Few companies adequately insured against growing cyber threats

Despite the rising number of cyberattacks and increasing damages, only a small percentage of companies in the Netherlands are adequately insured against such threats, according to insurers and cybersecurity experts, BNR reports.

In 2023, the Dutch cyber insurance market generated 101 million euros in gross premiums, a fraction of the 16.5 billion euros total for all non-life insurance policies, according to the Verbond van Verzekeraars. While the market for cyber insurance grew by nearly 50 percent last year, it remains underdeveloped, says Bert Hubert, a former AIVD supervisor and technology entrepreneur. "Cyber insurance is still in its infancy," Hubert said.

Hackers can exploit vulnerabilities in widely used systems, causing large-scale damage. This makes it challenging for insurers to manage risks, with some leaving the market entirely due to the rapid pace of cybercrime innovation.

Hiscox, a market leader in cyber insurance, only accepts clients with annual revenues below 250 million euros to limit exposure. "Companies must meet a certain baseline of cybersecurity hygiene," said Yasin Chalabi, Hiscox's director responsible for cyber risks. Clients, for instance, are required to maintain backups of critical files.

Chalabi noted that cyber claims have increased, but companies are improving their security practices compared to a few years ago.

Many business owners underestimate their vulnerability, believing they have little to lose in a cyberattack, Chalabi explained. A lack of understanding about the costs and benefits of cybersecurity also hinders the development of the cyber insurance market, according to the Centraal Planbureau. Some companies mistakenly assume their existing liability insurance policies already cover cyber risks.

Strict acceptance criteria also discourage small and medium-sized businesses (SMEs) from obtaining coverage. Requirements such as maintaining dedicated security teams are often beyond their reach, according to a spokesperson from MKB-Nederland, the Dutch SME association. The organization focuses on raising awareness to help members strengthen their defenses against the growing threat.

Business Email Compromise (BEC) attacks, where criminals impersonate trusted parties via email or messaging platforms like Teams, accounted for 73 percent of reported cyber incidents in 2024, according to Eye Security. Job Kuijpers, CEO of the company, warned that these attacks are expected to rise in 2025, along with premiums and claims.

Ransomware remains a dominant tactic, with attackers threatening to release or destroy stolen data unless ransoms are paid. In 2023, the Dutch Data Protection Authority recorded at least 178 successful ransomware attacks, many affecting multiple organizations simultaneously.

Eward Driehuis, a cybersecurity expert, noted that many incidents go unreported as companies avoid disclosing data breaches. "Most of the costs associated with cyberattacks are not from ransom payments but from halting operations and restoring systems," Driehuis said.