for cyber insurance increased tenfold, to $15 billion, in the decade ending in 2023, up from $1.5 billion in 2013. Munich Re expects global gross cyber premiums to reach $16.3 billion by 2025, as premiums continue to grow and more companies adopt detailed coverage in the years to come. The German-based reinsurer expects average annual growth rates of 10% until 2030.
Although the use of cyber insurance is relatively stable among large multinationals, especially those domiciled in the United States, a 2024 survey of risk managers conducted by the risk brokerage firm Aon reveals a significant degree of underinsurance in cyber coverage. The results showed that less than 20% are carrying cyber coverage, compared to 60% with property insurance. “That’s despite cyber being assessed as having a higher probability and severity of loss than property,” says Rory Egan, head of cyber & analytics within the Global ReSpeciality business of Aon’s Reinsurance Solutions unit in London.
“Cyber rates can change quickly in response to new loss trends that may emerge.”
Rory Egan, Aon Reinsurance Solutions
Parisi says today’s cyber insurance coverage is exponentially broader than the product first offered 25 years ago. Coverage terms have become more consistent in recent years as insurers have adopted more standardized terminology. “However, that is not to say that the market is so settled as to fail to respond to new or expanding risks like AI and quantum computing or the resurgence of privacy perils, stemming from biometrics and an active regulatory environment,” he adds.
According to the Insurance Information Institute (Triple-I), an insurance trade association, insurers are meeting policyholders’ needs by adding clearer language around AI-related exposures and tightening or clarifying exclusions and conditions for state-sponsored/nation-state attacks and war/hostile acts. Insurers are also changing how business-interruption losses are measured after cyberattacks. Availability and limits have generally improved even as insurance underwriters demand stronger controls and carve out, or clarify, the exposures deemed ambiguous. Yet the typical coverage components remain: Firstparty cover for the policyholder can include compensation for forensics, data restoration, business interruption, ransomware payments, and crisis public relations. Third-party coverage helps compensate insureds for the costs associated with notifying customers of privacy breaches; regulatory defense; fines where they are insurable; media liability and network security liability.
Gerald Glombicki, a senior director in Fitch Ratings’ insurance group in Chicago, agrees that cyber coverage is constantly responding to evolving threats. “Cyber is a very bespoke product line,” says Glombicki. “No two policies are alike within the same industry, and if comparing policies in two different industries, there are often night and day differences.”
Yet not all sectors face cyber risks—and any subsequent need for coverage—equally. Critical energy and infrastructure sites operated by governments face the greatest exposure as outages or delays in service “can impact not only quality of life but potentially life itself,” Glombicki says. Sectors that are more lucrative for the hacker, such as financial institutions, are also a greater mark. The Triple-I cites the healthcare industry, with its patient data and critical services, and manufacturers using operational technology and industrial control systems to monitor and manage industrial processes and machinery, among other high-risk industries. “However, anything connected to the internet is a target,” Glombocki points out.
More Capacity And Stable Premiums
Fortunately for multinational buyers, insurers and reinsurers are not facing capacity constraints right now, therefore premiums are still declining after nearly tripling in 2021 and 2022. Egan says rate reductions of 10% year-over-year between 2022 and 2024 have slowed to 5% this year. Corporate buyers can expect flat to a slightly downward movement in premiums if current claim trends continue. “However, cyber rates can change quickly in response to new loss trends that may emerge,” he adds.
Geneva Association’s Pain says rates could also increase as coverages extend into other sectors and countries, “as firms’ and individuals’ awareness of cyber exposures rises and recognition of their degree of underinsurance grows.”
Pain points out that insurers rely on reinsurers to lay off peak cyber risks and avoid straining their own balance sheets. While estimates vary by year and country, Pain estimates primary insurers cede about 50% of their cyber premiums to reinsurers, far more than other lines of insurance. “And reinsurers remain cautious about the scale of losses that could result from a major cyber incident, including an accidental single point of failure,” says Pain, pointing to the CrowdStrike outage in July 2024 as an example. [On July 19, 2024, a single content update from CrowdStrike, a cybersecurity software company, caused more than 8.5 million systems to crash, including hundreds of Fortune 1000 companies. The incident was estimated to cost insurers around $1.5 billion in payouts, under business interruption, cyber and system failure coverages.]
“Any bunching of cyber incidents also raises the prospect that reinsurance might be unexpectedly triggered if a collection of cyber incidents were to happen within a single treaty period,” says Pain.
To meet the market’s anticipated demand for greater capacity, experts say alternative risk transfer mechanisms can play a role.
In a report issued in December 2024 by the Geneva Association, “Catalysing Cyber Risk Transfer to Capital Markets: Catastrophe Bonds and Beyond,” the authors examine how these risk transfer alternative mechanisms, including insurance-linked securities (ILS), such as cyber catastrophe bonds, can help spread these risks onto the financial markets.
“Cyber is a very bespoke product line. No two policies are alike within the same industry.”
Gerald Glombicki, Fitch Ratings
Although involvement in the cyber-ILS market is increasing, the authors note that investor appetite is hindered by uncertainties related to potential large-scale cyber exposures, variations in insurance policy language, and liquidity concerns. “The market’s growth will likely hinge on its ability to attract additional capital beyond the insurance and reinsurance sector to absorb potential unexpected losses,” Pain says.
