
Cyberattacks are no longer isolated disruptions—they are engineered to inflict lasting financial and operational damage.

From ransomware attacks that paralyze entire networks to business email compromise (BEC) schemes that siphon millions through fraudulent transactions, the landscape has become increasingly complex.

Insurers and businesses alike are struggling to quantify these risks in real time, with cyber threats evolving at a pace that outstrips traditional risk modeling. Understanding the true costs of an attack and the cascading effects across supply chains is now critical for assessing exposure and setting accurate insurance premiums.

Hidden costs

The financial impact of a cyberattack extends far beyond the ransom payment or the immediate cost of restoring systems. Companies often incur millions in forensic investigations, legal fees, regulatory fines, and lingering reputational damage. Crisis communication firms are frequently brought in to handle public messaging, manage investor concerns, and mitigate reputational damage.

In some cases, these indirect costs exceed the initial financial hit.

For mid-sized organizations, a ransomware attack can cost anywhere from $1.5 million to $10 million, depending on the size of the company and the extent of the breach. Network intrusions, which may not immediately result in encrypted data or ransom demands, can still require costly forensic investigations and security overhauls, with price tags ranging from $150,000 to $1.5 million.

Business email compromise scams, now accelerated by AI-generated phishing schemes, have led to fraudulent transactions worth hundreds of thousands or even millions of dollars before detection. One factor driving up costs is business interruption, which varies depending on industry.

In manufacturing and healthcare, where operational technology (OT) relies on legacy systems that are difficult to patch, downtime can be catastrophic. A 2023 IBM study found that the average cost of a data breach in the healthcare industry reached $10.93 million per incident, the highest across all sectors, due to the regulatory environment and the critical nature of patient data.

The ripple effect

Cyberattacks rarely stop at a single organization. A breach at one company often cascades across its entire partner ecosystem. Third-party contractors, for example, frequently retain access to corporate systems long after their contracts expire, leaving dormant credentials that can be resold on the dark web for as little as $2,000.

Attackers known as initial access brokers specialize in selling these credentials to ransomware groups, fueling a cycle of persistent cyber threats. The value chain impact of these breaches is particularly severe in industries with deeply interconnected suppliers.

A World Economic Forum report found that 54% of large organizations identified supply chain security challenges as the biggest barrier to achieving cyber resilience. In some cases, insurers have struggled to determine liability—does the attack on a supplier increase the insured’s exposure, and should that be factored into premium adjustments? This lack of clarity has made cyber insurance pricing volatile, particularly for companies operating in industries with high supply chain dependencies.

Why traditional risk modeling falls short

Cyber risk assessment has traditionally relied on structured questionnaires that measure a company’s security posture at a given moment. Insurers typically look at multi-factor authentication, network segmentation, and patching policies, but these assessments fail to capture the dynamic nature of cyber threats.

The challenge lies in the fact that cyber risk does not behave like property and casualty risk, where long-term actuarial data can be used to model exposure. With property insurance, flood risks can be determined based on decades of historical data. Cyber risk, however, is constantly shifting. A company might be fully patched one day, only for a new vulnerability to emerge the next, instantly increasing exposure.

The reliance on static assessments has created gaps in underwriting. Many businesses struggle to prove their security resilience beyond compliance checklists, leaving insurers to price coverage based on incomplete or outdated information. This discrepancy has contributed to volatile cyber insurance pricing, with some organizations facing significant premium increases despite making security investments.

The rise of AI-driven threats

AI has accelerated the sophistication of cyberattacks, particularly in social engineering. Phishing emails, once riddled with grammar errors and obvious red flags, are now linguistically flawless and tailored to specific industries.

Attackers can generate highly convincing emails designed to trick lawyers, CFOs, or procurement officers into authorizing fraudulent transactions. This shift has made email compromise one of the most effective and costly forms of cybercrime.

Beyond phishing, AI is transforming how attackers conduct reconnaissance. Automated tools can now scan for vulnerabilities, identify misconfigurations, and map out network structures before launching targeted intrusions. This has forced businesses to rethink cybersecurity as a real-time challenge rather than a compliance exercise.

Continuous monitoring must become the standard

Given the pace at which threats evolve, dynamic risk modeling is emerging as the only viable approach to cyber risk assessment. Unlike traditional underwriting models, which rely on annual questionnaires and fixed security benchmarks, dynamic modeling continuously updates a company’s risk profile based on live security data.

A modern, effective approach involves attack surface management, which actively monitors key risk indicators such as unpatched vulnerabilities, unauthorized access attempts, and anomalous network activity. A company with 200 employees should never have more than 200 active user accounts, yet many organizations fail to deprovision old credentials, leaving doors open for attackers.

Similarly, companies with no operations in Eastern Europe should not be allowing authentication attempts from IP addresses in Moldova or Belarus. These anomalies, if detected in real time, can prevent attacks before they escalate.
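The two key risk indicators described above (active accounts exceeding headcount, and authentication attempts from countries where the company has no operations) can be expressed as simple checks over a directory export and authentication logs. The following is an added illustration, not code from the article or from S-RM; the headcount, allowed-country list, account names, log format and IP addresses are all constructed for the example.

```python
import re
from collections import Counter

# Constructed sample data (not from the article): a directory export of active
# accounts and a few authentication log lines in a simple key=value format.
HEADCOUNT = 200                   # assumption: current number of employees
ALLOWED_COUNTRIES = {"US", "CA"}  # assumption: countries the company operates in
ACTIVE_ACCOUNTS = [f"user{i:03d}" for i in range(1, 198)] + [
    "contractor-old", "vendor-svc", "tmp-admin", "j.doe-2019",
]  # 201 enabled accounts in total, one more than headcount
AUTH_LOG = """\
2024-05-01T08:12:03Z user=user017 src=198.51.100.7 country=US result=success
2024-05-01T08:13:44Z user=user042 src=203.0.113.9 country=CA result=success
2024-05-01T08:15:10Z user=contractor-old src=192.0.2.55 country=MD result=failure
2024-05-01T08:15:12Z user=contractor-old src=192.0.2.55 country=MD result=success
2024-05-01T08:20:31Z user=user099 src=192.0.2.77 country=BY result=failure
""".splitlines()

LINE_RE = re.compile(r"user=(?P<user>\S+) src=(?P<src>\S+) country=(?P<cc>\w{2}) result=(?P<result>\w+)")

def check_account_count(accounts, headcount):
    """KRI 1: the article's rule that active accounts must not exceed headcount.
    A real deployment would first subtract an approved list of service accounts."""
    excess = len(accounts) - headcount
    return [f"account-sprawl: {len(accounts)} active accounts for {headcount} employees"] if excess > 0 else []

def check_geo_anomalies(log_lines, allowed):
    """KRI 2: authentication attempts from countries outside the allowed set.
    A successful login is the urgent finding; repeated failures still show targeting."""
    findings = []
    per_user = Counter()
    for line in log_lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # skip malformed lines rather than crash the monitor
        if m["cc"] not in allowed:
            per_user[(m["user"], m["cc"])] += 1
            if m["result"] == "success":
                findings.append(f"geo-anomaly: successful login for {m['user']} from {m['cc']} ({m['src']})")
    for (user, cc), n in per_user.items():
        findings.append(f"geo-attempts: {n} attempt(s) for {user} from {cc}")
    return findings

def run_kri_checks(accounts=ACTIVE_ACCOUNTS, log_lines=AUTH_LOG,
                   headcount=HEADCOUNT, allowed=ALLOWED_COUNTRIES):
    """Combine both indicators into one list of findings for an alerting pipeline."""
    return check_account_count(accounts, headcount) + check_geo_anomalies(log_lines, allowed)
```

On the constructed data the checks report one account-sprawl finding, one successful login from Moldova for a stale contractor account, and per-user counts of the out-of-region attempts.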

Dynamic risk modeling also has implications for insurance pricing—allowing insurers to develop more flexible pricing mechanisms that reflect an organization’s real-time security posture rather than its compliance status at the start of a policy term.

As cyber insurance companies overhaul their approach to risk, organizations that fail to adapt will face not only heightened exposure to attackers but also rising premiums. Meanwhile, companies with strong security postures can expect lower costs.

AI-driven attacks will continue to rise. Organizations that embrace continuous monitoring and a dynamic approach to risk assessment will stay ahead of the curve.

Paul Caron

Paul Caron is Head of Cybersecurity, Americas at S-RM, a global corporate intelligence and cyber security consultancy. He can be reached at P.Caron@s-rminform.com.
