With his ear to the ground on underwriting trends, regulatory developments and the constantly developing risk horizon, Mauro Marongiu, Alta Signa Technical Head of Cyber Underwriting, provides an update on Europe’s cyber trends and outlook for Q1 2024.
The cost of cyber attacks on the global economy in 2023 is estimated to top $10.5 trillion. It’s a huge toll by anyone’s standards, and the threats faced by governments, businesses, infrastructure managers and individuals will continue to evolve in new ways in 2024.
Across Europe, cybersecurity is becoming a strategic priority integrated into board-level decision-making, with an expected increase in board members with expertise in cybersecurity by 2026. As we head into 2024, the dialogue around cybersecurity in Europe is constantly developing - and the insurance sector continues to innovate in response.
The evolving risk landscape
Many commentators are predicting a challenging security landscape in 2024, fueled in part by the increasing productivity of developers using AI and the emergence of equally powerful AI-enabled attackers. Cyber security analysts highlight generative AI as a key trend to watch, for instance, with the growth of sophisticated AI-powered attacks matched by AI-based defence mechanisms such as real-time anomaly detection and automated incident response.
Social engineering attacks, particularly phishing, are also predicted to become more sophisticated with the help of generative AI tools, requiring organisations to focus on awareness, education, and the use of AI and zero-trust approaches for defence.
Meanwhile, the increasing number of connected devices poses a growing risk from cyber attackers, particularly in the context of remote work. Weak security protocols and passwords in consumer IoT devices are identified as potential vulnerabilities.
To add to the myriad of risks, state-sponsored cyber attacks are also anticipated to increase globally, especially during major elections. And these are just four examples of the developing frontiers of cyber threats.
Distinct from cybersecurity, the conversation around cyber resilience is now front and centre - focusing on ensuring continuity of operations even in the event of a successful breach. Developing agile recovery capabilities will be a strategic priority.
The zero-trust security model will dominate conversations in 2024, emphasising continuous verification. This demonstrates an evolution into a more adaptive and holistic approach, integrating AI-powered real-time authentication and activity monitoring.
Cybersecurity professionals are expected to take on more complex roles, requiring not only technical skills but also soft skills such as communication, relationship-building, and problem-solving.
Governments and regulators of course recognise the risks posed by cyber threats, leading to the emergence of new regulations to enhance national security and economic growth.
Indeed, 2023 saw the release of a draft of new European regulatory proposals and reports, which shed light on several key trends that are set to continue to evolve over the coming months, demanding our attention:
The European Directive on Security of Network and Information Systems (NIS Directive) aims to achieve a high common level of cybersecurity across all Member States. The revised directive known as NIS2 came into force on 16 January 2023 and extended the scope to new economic sectors.
Meanwhile, the proposed Cyber Resilience Act (CRA) and Cyber Solidarity Act (CSoA) aim to enhance vulnerability management further. At the same time, the establishment of an EU vulnerability database and coordination efforts marks a positive stride toward a mature vulnerability disclosure ecosystem.
The EU's move to introduce cybersecurity labelling rules, as outlined in the EUCS, signifies a comprehensive approach. The proposal, extending requirements to banks and airlines, indicates a commitment to securing various industries. However, concerns have been raised about potential discrimination against foreign cloud providers, affecting sectors beyond tech giants.
Despite these strong policy signals, a recently released cybersecurity investment and vulnerability management report by the European Union Agency for Cybersecurity (ENISA) underscores the mismatch between the growth in cybersecurity investment and the scale of the threat.
Collected from a total of 1,080 Operators of Essential Services and Digital Services Providers from all 27 EU Member States, the data in the ENISA report shows that there was a 0.4% increase in IT budget allocation year-on-year in 2022, despite a 25% rise in the cost of major cyber incidents. Notably, vulnerability management emerges as a critical focal point.
In the transport sector, meanwhile, the patching of critical vulnerabilities is a concern, with 51% of organisations requiring a month for resolution. The slow response time raises questions about the agility needed in addressing evolving threats.
Juhan Lepassaar, Executive Director of ENISA, emphasises the importance of managing vulnerabilities alongside "secure by design" initiatives. In addition, the report highlights talent shortages reported by 83% of organisations, revealing a human resource gap that intersects with effective vulnerability management.
The focus from policymakers on closing vulnerability gaps, detecting, and disclosing cyber breaches is pivotal. The persistent cyber threats in Italy, for instance, exemplified by the Wikiloader malware deployed by the TA544 group, emphasise the need for continuous vigilance. The malware's sophistication, observed in its evasive manoeuvres, highlights the evolving tactics of cyber adversaries.
Growth Opportunities: Navigating the Cyber Insurance Market
Despite the high risk environment, Q4 2023 witnessed stable cyber insurance pricing, attributed to increased competition among insurers. Notably, ransomware coverage exclusions are diminishing, reflecting improved risk quality and insurer flexibility. However, caution is warranted, questioning the wisdom of moving towards systemic loss events.
Notably, the financial services sector's exposure to cyber threats is driving demand for cyber insurance protection. Regulatory developments and evolving macroeconomic trends pose challenges, especially for insurers dealing with consumer business and high net worth individuals.
Despite market softening, the cyber insurance sector remains dynamic, with first-time buyers and companies taking advantage of favourable economic conditions to acquire additional capacity. Thanks to independent MGAs offering expert underwriting and local presence for enhanced distribution, the European insurance market can address specific, unique and complex cases not covered by traditional insurance markets.
Here at Alta Signa, we pride ourselves on working with non-traditional sectors or within the new economic environment on previously hard-to-place risks, providing carefully considered tailored solutions on a case-by-case basis. We are seeing increasing demand from both capacity providers and local broker networks for this focussed approach to cyber risks.
As we navigate through 2024, the convergence of regulatory frameworks, market dynamics, and emerging threats necessitates a holistic and adaptive approach to cybersecurity. The pursuit of resilience, innovation, and collaboration will be instrumental in safeguarding digital ecosystems across Europe.