2025 J.S. Held Global Risk Report: Managing Cyber Risk

J.S. Held

Introduction

Cyber incidents such as the 2024 attack on Change Healthcare, which compromised the personal information of over 100 million people, highlight the evolving nature of cyber threats, which are increasingly risk management challenges driven by disruptive new technologies, including AI. Such incidents can halt operations, prompt regulatory investigations, and result in significant financial costs. They often lead to increased insurance claims and litigation from affected parties, and they open the door to follow-on harms such as fraud committed with the stolen data. The Change case also underscores the steady rise in both the number and severity of cyberattacks and data breaches.

In response to these trends, regulators and legislators, including the US Securities and Exchange Commission (SEC) and the European Union, have enacted new laws and rules protecting consumers, patients, and investors. While the threats continue to evolve and new laws are drafted, organizations are fighting back by adopting stronger controls to meet the minimum cybersecurity thresholds that insurers, regulators, and business partners increasingly expect, typically benchmarked against common frameworks such as the Cybersecurity Framework published by the National Institute of Standards and Technology (NIST) in the US.

Another key question is whether or not to pay a ransom. Companies should ask their insurer whether a payment would be covered by their policy, but paying could also put the company in legal jeopardy: for example, a payment to a sanctioned individual or entity may violate sanctions administered by the US Office of Foreign Assets Control (OFAC), which has stated that it may impose civil penalties on a strict-liability basis. Payment also guarantees neither recovery of the data nor deletion of the stolen copies. All told, the onus is on organizations to act proactively: establish an information security and incident response program, maintain tested backups and recovery procedures, and understand in detail what their cyber insurance covers for data breaches and other cyberattacks.

Managing Cyber: Risks

  1. Disruption of business due to a cyber incident
  2. Litigation and / or reputational damage resulting from a cyber incident
  3. Loss of sensitive data
  4. Growing regulatory and legislative pressures in the US and Europe, including:
    1. The EU’s Network and Information Systems Directive 2 (NIS2), which raises cybersecurity and incident-reporting requirements in essential sectors (e.g., energy, transportation, banking, health, drinking water, digital infrastructure)
    2. The EU’s Cyber Resilience Act
    3. The US Securities and Exchange Commission’s cybersecurity disclosure rules
    4. The US Transportation Security Administration’s proposed rule mandating cyber risk management and reporting requirements for certain transportation owners and operators
    5. The EU’s General Data Protection Regulation (GDPR)
  5. Not having the correct level of cyber insurance coverage – questions to ask include:
    1. Does the company’s cyber insurance policy cover ransomware (including extortion payments and negotiation costs), or is separate coverage required?
    2. Is the insurance suitable for the company’s industry and the data it holds?
    3. Are there exclusions that limit or void coverage if the company is found to be in breach of compliance laws, or of security representations made in the insurance application (for example, that MFA is enforced)?
    4. Are breach notification costs, and the related forensic and legal response costs, covered?

A Closer Look at Cyber Regulations

  • The EU Cyber Resilience Act (CRA), adopted in October 2024 and in force since December 2024, imposes mandatory cybersecurity requirements (secure-by-design development, vulnerability handling, and incident reporting) on manufacturers, importers, and distributors of products with digital elements. Most obligations apply after a transition period, so affected companies should plan for them now rather than when they become enforceable.
  • The US Securities and Exchange Commission’s cybersecurity disclosure rules went into effect at the end of 2023. Yet, companies are still grappling with the requirement that they disclose a material cybersecurity incident on Form 8-K within four business days of determining that the incident is material – the clock starts at the materiality determination, not at discovery, though that determination must be made without unreasonable delay. The question of what types of incidents are considered “material” is still at issue. Additionally, publicly traded companies are required to make annual disclosures about their cybersecurity risk management, strategy, and governance.
  • A proposed rule from the US Transportation Security Administration would mandate cyber risk management and reporting requirements for certain pipeline and rail owners / operators, and a more limited requirement for certain over-the-road bus (OTRB) owners / operators, to report cybersecurity incidents.
  • The EU’s General Data Protection Regulation (GDPR) governs the collection, use, transmission, and security of personal data of individuals in the EU. Among its most significant requirements: every processing of personal data needs a lawful basis (such as the individual’s consent, which must be freely given and specific, and must be explicit for sensitive categories of data), individuals have rights of access, correction, and erasure, and personal data breaches must be reported to the supervisory authority within 72 hours where feasible. Fines of up to EUR 20 million or 4% of total worldwide annual turnover, whichever is higher, may be imposed on organizations that fail to comply.

Managing Cyber: Opportunities

  1. Companies that adopt stronger cybersecurity controls – such as Multi-Factor Authentication (MFA), Endpoint Detection and Response (EDR), immutable or offline backups, and tested incident response plans – will find cyber insurance underwriting easier and be better placed to meet the requirements of external partners
  2. Companies are using artificial intelligence to identify patterns and anomalies in data, detecting fraud and cyberattacks more quickly and at lower cost
  3. Insurance companies are seeing greater demand for cybersecurity and ransomware coverage from organizations in all sectors – however, some carriers are putting more exclusionary clauses into contracts
  4. Companies that map the dependencies between their business processes, systems, data, and third-party providers can see in advance which functions a given compromise would disrupt, and so lessen the impact of a potential cyber incident
  5. Organizations with strong business continuity plans and cyber hygiene may receive better cyber insurance rates

Supporting Statistics

Written by:

J.S. Held