A new Geneva Association report warns that cyber incidents are becoming more frequent, more sophisticated, and more expensive, while many firms still show basic weaknesses in cyber hygiene and risk management. The message is blunt. Resilience needs work, and cyber insurance has a bigger role to play.
The Geneva Association said growing geopolitical tension and deeper digital interdependence are increasing both the frequency and severity of cyber risk.
Over the past 15 years, the median annual loss from a cybersecurity breach has risen 15-fold, from $190,000 to nearly $3 mn.
Cyber risk is now widely viewed as a core operational issue. Even so, many incidents still start with preventable problems, phishing, weak passwords, unpatched software, and misconfigured systems. That points to a stubborn gap in day-to-day cyber discipline.
The report said cyber resilience goes beyond standard risk management or steps aimed only at reducing losses. It also depends on how firms prevent disruption, absorb shocks, and recover when incidents hit.
Geneva Association described cyber insurance as a governance tool with real potential, though one still not fully used.
In its view, cyber cover can shape behaviour, encourage prevention and mitigation, and provide important expertise along with financial support when a breach occurs.
The cyber insurance market has grown quickly over the past decade, though take-up remains low across many sectors. That leaves many firms with weaker preparation and less ability to respond to more complex threats.
The report puts special focus on SMEs. Smaller firms are being targeted more often, though many lack the internal resources needed to build stronger cyber capability on their own.
Estimates suggest only about 10% of SMEs worldwide carry cyber insurance. In some countries, the figure may be much lower, especially among the smallest businesses.
The Geneva Association said expanding the resilience value of cyber insurance will require better awareness of the prevention and response services already built into many policies. Too many policyholders still treat cover as a claims product and nothing more.
The report also said stronger coordination between insurers, policyholders, technology providers, and governments will be necessary to improve understanding of interdependent cyber risks and support solutions that strengthen resilience at a broader system level.
According to Beinsure analysts, the bigger challenge is not only selling more cyber insurance. It is making the cover more active in practice, setting better hygiene standards, shaping behaviour earlier, and helping firms use the services already attached to the policy before losses spiral.
The Geneva Association said cyber insurance can become a more trusted and effective resilience tool by helping establish widely adopted standards of good cyber hygiene across companies, sectors, and economies.
Jad Ariss, managing director of the Geneva Association, said cyber risk is no longer only an IT issue in the current geopolitical environment. He said it now sits at the centre of business and economic risk.
Cyber incidents may be unavoidable, he said, though the scale of their impact is not. In his view, cyber insurance can help firms prevent incidents, manage disruption, and recover faster, though unlocking that potential will require closer cooperation across industry, tech providers, and governments.
Darren Pain, the Geneva Association’s research director and author of the report, said cyber insurance already supports resilience through underwriting standards, incident-response services, and claims support.
He also said many policyholders, especially SMEs, still underuse the preventive services included in their policies. Better awareness and stronger use of those capabilities, he said, would materially improve firms’ ability to withstand and recover from cyber incidents.
