SecurityBrief US - Technology news for CISOs & cybersecurity decision-makers

Geneva Association urges firms to use cyber insurance

Tue, 31st Mar 2026

Cyber incidents are rising in frequency and cost, with median annual losses increasing fifteen-fold over the past 15 years to nearly USD $3 million, according to new research from the Geneva Association.

The findings point to a widening gap between escalating cyber risk and the level of preparedness among firms, particularly small and medium-sized enterprises that often lack the resources to manage complex attacks.

The report describes a threat environment shaped by expanding digital interdependence and geopolitical pressures. Businesses rely more on cloud infrastructure, third-party vendors and interconnected systems, which increases exposure to cyber incidents.

Artificial intelligence is also reshaping the threat landscape. While it can strengthen defences, it is also used by attackers to automate and scale attacks. This dynamic has widened the attack surface across sectors.

Despite these developments, many successful breaches still originate from basic weaknesses. Weak passwords, unpatched systems and phishing remain common entry points for attackers. These gaps suggest that a significant portion of cyber risk remains preventable.

Resilience focus

The report frames cyber resilience as a broader capability than traditional risk management. It defines resilience through three core functions: prevention, absorption and recovery.

Prevention focuses on reducing the likelihood of incidents through security controls and monitoring. Absorption refers to limiting operational disruption and financial impact during an attack. Recovery centres on restoring systems and operations while managing reputational damage.

This framework reflects a shift in how organisations approach cyber risk. Instead of treating incidents as isolated events, firms are encouraged to plan for continuous disruption and ensure business continuity under stress.

Insurance role

Cyber insurance is positioned as a tool that supports this resilience model. It has developed beyond a basic risk transfer mechanism into a broader service offering that combines financial protection with operational support.

Policies now often include pre-incident services such as vulnerability assessments, threat intelligence and security guidance. These measures aim to improve cyber hygiene and reduce exposure before an attack occurs.

Post-incident support is also a core component. Insurers provide access to digital forensics teams, legal advisers and communications specialists to manage breaches and accelerate recovery.

"In today's geopolitical environment, cyber risk is no longer just an IT issue – it is a core business and economic risk. Cyber incidents may be inevitable, but their impact is not. Cyber insurance can play a critical role in strengthening resilience – helping firms prevent incidents, manage disruptions, and recover faster. Unlocking that potential will require closer collaboration across industry, technology providers, and governments," said Jad Ariss, Managing Director, Geneva Association.

Market gaps

Despite its expanding role, the adoption of cyber insurance remains limited. The report estimates that only about 10% of SMEs globally have cyber insurance cover.

This low uptake leaves many firms exposed to financial losses and operational disruption. SMEs are increasingly targeted by cyberattacks, yet often lack internal cybersecurity capabilities and formal risk management structures.

There are also structural challenges within the insurance market. Insurers face difficulties in accurately pricing cyber risk due to limited data and reliance on self-reported information. Traditional underwriting methods struggle to keep pace with the evolving threat landscape.

Policy complexity is another barrier. Firms may find policy terms difficult to interpret, which can discourage uptake. Concerns about sharing internal data with insurers also affect adoption, as some businesses fear it may lead to higher premiums.

Claims evidence

The report finds that cyber insurance is effective in covering losses when policies are in place. Around 92% of notifications of potentially covered cyber incidents fall within policy coverage.

For SMEs, insurance payouts cover close to 70% of total incident costs on average. This level of support can be critical for smaller firms with limited financial buffers.

The underwriting process itself can also influence behaviour. Firms seeking coverage are often required to meet baseline security standards, which can drive improvements in cyber defences.

Policy shift

The report calls for changes across the insurance ecosystem to address these gaps. Insurers are encouraged to simplify policy language and streamline underwriting processes to make coverage more accessible.

There is also a push towards greater use of real-time data in risk assessment. Partnerships with cybersecurity firms and cloud providers could enable continuous monitoring and more accurate pricing models.

Government involvement is identified as another factor. Improved information sharing between public agencies and insurers could strengthen threat intelligence and support consistent cybersecurity standards.

"Cyber insurance already contributes to resilience through underwriting standards, incident-response services, and claims support. However, many policyholders, particularly SMEs, underuse the preventative services embedded in their policies. Increasing awareness and utilisation of these capabilities could significantly strengthen firms' ability to withstand and recover from cyber incidents," said Darren Pain, Director of Research, Geneva Association.