25 Nov, 2025
By Ben Dyson

Passengers wait at Brussels Airport on Sept. 20, 2025, after a ransomware attack on the Collins Aerospace MUSE check-in system caused disruption. Source: Dursun Aydemir/Anadolu via Getty Images.
A spate of cyberattacks across a range of industries this year has not produced sufficient claims to harden the cyber insurance market.
The attacks include a series of incidents affecting UK retailers, a production-stopping hack at vehicle manufacturer Jaguar Land Rover Automotive PLC and a ransomware attack on a check-in system that disrupted three European airports. UK retailer Marks & Spencer Group PLC confirmed that it recovered £100 million from its insurers, for example. However, the payouts are not considered significant enough to move the market overall.
"It is very hard to predict, but it does not look like [cyber insurance] is going to be more expensive again," said Nir Perry, founder and CEO of insurance-focused cyberrisk modelling company Cyberwrite. "We haven't seen a loss that is that critical that the pricing has moved up yet."
This year's highest profile cyberattacks also have not caused insurers to pull back from the affected industries.
"I've not seen any of our insurers come out and [say] 'That's it. No more UK retail or no more manufacturers ... or no more aviation, no more airports [or] airlines,'" Will Slater, an executive director at insurance broker Arthur J. Gallagher & Co.'s UK-based specialty business, said in an interview.
Near misses
Cyber insurance prices have been in a prolonged period of softening after the market hardened sharply in 2020 and 2021 in response to the increasing frequency and severity of ransomware attacks. Price increases slowed in 2022 and early 2023 and have fallen consistently every quarter since the third quarter of 2023, according to insurance broker Marsh's global commercial insurance market index. Global cyber rates have dropped 6%, 7% and 6% in the first, second and third quarters of this year, respectively, Marsh's index shows.
Insurers have picked up losses over the years, but they have typically been modest. The most significant cyberattack to date remains the NotPetya incident in 2017, which cost insurers more than $3 billion.
Despite the headlines and costly disruptions affecting companies, this year's attacks have left the insurance market mostly unscathed, in part because not all losses are insured.
Jaguar Land Rover Automotive PLC (JLR) reportedly did not have cyber insurance in place at the time of its Aug. 31 attack. The company restarted manufacturing on Oct. 8, but that meant it made no automobiles in September and fewer than usual in October. The company reported a loss before tax and exceptional items of £485 million during its fiscal second quarter, which runs from July 1 to Sept. 30, compared with a profit of £398 million in the same quarter of 2024. It attributed £237 million of the profit hit to reduced sales volume because of the cyberattack. In addition, the company took an exceptional charge of £196 million for costs associated with the attack. Revenue fell by £1.58 billion to £4.90 billion from £6.48 billion.
The attack will also hit third-quarter results. Overall, the stoppage prevented the company from producing around 50,000 vehicles, and the company took a sales volume hit of around 20,000 in the second quarter, Richard Molyneux, JLR's CFO, said on an earnings call for parent company Tata Motors Passenger Vehicles Ltd. JLR faces a further "considerably smaller" exceptional charge related to the cyberattack, but the big effect would come from sales volumes, Molyneux said.
"We do not comment on commercial matters such as these," a JLR spokesperson said in an email when asked whether the company had insurance or would now seek to buy cover.
Coverage gaps
While Marks & Spencer has recovered £100 million from insurers, that only covered part of its loss. Excluding insurance recovery, the cyberattack resulted in a £324 million hit to adjusted profit before tax in its fiscal first half, and it incurred a further £101.6 million of incident-related costs that were excluded from the adjusted profit.
In an email, a Marks & Spencer spokesperson reiterated that the company had "appropriate insurance in place."
UK retailer Co-operative Group Ltd. expects its April cyberattack to cut full-year profits by £120 million, with an £80 million loss for the first half of the year, according to the company's accounts. However, the company may not be fully insured. Co-op CFO Rachel Izzard told Reuters in September that the retailer had coverage for the front-end aspect in place to respond to the attack but is not making claims for losses.
The insurance implications of the ransomware-fueled disruption to European airports in September remain unclear. The attack hit a system called MUSE, provided by Collins Aerospace, which allows multiple airlines to share check-in desks. Defense contractor RTX Corp., Collins Aerospace's parent, in a Sept. 24 SEC filing said the affected instances of MUSE were running on "customer-specific networks" rather than the company's. The incident is not expected to have a material impact to the company's financial condition or operations. RTX did not return a request for further comment.
It is unclear whether the affected airports have cyber insurance or whether the disruption would trigger it. The three airports most affected — the UK's Heathrow Airport, Belgium's Brussels Airport and Berlin Brandenburg Airport in Germany — either declined or did not respond to requests for comment.
Lessons across the board
The MUSE ransomware attack was another example of a cyberattack disrupting services used by a range of people and companies. It follows the 2024 attacks on health payment processor Change Healthcare and car dealership software provider CDK Global LLC, the non-malicious outage at cybersecurity firm CrowdStrike in 2024 and an attack on Microsoft's SharePoint service this year.
The MUSE attack "is the kind of event cyber (re)insurers watch closely: many small-to-mid claims across dozens of cedents from one vendor outage," William Altman, head of cyber threat intelligence services at cyberrisk modelling company CyberCube, said in emailed comments.
"One of the main things that really concerns insurance boards is a systemic event that is due to a single point of failure, and this is exactly what we've seen here," Perry said of the MUSE attack. While the industry scans the horizon for the next big cyber-catastrophe, events such as MUSE, CDK, SharePoint and CrowdStrike "are what insurance companies should really be worried about," Perry said.
"I think that's what we can learn from [the MUSE] event so far: that those smaller events are happening more and more," he added.
With the market softening, risks that were once excluded from or rarely covered in policies may become covered, resulting in greater exposure for insurers in the future. Non-IT supply chain cover, for example, which covers losses from cyber disruption to any of a policyholder's suppliers rather than just technology vendors, was once hard to come by for companies in the aviation sector, Slater said. With the market now soft, that cover "is readily available to airlines, airports and the aviation sector," he said.
For insurance buyers, recent attacks have revealed big gaps in coverage.
"If you are a board member and you are buying directors' and officers' insurance, but you are not buying cyber insurance, I don't think you are doing your job," said Perry, adding that companies are more likely to face a cyber intrusion than a fire but "everybody has fire insurance."