'We haven't seen the full scale of AI yet': AXA XL warns UK cyber risk is only growing

69% of experts in the UK list cyber among their top five risks

By Emily Douglas

This article was created in partnership with AXA XL.

In a world in which change is the only constant, anticipating and understanding potential future risks is essential in order to address and resolve them. For over a decade, AXA XL has detailed these risks in depth in its annual Future Risks Report - an all-encompassing reflection of the risk landscape, complete with insights on how best to mitigate them.

In this year’s report, cyber ranks as the third highest global risk - something that is equally reflected in the UK market.

“[Cyber] is most certainly a key concern for UK businesses,” added Vanessa Leemans, Head of Cyber, UK & Lloyd’s at AXA XL. “Our Future Risks Report also found that 69% of experts in the UK chose it among their top five risks. [What’s more], UK cyber risk awareness is growing due to the number of recent incidents involving well-known UK businesses.”

While the cyber insurance market is well established in the UK, threat actors are continually honing their own capabilities and the increased use of new attack techniques means that the risk landscape is always shifting. According to IBM, the global average cost of a cyber breach in 2024 was $4.9 million, a 10% increase compared with the previous year. Furthermore, a SoSafe report predicts that the global cost of cybercrime will reach $10 trillion this year.

“As the threat environment evolves, the cyber insurance market in London, and worldwide, must remain focused on sustainability and building up the expertise and knowledge that will help clients face the challenges on the horizon,” added Leemans.

‘We haven’t seen the full scale of AI yet’

For UK businesses, it’s a case of adapt and evolve to these threats or risk falling victim to increasingly sophisticated attacks. As Leemans told IB, as with all areas of business and society, the rapid development of artificial intelligence solutions is having an impact on both the cyber threat landscape and on clients’ capabilities to build cyber resilience.

“We haven’t yet seen the full scale of what AI could be capable of in terms of cyberattacks. But it’s possible, for example, for attackers to reverse engineer some of the cybersecurity patches that have been published. While we haven’t seen claims stemming from this method, it is just one example of how the cyber risk is likely to change - and will continue to evolve.”

There are several other evolving risk areas that AXA XL and its clients are monitoring closely. For instance, attackers are becoming more adept at bypassing multi-factor authentication (MFA) controls. Here, Leemans explained that it’s important that clients explore the use of more advanced MFAs that use contextual data like location, time of day and user behaviour patterns to assess risk.

“Cloud attacks are another growing concern,” she told IB. “Clients are stepping up their defences against these threats by using multifaceted approaches combining security tools and processes.”

Zero-day vulnerabilities, where a security flaw is discovered by an attacker but is unknown to the software vendor, meaning no patch or software update is yet available, are another risk area that clients are addressing by having a zero-day patching strategy.

“Attacks on vendors continue to pose a threat to companies,” Leemans explained. “We encourage our clients to conduct thorough assessments of vendors to identify potential vulnerabilities.

“Our cyber services are built on four pillars: services that focus on prevention by assessing security maturity level, identifying risks and defining a cyber security strategy; services that support preparation by identifying vulnerabilities and anticipating attacks; services that prioritize protective efforts and build robust defences around critical assets; and services that help to respond, recover and emerge stronger after an incident.”

UK Cyber Security & Resilience Bill: A step in the right direction?

With such threats only continuing to increase, both in terms of number and intelligence, lawmakers are keeping a cautious eye on any developments. Regulatory changes in the UK are shaping the evolution of cyber insurance, helping organisations see that coverage isn’t just a ‘nice to have’ benefit - it’s a legal must.

“One risk area is the proposed UK Cyber Security & Resilience Bill, which was introduced to Parliament on 12th November,” added Leemans. “The proposed new laws will place obligations on IT providers and supply chain partners supporting critical infrastructure. The Bill proposes mandatory reporting standards for medium and large companies providing services like IT management, IT help desk support and cyber security to private and public sector organisations like the NHS, will also be regulated for the first time. As a result of this, organisations operating in the UK need to ensure that they have effective security programs in place to comply with the requirements.”

Leemans sees this time as an opportunity for insurers to help clients not just transfer cyber risk, but to actively support them in shaping cyber resilience strategies.

“The risk picture is shifting; there is definitely more to come,” she told IB. “It’s beneficial to all concerned if we can work with our clients to help them on a journey of continuous risk improvement.

“As human vulnerability remains a risk and the deepfake threat becomes more sophisticated, we urge our clients to take a comprehensive approach to training colleagues. This can mean providing phishing-awareness education using real-life case-studies, among other things. The use of unique passwords and MFAs must be essential practice. And companies should have structures in place to enable colleagues to report suspected deepfakes or other security concerns.

“Our clients are also using new tools to better understand and monitor their risks. More are now using inside-out scanning, which enables them to have a more continuous risk management view, compared with outside-in scanning which tends to give a view at one point in time. Cyber insurance solutions are valuable in helping clients to assess and manage cyber threats. It goes beyond risk transfer and provides clients with a suite of services to help them prevent, prepare for, protect against and prevail over cyber threats.”

What does the future hold for cyber insurance?

And looking ahead to what will really define the cyber insurance landscape in the next five years, Leemans was clear on one overriding point - that preparation is the only path to success.

“As we face the future, the evolving threat means it is vital that cyber insurers continue to conduct rigorous risk assessments, remain focused on underwriting discipline and keep a close eye on our risk aggregation to manage exposures,” she told IB.

“This will facilitate a sustainable cyber insurance market which is what all of us - clients, brokers, insurers and reinsurers - want and need.”
