Moody’s global cyber survey finds 50% rise in cyber insurance premiums

Moody’s Investors Service has released the results from a 90-question survey about cyber insurance buying trends.

Cyber-security’s enterprise-wide visibility has improved while budgets have grown 70% in the last five years, according to Moody’s 2023 cyber survey.

Advanced cyber practices remain out of reach for many issuers, the study noted, and survey responses raised questions about the effectiveness of some cyber initiatives.

Companies and organisations face lurking challenges, according to Moody’s, including a growing cyber-security talent shortage, and the advent of generative artificial intelligence, which will introduce new risks.

Cyber managers have an increasingly important role, the ratings firm said; In 2020, Moody’s reported only 61% reported to a C-suite individual, up to 90% in 2023.

Key Findings

• Budgets are on the rise while C-suite visibility of cyber risk has also markedly increased
• Growing costs are putting pressure on budgets — and some responses have cast doubt on how the efficacy of certain cyber practices implementation
• Between 2019 – 2023, cyber budgets rose by 70%. There was considerable variance in growth rates among respondents, but budgets were up overall, and significantly for most sectors. Budgets for corporates grew the most — up 100%.
• Cyber insurance premiums increased by a median of 50% across the board between 2020 and 2022. Healthcare, housing, and higher education issuers reported a 94% increase.
• In our prior survey only 61% of cyber managers were reporting to a C-suite individual, i.e. CEO, CFO CIO etc. In this survey, 90% of issuers said their cyber managers were reporting to C-suite individuals.
• Despite 464,000 people joining the cybersecurity profession between 2022 and 2023, the shortage of cybersecurity talent continues to deepen, resulting in a global cybersecurity workforce gap of about 3.4 million.

“While cyber budgets have risen, so have requirements. For example, cyber insurance premiums rose by a median of 50% between 2020 and 2022, according to respondents, after a steep increase in ransomware attacks during the pandemic,” said Leroy Terrelonge, vice president and analyst, cyber credit risk, Moody’s Investors Service.

The study, with more than 1,700 global respondents, gauged cybersecurity practices among global debt issuers.

“Two-thirds (66%) of respondents said they are required to report cyber incidents that do not lead to a breach of personally identifiable information, such as names, passport data, or biometric records,” said Tettenlonge.

The rating agency collected data on emerging cyber risk that carries the potential to influence the credit profile of all debt issuers.

“This figure will likely rise as legislators and regulators worldwide tighten disclosure rules. A high share of respondents (80%) said that new vendors whose personnel or products had access to their in-house computer systems required a risk assessment from the cybersecurity team in all or most cases. However, the number dropped to 63% for the regular monitoring of existing vendors – indicating a potential area of vulnerability,” Tettenlonge added.