This is article part 9 of 15 in this report.
April 30, 2025
Riding the Wave: EMEA Approaches Cyber Maturity

Key takeaways
- Organizations were more engaged and resilient in 2024, approaching maturity across key cyber risk domains. However, they were least prepared when it came to third-party risk and business resilience.
- Ransomware attacks were more frequent but stronger cyber controls meant that the severity declined. Globally, the ratio of payment to demand size decreased to 28%.
- The cyber insurance marketplace has never been more accessible, especially for middle-market businesses. New entrants and a flood of new capital led to declining prices and great scope and scale for renewals.
While differences persist across countries, Europe rode the tide towards cyber security maturity in 2024. The market moved away from data-centric regulations towards resilience and an increased focus on the organization’s ability to withstand and recover from attack and avoid business interruption. We witnessed an uptick in the effective deployment of security controls, particularly with respect to managing and recovering from ransomware attacks; maturation in the cyber insurance market in both underwriting capability and coverage capacity; and the influence of regulatory frameworks on resilience.
Major systemic-type cyber events impacted Europe in 2024, and geopolitical tensions deepened, leading to volatility and more risk. The UK’s National Health Service suffered multiple attacks throughout the year, notably the June ransomware attack against a pathology services provider. This breach led to canceled appointments and procedures and disruptions to blood transfusions and test results.[1] The CrowdStrike outage in July 2024 served as a timely reminder of the potential loss severity associated with digital supply chain interconnectedness. The incident caused more than 8.5 million systems to crash, disrupting operations worldwide for days and impacting commercial flights, hospitals and financial services.[2]
Volatility also led to more aggressive and pernicious nation-state-style actors, whether direct or through ancillary bodies. Critical infrastructure was a key target and between January 2023 and January 2024, global critical infrastructure faced over 420 million cyber attacks, or 13 attacks per second, with varying levels of severity.[3] These attacks occurred worldwide, with the U.S. being the most frequently targeted country, followed by the UK and Germany.[4] As the U.S. and China compete more commercially, we anticipate increased commercial-style espionage, likely impacting Europe. Many insurance carriers are already reacting to this volatility. There has been growing consensus in the market that if an attack is state-backed and causes significant or major disruption in a country, losses might be excluded provided such disruption is of enough scale to be non-insurable.
Technical Controls Get Stronger But Third-Party Risk Climbs.
The year saw a more engaged and resilient client base emerging as organizations made significant progress in implementing technical controls and strengthening digital domains. Aon clients across Europe reported an overall Aon global risk score — a key metric that measures preparedness across six critical cyber security domains — of 2.53 out of four. Organizations performed best across endpoint security, network security and access control, while unsurprisingly, organizations were least prepared to manage third-party risk and business resilience.
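Cyber Domains | 2024 EMEA Data

Overall Risk Score: 2.53

Highest Scoring

Domain | Domain Score | Sub-domain | Sub-domain Score |
---|---|---|---|
Endpoint Security | 2.80 | Endpoint Protection | 2.99 |
Endpoint Security | 2.80 | Secure Config. | 2.80 |
Endpoint Security | 2.80 | Logging & Monitoring | 2.79 |
Network Security | 2.76 | Network Environ. | 2.85 |
Network Security | 2.76 | Pen Testing | 2.84 |
Network Security | 2.76 | Wireless | 2.63 |
Access Control | 2.74 | Password Config. | 2.89 |
Access Control | 2.74 | MFA | 2.77 |
Access Control | 2.74 | Access Mgmt. | 2.65 |

Lowest Scoring

Domain | Domain Score | Sub-domain | Sub-domain Score |
---|---|---|---|
Third Party | 2.01 | Due Diligence | 1.81 |
Third Party | 2.01 | 3rd Party Contracts | 2.04 |
Third Party | 2.01 | 3rd Party Inventory | 2.75 |
Application Security | 2.12 | Training | 1.84 |
Application Security | 2.12 | Software Mgmt. | 2.08 |
Application Security | 2.12 | Secure Dev. | 2.21 |
Business Resilience | 2.33 | BCM/DR | 2.15 |
Business Resilience | 2.33 | Incident Response | 2.35 |
Business Resilience | 2.33 | Backup | 2.54 |

CyQu Risk Maturity Scoring
Initial: 1.0 - 1.9
Basic: 2.0 - 2.5
Managed: 2.6 - 3.4
Advanced: 3.5 - 4.0
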
Ransomware attacks persisted across Europe in 2024. While the law enforcement actions of the past few years to dismantle ransomware threat actor groups destabilized the space, they also gave rise to dozens of splinter groups.
Top Ransomware Groups

Group | Number of Published Victims |
---|---|
LockBit 3.0 | 404 |
RansomHub | 387 |
Play | 308 |
Akira | 250 |
Hunters International | 195 |

As the frequency of ransomware attacks grew, attack groups broadened their efforts and targeted smaller organizations. However, the severity of attacks declined, partially supported by stronger cyber security controls and ransomware preparedness. Globally, the ratio of payment to demand size decreased to 28 percent, from 41 percent in 2023, and the average ransomware payment amount declined by 77 percent. While this decrease in severity is a promising picture, the rise in ransomware event frequency necessitates guidance around reporting and navigating notices.
Third-party risk, which refers to the potential risk from suppliers, vendors or partners, continued to prove challenging. This score is a call to action for many businesses. The events of 2024 highlight the potential downstream impact of a third-party breach. Organizations also underperformed at managing business resilience, including back-ups, incident response, and business continuity management. Phishing and social engineering attacks increased by a third in 2024, accounting for nearly one in five of the primary incident vectors when joined with identity theft/account cracking. The majority of examined large telecommunications, financial services and e-commerce operators saw an increase in overall fraud attacks, including identity thefts and account takeovers.[5][6] As a result, we expect organizations to devote more time and effort to fraud prevention, business resilience policies and procedures in order to safeguard the overall environment.
Cyber Insurance and Regulations Help Drive Maturity
Across 2024, cyber regulations demanded that more organizations identify, assess and mitigate their cyber risks. The European Union’s Network and Information Security Directive (NIS2) expanded regulations to 18 sectors, including energy, transport, health, finance and digital infrastructure, encompassing both essential and important entities within these sectors. It also called on EU member states to define their national cyber security strategies and collaborate on cross-border reaction and enforcement.[7] Another piece of EU legislation, the Digital Operational Resilience Act (DORA), focuses on cyber security across financial institutions such as banks, insurance companies, and investment firms, working to ensure that Europe’s financial sector is more resilient in the event of a severe operational disruption.[8]
As organizations complied with regulations in 2024, they also worked to secure cyber insurance and underwriting — all of which helped drive cyber security. At the same time, insurance carriers experienced increased competition. The European insurance marketplace has never been more accessible thanks to many new entrants and a flood of new capital into the cyber insurance marketplace, resulting in declining prices, great scope and scale for renewals and new buyers.
[Figure: 2020–2025 Cyber Premium Changes by Quarter. Average year-over-year change (same clients).]
[Figure: Cyber Monthly Pricing, All Layers. Average year-over-year change (same clients).]
A broadening of coverage emerged in unexpected areas, including third-party risk. Many managing general agents now offer turnkey solutions and bundles, such as packaging a threat-hunting or endpoint detection and response (EDR) service with substantial reactive cyber insurance in one complete package.
As competition continues, insurance carriers will become more innovative in their products and coverage. On the incidents and claims front, carriers will need to manage more complex supply chain claims, deal with a continued uptick in notifications and make more complex business interruption adjustments.
Recommended Actions
- Conduct a data-driven analysis of your organization’s cyber risk posture. Strengthen third-party and business resilience domains.
- Engage in regular horizon-scanning and collaborate with industry peers to identify sector-specific challenges and threats. Work to close or reduce vulnerability to these threats.
- Secure a broad cyber insurance policy that considers and covers supply chain risk. Use feedback from the insurance marketplace to inform cyber security planning.
- Ensure robust data security and governance controls exist before deploying AI technologies. Have clearly defined use cases for all AI deployments and robustly evaluate the risks associated with those cases to determine appropriate mitigation strategies.
- Develop AI usage policies and hunt down shadow AI or employees’ unauthorized use of AI tools and technologies. Execute an internal education and awareness campaign.
References
[1] Update on Cyber Incident: Clinical impact in southeast London – Thursday 26 September 2024. NHS England. https://www.getronics.com/nhs-cyber-attack-2024/
[2] Raphael Yahalom. What the 2024 CrowdStrike Glitch Can Teach Us About Cyber Risk. Harvard Business Review. January 10, 2025.
[3] A growing geopolitical weapon. World Pipelines. Alfred Hamer. December 31, 2024. https://www.worldpipelines.com/
[4] ibid.
[5] Rapporto Clusit 2025. Sulla Cybersecurity in Italia e nel mondo. Clusit. https://www.cybertrends.it/rapporto-clusit-2025/
[6] Tackling evolving fraud threats. Experian, by Forrester Consulting. 2025. https://experianacademy.com/forrester-fraud-research-report-2024
[7] NIS2 Directive: new rules on cybersecurity of network and information systems. European Commission. January 15, 2025. https://digital-strategy.ec.europa.eu/en/policies/nis2-directive
[8] Digital Operational Resilience Act (DORA). European Insurance and Occupational Pensions Authority. https://www.eiopa.europa.eu/digital-operational-resilience-act-dora_en