Bernhard Liebl
87 percent of German companies fell victim to cyberattacks last year. Total damage: €289 billion. Companies with cyber insurance: just 7 percent. This gap isn’t an IT department oversight – it’s a strategic failure at the C-level – and under NIS2, it carries personal liability.
The Bitkom Economic Protection 2025 study delivers a stark picture no boardroom presentation should omit: 87 percent of companies experienced data theft, industrial espionage, or sabotage in the past 12 months. 34 percent were hit by ransomware. 15 percent paid a ransom. Total damage: €289.2 billion, up again from the previous year.
And yet only 7 percent hold cyber insurance. This isn’t the result of a deliberate risk decision. In most cases, it reflects the fact that the question was never raised at the C-level. Over half of affected companies don’t even know whom to contact in a crisis.
The global view confirms the pattern. According to the Munich Re Global Cyber Risk and Insurance Survey, 87 percent of surveyed C-level decision-makers rate their organization’s cyber protection as insufficient. Globally, Arctic Wolf reports only 47 percent of eligible organizations carry any cyber insurance at all – meaning Germany’s 7 percent lags far behind an already low benchmark.
Root causes are structural: Many executives underestimate residual risk after technical investments. Others shy away from premium costs without weighing them against potential losses. And in more than a few cases, there’s simply no awareness that cyber insurance is a board-level decision – not one to be negotiated within the IT department.
What is cyber insurance? Cyber insurance covers financial losses resulting from cyberattacks, data breaches, or IT system failures. Covered costs include IT forensics, crisis communications, business interruption, GDPR-mandated notifications to affected individuals, and legal counsel. It does not replace IT security – it complements it as a financial safety net when all technical safeguards fail.
Munich Re’s figures reveal the scale: The global cyber insurance market will reach approximately $16.3 billion in premiums in 2025. By 2030, that figure is projected to double to over $32 billion. Europe accounts for $3.3 billion (roughly a fifth of the global total) and is growing fastest at 26 percent annually, a sign that European companies are slowly recognizing the gap.
According to Allianz Commercial, roughly 60 percent of major cyber insurance claims (exceeding €1 million) in the first half of 2025 stemmed from ransomware. Manufacturing leads in claim volume – a consequence of a 71 percent surge in attacks targeting the sector and increasing digitalization of production systems. The flip side: Average claim size dropped by over 50 percent during the same period, as insured companies demonstrated stronger incident-response processes.
Source: Bitkom Economic Protection 2025 (n = 1,003 companies with 10+ employees)
Cyber insurance is treated as an IT issue in many companies. That’s wrong. The decision whether – and to what extent – a company insures itself against cyber risks touches three executive domains simultaneously: the CIO (risk assessment and security maturity), the CFO (premium budgeting and loss exposure), and the CEO (overall accountability and personal liability). None can decide alone.
NIS2 has enshrined this responsibility in law. Management bodies must approve and oversee cybersecurity risk management measures, and the national transposition can hold them personally liable for breaches of that duty. The administrative fines fall on the entity: up to €10 million or 2 percent of global annual turnover, whichever is higher, for essential entities, and up to €7 million or 1.4 percent for important entities. In addition, authorities may temporarily bar natural persons with managerial responsibilities at essential entities from exercising such functions. Whether a company needs cyber insurance forms part of this duty of care; ignoring the question may constitute negligence.
For the financial sector, DORA adds further pressure: Every ICT third-party service provider must be recorded in the register of information and assessed, and the management body bears final responsibility for managing ICT risk. An insurer is not an ICT provider, but the decision to transfer or retain the financial impact of ICT incidents belongs in the same documented risk framework. A board unable to demonstrate systematic evaluation of the insurance question leaves itself exposed.
“We must continue raising our investments in IT security.”
Dr. Ralf Wintergerst, President of Bitkom (Bitkom Economic Protection 2025)
Wintergerst’s call goes beyond technical measures. According to Bitkom, the share of IT budgets allocated to security has risen to 18 percent – up from 9 percent in 2022. Forty-one percent of companies already invest 20 percent or more. Yet technology alone isn’t enough: The question isn’t whether an attack will happen – but when. And then, insurance determines whether the company survives financially.
After two years of declining premiums, Munich Re forecasts a 15-20 percent rise for 2026. Why? Claims frequency is outpacing premium income. Ransomware groups are becoming more professional; attack surfaces are expanding through remote work and IoT; and recovery costs are climbing alongside IT infrastructure complexity.
Insurers are responding with stricter underwriting criteria. Multi-factor authentication (MFA), tested backup strategies, documented incident-response plans, and regular penetration tests are no longer optional extras – they’re prerequisites for coverage at acceptable rates. Companies lacking these fundamentals either receive no policy – or pay premiums that blow their budget.
For leadership, this means: If you lack cyber insurance today, you’ll pay more tomorrow. And if you want to buy it, you’ll first need to prove your organization meets basic security standards. Insurers’ minimum requirements largely align with NIS2 obligations – fulfilling one prepares you for the other. That makes investing in security infrastructure doubly valuable.
A counterpoint is valid: Not every organization needs full coverage. For those with highly mature security postures, self-insurance may be economically rational. But that choice must rest on a documented risk analysis – not inaction. The board must be able to demonstrate it consciously addressed the question.
These questions form the core of responsible cyber-risk strategy. Each demands a documented answer – for internal governance and for NIS2 compliance verification.
1. What is our maximum potential loss exposure? A ransomware-induced operational shutdown costs between €50,000 and €5 million per day, depending on industry and company size. The board must know its own organization’s loss ceiling – both to inform insurance decisions and to meet NIS2’s risk documentation requirements.
2. Which risks do we insure – and which do we retain? Not every policy covers every loss. War exclusions, systemic infrastructure failures, and state-sponsored attacks are frequently excluded. Read the exact wording: Lloyd’s market war exclusions introduced in 2023 target state-backed attacks that significantly impair a state’s functioning, not every attack an insurer might attribute to a state actor, and attribution and impact thresholds differ between insurers. The board must understand coverage gaps and document why specific residual risks are consciously accepted.
3. Do we meet insurers’ minimum requirements? Without MFA, backups, and an incident-response plan, affordable protection is off the table. These requirements mirror NIS2 obligations – meeting one prepares you for the other.
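The first and second questions above, and the self-insurance counterpoint earlier, all come down to one number the board must own: the loss distribution with and without a policy. The following is an added, constructed illustration of such an analysis, not code from the article or from any insurer. Only the per-day outage cost range (€50,000 to €5 million) and the 34 percent ransomware hit rate, used here as a rough proxy for the yearly probability of a disruptive incident, come from the text; the outage duration, the policy terms, the log-uniform cost assumption and the €2 million risk appetite are assumptions chosen for the example.

```python
"""Quantifying annual cyber-loss exposure and testing an insure-vs-retain
decision with a seeded Monte Carlo simulation.

Added illustration, not from the article. Only the per-day outage cost range
(EUR 50k to EUR 5M) and the 34 % incident probability are taken from the
text; outage duration, policy terms, the cost distribution and the risk
appetite are constructed assumptions.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    premium: float     # annual premium in EUR
    deductible: float  # retained per loss event in EUR
    limit: float       # maximum annual payout in EUR


def simulate_annual_losses(n_years, p_incident, days_range, cost_per_day_range, seed=7):
    """Gross annual loss for n_years simulated years.

    Each year suffers at most one disruptive incident with probability
    p_incident. Outage length is uniform over days_range; the per-day cost
    is log-uniform over cost_per_day_range, so EUR 50k/day and EUR 5M/day
    are equally plausible orders of magnitude (assumption, not data).
    """
    rng = random.Random(seed)
    lo_cost, hi_cost = cost_per_day_range
    losses = []
    for _ in range(n_years):
        loss = 0.0
        if rng.random() < p_incident:
            days = rng.randint(*days_range)
            cost = math.exp(rng.uniform(math.log(lo_cost), math.log(hi_cost)))
            loss = days * cost
        losses.append(loss)
    return losses


def net_cost(gross_loss, policy):
    """What the company actually pays in a year: retained loss plus premium."""
    payout = min(max(gross_loss - policy.deductible, 0.0), policy.limit)
    return gross_loss - payout + policy.premium


def summarize(losses):
    """Expected value, 95th percentile and worst case of a loss sample."""
    s = sorted(losses)
    return {
        "expected": statistics.fmean(s),
        "p95": s[int(0.95 * (len(s) - 1))],
        "max": s[-1],
    }


def decide(gross, net, risk_appetite):
    """Board rule (assumption): judge the options on the 95th-percentile year."""
    if gross["p95"] <= risk_appetite:
        return "retain"        # self-insurance is defensible at this appetite
    if net["p95"] <= risk_appetite:
        return "insure"        # the policy brings the bad year inside appetite
    return "insufficient"      # neither option does; raise the limit or cut risk


def run_analysis(policy, risk_appetite, n_years=20_000):
    """Full pipeline: simulate, apply the policy, summarize, decide."""
    losses = simulate_annual_losses(
        n_years, p_incident=0.34, days_range=(1, 10),
        cost_per_day_range=(50_000, 5_000_000))
    gross = summarize(losses)
    net = summarize([net_cost(loss, policy) for loss in losses])
    return gross, net, decide(gross, net, risk_appetite)


if __name__ == "__main__":
    # Constructed policy: EUR 40k premium, EUR 100k deductible, EUR 5M cover.
    policy = Policy(premium=40_000, deductible=100_000, limit=5_000_000)
    gross, net, verdict = run_analysis(policy, risk_appetite=2_000_000)
    for label, s in (("uninsured", gross), ("insured", net)):
        print(f"{label:9s} expected EUR {s['expected']:>12,.0f}  "
              f"p95 EUR {s['p95']:>12,.0f}  max EUR {s['max']:>12,.0f}")
    print("decision:", verdict)
```

The point of the exercise is not the particular verdict but that every input is a written-down assumption the board can be challenged on: with the figures above, a €5 million limit leaves the 95th-percentile year well above a €2 million appetite, which is exactly the kind of coverage gap question 2 asks about. Swap in your own incident probability, outage duration and policy quotes, keep the script with the risk analysis, and the documented rationale NIS2 expects exists.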
A 7 percent insurance rate amid 87 percent victimization isn’t a statistic – it’s a wake-up call. Cyber insurance doesn’t belong in the IT department. It belongs on the C-level agenda. NIS2 makes that discussion mandatory. And rising premiums make waiting more expensive than acting. The first step: A documented risk analysis quantifying maximum loss exposure. Without that number, rational decisions on insurance – or security investment – are impossible.
What does cyber insurance cost? Premiums vary widely by industry, company size, and security maturity. For a firm with 100-500 employees and baseline security controls, annual premiums typically range from €5,000 to €50,000, for sums insured of €1 million to €10 million. Companies lacking MFA or current backups pay significantly more, or receive no coverage at all.
What does it cover? Typical coverage includes business interruption, IT forensics, crisis communications, GDPR-mandated notifications to affected individuals, legal counsel, ransom payments (policy-dependent), and data restoration. Exclusions usually apply to state-backed attacks (the “War Exclusion”, whose attribution and impact thresholds vary by insurer), reputational harm, and pre-existing vulnerabilities known before policy inception.
Does cyber insurance replace IT security? No. Cyber insurance is a financial safety net, not a substitute for IT security. Insurers require foundational safeguards as a condition of coverage: multi-factor authentication, regular backups, patch management, and an incident-response plan. Organizations lacking these either get no policy, or the premiums become commercially unviable.
Why are premiums rising? After two years of falling premiums, Munich Re forecasts a 15-20 percent increase for 2026. Drivers include rising ransomware claim frequency, higher recovery costs, and tightening regulatory demands under NIS2 and DORA. Demand is also surging as more companies seek coverage.
Does NIS2 require cyber insurance? No, NIS2 does not mandate cyber insurance outright. However, it obliges management bodies to approve and monitor cybersecurity risk management, including assessing the financial impact of cyber incidents. A board that neither purchases insurance nor documents its rationale for declining it opens itself to allegations of negligence.
Header Image Source: Pexels / Vlada Karpovich (px:7433929)