Cybersecurity is a leading concern for risk managers as AI-related cyber risks surge, and despite growing investments, many businesses still lack comprehensive cyber insurance, according to a Nationwide survey.

The study found that 82% of risk managers express serious concerns about potential future cyberattacks, citing the rise of generative AI (GenAI) and post-pandemic technological shifts as major contributors to increased cyber vulnerabilities.

GenAI scams and fraud are now a prominent worry, with 77% of risk managers highly concerned and 24% reporting GenAI’s involvement in recent cyberattacks.

Cyber insurance is increasingly viewed as essential, with 68% of companies carrying policies and 99% of risk managers stressing its importance.

Nearly all managers (94%) said they are comfortable with their policy coverage, and decisions about cyber insurance are often made in collaboration with Chief Information Security Officers (CISOs).

However, cyber insurance renewals have become more challenging, with 36% finding it harder to renew coverage and 95% relying on brokers to navigate the renewal process.

Risk managers are adapting by regularly updating their coverage, with 65% increasing their cyber insurance limits or retention over the past two years.

Chad Graham, Cyber Incident Response Team (CIRT) manager at Critical Start, said cyber insurance adds significant value to an organization’s overall cybersecurity strategy by helping mitigate financial risks.

“It can cover substantial costs associated with data breaches, ransomware attacks and other cyber threats, including legal fees, notification expenses and compensation for affected parties,” he said.

He noted cyber insurance also supports business continuity by covering losses due to business interruption, helping companies recover operations more quickly after an incident.

Policies often provide access to cybersecurity experts, legal counsel and public relations professionals, offering valuable assistance during and after a cyber event.

“This support can be crucial in navigating regulatory compliance challenges, as insurance can cover fines, penalties and the costs of meeting regulatory requirements following a breach,” Graham explained.

Cybersecurity Investment Ramps Up

Businesses are ramping up cybersecurity investments, with 70% of risk managers expecting IT budgets to grow over the next three years.

The report reveals that cyberattacks have impacted 62% of businesses, with 25% experiencing an attack in the past year alone.

Among these, more than three quarters (78%) saw their business operations disrupted, and 74% endured notable financial setbacks.

Recovery times were significant; 76% of affected businesses required over a month to restore operations, while more than a third needed over four months.

Dimitri Chichlo, CISO at BforeAI, said large corporations struggle with a continuously expanding threat landscape driven by the rapid pace of digital transformation and increasing interconnectivity of systems.

“Key challenges include the complexity of their IT infrastructure, which often spans over multiple environments, from cloud to on-premise to hybrid,” he said.

This complexity makes it difficult to maintain a unified security posture and quickly identify vulnerabilities.

Additionally, large corporations face regulatory pressures to protect sensitive customer and corporate data, requiring constant adaptation to new compliance standards.

“The scarcity of skilled cybersecurity professionals makes their task even harder,” Chichlo added.

Compliance Adds Layer of Difficulty

Graham said navigating the complex web of regulatory compliance across different jurisdictions adds another layer of difficulty, as companies must secure their systems while adhering to varying legal requirements.

“Dependence on third-party vendors and partners introduces additional risks, particularly if these external entities have weaker security measures,” he said.

Insider threats, whether from negligent or malicious actions by employees or contractors, also pose a significant risk.

“Managing and securing the vast amounts of data generated daily can overwhelm existing security infrastructures, making it challenging to identify and respond to threats promptly,” Graham said.