Munich Re: Cyber Risks and Trends 2023

Source: Munich Re | Published on May 3, 2023

Future cyberattacks will be increasingly accelerated by key technology trends such as artificial intelligence like ChatGPT, the so-called “metaverse” and the expanding worlds of IT, Internet of Things (IoT) and operational technology (OT). All these converging technologies offer great opportunities for society, businesses and governments, though new attack surfaces, vulnerabilities and systemic risks will continue to emerge at the same time. The human factor will remain an encumbrance to cybersecurity. As a result, phishing, social engineering and business email compromise (BEC) are likely to remain successful attack vectors.

In addition to the growing sophistication of cyber-criminal activities, organisations worldwide face greater exposure than ever to geopolitical conflicts, which are already starting to have an unprecedented impact on cybersecurity. Awareness, understanding and preparation are vital in this context, as our Global Cyber Risk and Insurance Survey 2022 as well as the Cyber Threat Outlook 2022 have already shown.

Cyber risk management is core in a digitised world. Since cyber insurance is an essential part of this, demand continues to grow strongly. Facilitating a sustainable cyber insurance market remains a key task for the insurance industry.

Currently, 4.7 million experts worldwide are working in the cybersecurity field, trying to limit the global costs of cybercrime. These costs are expected to surge in the next five years, rising from US$ 8.44 trillion in 2022 to approximately US$ 11 trillion in 2023, and potentially reaching approximately US$ 24 trillion by 2027. However, as predicted by the (ISC)² Cybersecurity Workforce Study, a skills shortage still exists, with a gap of 3.4 million cybersecurity workers needed to adequately protect organisations, and this gap will not be closed in the near future. In particular, niche talent – to secure cloud environments or OT, for example – is scarcely available. Our cyber and risk management experts predict that this shortage of talent, increasingly complex systems and digital infrastructures, the growing impact of geopolitics on cyber risk, as well as established cyber hazards, will result in a turbulent threat landscape for 2023 and beyond. Let us look at each in turn.

Geopolitical cyber risks 

The extent to which cyber risks will accelerate is underlined by the geopolitical risks deriving not only from the Russian invasion of Ukraine but also from further afield. Going forward, this conflict and global powers jockeying for position will be a key driver of cyber (in)security and will make a systemic, catastrophic cyber event more likely. Munich Re anticipates that the targeting of critical infrastructure, intellectual property or processes like governmental elections, which in 2023 alone will take place in around 70 countries, will be part of these geopolitical cyber risks. Of particular concern is that nation-state threat actors will increasingly dedicate resources to cyber research and development, for example, to find and exploit zero-day vulnerabilities. In addition, the situation becomes particularly threatening for all affected parties if tactics, techniques and procedures of nation states are adopted by “commercial cybercrime actors”. We will likely see advanced targeting of satellite technologies, producers and operators. The sophistication and scope of disinformation and destabilisation efforts will increase through the use of machine learning, AI, deep fakes, chatbots, social media and other digital channels. This will create an unprecedented threat for societies and governments.

As regards cyber warfare, it is important to state that risk transfer is not possible. There is clear alignment across the insurance industry sector to exclude warfare – this also needs to be unambiguously applied for cyber as is done in all other lines of insurance business. Munich Re supports initiatives to overhaul existing exclusion terminology. These revisions will add more clarity and transparency for all market participants. In order to better prepare society and the economy for cyber warfare scenarios, Munich Re is actively consulting and supporting governments and insurance bodies in promoting the establishment of effective public-private partnership solutions.

Ransomware

In terms of threats for businesses and individuals, ransomware will remain the primary loss driver in 2023, and very likely also beyond. The numbers are significant. According to Cybersecurity Ventures, ransomware will cost its victims approximately US$ 265 billion annually by 2031. The situation is made more worrying by some emerging trends. Alarmingly, our experts are seeing a trend towards data destruction rather than encryption, the pretence of data theft as a new successful form of extortion, and a concentration of ransomware attacks on cloud infrastructure. In addition, the alarmingly specialist expertise of cyber criminals and the ongoing sophistication of services like reconnaissance-as-a-service will enable the unscrupulous to attack with greater precision.

From the beginning of 2020 until 31 March 2023, the Munich Re Data Analytics Team observed that ransomware was, by far, the leading cause of cyber insurance losses. While business and professional services was the industry with the highest number of overall claims, the financial impact by market loss was heaviest on the finance industry.

Supply chain 

The supply chain will remain the preferred vehicle for threat actors, especially because the number of critical bottlenecks and systemic risk targets (e.g. cloud services) is on the rise, due to the rapid deployment of digital products, services and interconnectedness. According to Gartner, by 2025, 45% of organisations worldwide will have experienced attacks on their software supply chains, corresponding to a threefold increase since 2021.

Going forward, transparency for risk owners with regard to interdependencies within their own critical assets inventory and the supply chain will be crucial, which is why more and more organisations will procure mission-critical software solutions that mandate software-bill-of-materials (SBOM) disclosure in their licence agreements. Munich Re expects and welcomes that cybersecurity will become a key determinant in business relationships. It is obvious that full protection will not be possible. But a change of mindset to see investment in cybersecurity not as a burden but rather as a business enabler that fosters digital business and limits the impact of a possible attack needs to occur in every organisation and at its business partners and suppliers.

Data breaches and liability

Once again, Munich Re expects dynamic activity around data breaches and liability in 2023. Projections from “AWS’ Security Predictions for 2023 and Beyond” suggest that 463 exabytes (EB) of data will be created in 2025, creating a vast universe of opportunity for those with ill intentions. Biometric data, in particular, will in future likely attract considerable attention from malicious actors. In addition, legislation and awareness will inspire higher customer expectations regarding data protection.

The gravity of these trends is indicated by the reality that, by the end of 2023, experts estimate that modern data privacy laws will cover the personal information of three-quarters of the world’s population. One possible immediate result is that privacy legislation violations due to wrongful collection of data may become as prominent as privacy breaches. According to the Munich Re Data Analytics Team, privacy violations by industry are currently most common in the finance sector, followed by public authorities/NGOs/non-profit organisations, utilities and healthcare.

The world of “connected things”

Having already touched upon critical digital bottlenecks, there is one sector that cannot be overlooked in this context, namely the world of connected devices. According to IDC’s “Internet of Things Ecosystem and Trends”, there will be 41.6 billion connected IoT devices generating 79.4 zettabytes (ZB) of data by 2025. These devices and cyber-physical systems will improve efficiency, flexibility and redundancy, but they will also increase the return on investment for developing tools to exploit these internet-facing devices. The latter is underlined by Gartner, which estimates that the impact of attacks on cyber-physical systems will reach over US$ 50 billion by 2023.

This trend is becoming more critical as we observe an ongoing convergence between the “worlds” of IT and OT. And as already stated, the geopolitical situation will bring OT and critical infrastructure, in particular, into the direct line of fire.

Sustainability, sufficient capacity, expertise and innovation will drive cyber insurance

Munich Re has invested significantly in the cyber market from the outset and has established a leading global position through appropriate know-how, modelling, internal processes, tools, networks and guidelines. At Munich Re, we support insureds in building the resilience and responsiveness necessary to combat cyber risks. Our approach is centred around the aim of facilitating a sustainable and profitable cyber insurance market together with our clients, in order to let them grow their businesses with confidence.

The insurance industry welcomes the provision of further cyber risk capacity through increased ILS and capital markets capacity backing. Recent developments by policy makers are also a promising step in the right direction: in the wake of the latest geopolitical situation, the US government is considering the possibility of a cyber insurance backstop or public-private partnerships to cover areas of particular relevance to society. The role of finance in developing societal resilience to cyber risk is capable of further growth. ILS vehicles are just one example of how. By their nature, however, some limits must be left to political decision-making, which should lead to new forms of cooperation between public and private actors for the sake of society. However, digital sovereignty and security will not come without a cost to society. The insurance industry will continue to be a strong driver when it comes to increasing and improving cybersecurity and fostering digital business models.

Is cybersecurity set to become as important as ESG? 

Digitalisation cannot be separated from our private, professional and political activities – it is an ever-present feature of the modern world. It must therefore become a key consideration across the board. As a consequence, sources like the World Economic Forum are already demanding that cyber risk protection become an essential consideration for organisations, akin to environmental, social and governance (ESG) factors.

Cyber readiness and resilience are already playing a key role for stakeholders such as rating agencies, investors and analysts. In this context, it is not about adding a further layer of compliance and complexity – the development merely follows the logic of safeguarding essential business operations. Since the latter is clearly the most important return on cybersecurity investment, Munich Re welcomes such discussions.

Our key take-aways for future readiness

Building resilience and cybersecurity remains fundamental to the successful digitalisation of the economy. While full protection will never be possible, every organisation can limit the impact of cyberattacks to fully take advantage of the benefits of modern technologies. Our take-aways based on the 2023 threat outlook:

  • Combine new technologies with a strong cybersecurity culture
  • Continually increase resilience and preparedness
  • Invest in cybersecurity and reap the associated return
  • Build up strong networks, share and make use of data
  • Integrate cyber insurance solutions