My Account
Article22 May 2023

Cyber Security: ESG’s New Frontier

A recent report from Citi Research’s James Shuck dives into the world of cyber insurance, which should play a crucial role in promoting resilience and lowering systemic risks as corporates wake up to their fiduciary responsibilities.

Cyber security is top of the corporate ESG agenda. With cyber warfare firmly established and ransomware on the rise again, half of all companies reported a cyber attack of some sort in 2022. The economic damage from cyber attacks is estimated to reach >$10trn by 2025.

Against this backdrop, the World Economic Forum identifies cyber security as the key risk society faces after climate change. And for boardrooms, it is the top ESG concern as the chart below shows.


Which ESG concerns are of most risk to your company?

© 2023 Citigroup Inc. No redistribution without Citigroup’s written permission.

Figures represent the percentage of answers of all participants who responded (2,650)

Source: Citi Research, Allianz Risk Barometer, 2022


Citi Research analysts estimate that stand-alone cyber insurers generate only single-digit ROEs at an 80% combined ratio, with tail risk the biggest issue. This tends to favor larger, more diversified players.

Why do corporates buy cyber insurance?

The report notes that companies tend to buy cyber insurance for five key reasons. These reasons are aligned with ESG principles and form part of good governance. They can be summarized as follows:


  • Financial Protection. Cyber policies reimburse financial losses (both from first- and third-party claims).
  • Resilience & Compliance. Cyber insurance increases cyber security posture by encouraging the adoption of best practices and support to navigate compliance requirements before, during, and after a cyber event.
  • Expertise. Cyber insurance offers access to various professional experts (for example, IT forensics) and their resources in responding to and mitigating cyber events.
  • Peace of Mind. No one can guarantee that a company will never be the target of a cyber attack. Cyber insurance can provide peace of mind knowing that all the necessary steps have been taken to protect the organization and its assets if security controls do fail.
  • Reputation. In the event of a cyber attack, cyber insurance can provide access to public relations and crisis management professionals to help mitigate damage to an organization’s reputation.


Considerations for sector vulnerabilities to cyber attacks

© 2023 Citigroup Inc. No redistribution without Citigroup’s written permission.

Source: Citi Research

Cyber insurance is very different in the small and medium enterprise (SME) space compared to the large corporate space. Citi Research analysts reckon that three-quarters of SME distribution is through managing general agents (MGAs) whereas large corporates often rely on relationships with managed service providers (MSPs) for their cyber security solutions – where insurers tend to partner.

Cyber insurance market

© 2023 Citigroup Inc. No redistribution without Citigroup’s written permission.

Source: Citi Research, Gallagher Re


Portfolio exposure and premium development

© 2023 Citigroup Inc. No redistribution without Citigroup’s written permission.

Source: Citi Research, Aon


MGAs provide the security ecosystem often by leveraging third parties for analytics and services, with capacity mostly from a panel of insurers – although more recently they have been forced to turn full stack and carry their own risk.

The full note titled European Insurance - Cyber insurance – (Nat) Cats without the tails?, published on 4 May 2023, includes more detail on the cyber insurance sector, including a detailed market overview, how to reduce the protection gap, and the role of reinsurance.

Citi Global Insights (CGI) is Citi’s premier non-independent thought leadership curation. It is not investment research; however, it may contain thematic content previously expressed in an Independent Research report. For the full CGI disclosure, click here.



Sign up to receive our newsletter providing a roundup of recent content and updates on new reports.