Cyber Attacks Cost 4 EU Economies €307 Billion Amid Low Insurance Uptake

Cyber attacks have cost Germany, France, Italy, and Spain an estimated €307 billion between 2020 and 2025, according to Howden's Rebooting Growth: Cyber Insurance 2025 report. The study found that 49 percent of businesses in these countries experienced at least one attack during this period, yet more than 70 percent remain uninsured. 

Per the report, improved adoption of basic cyber hygiene and broader insurance coverage could have reduced losses by €204 billion. This includes €112 billion from lower attack severity and €92 billion from reduced frequency. The findings underscore a critical opportunity to close Europe's significant cyber-protection gap. 

According to Howden, only 22 percent of Italian companies currently hold cyber-insurance policies compared to 29 percent in France, Germany, and Spain. The United Kingdom, by contrast, shows a higher penetration rate of 39 percent. The report reveals that insurance uptake increases with company size, but mid-sized and small enterprises remain largely underprotected. 

For companies with €500 million in annual revenue, purchasing cyber insurance can save approximately €16 million in attack-related costs over 10 years, equivalent to a 19 percent return on investment, according to the report. The savings stem from reduced attack severity and enhanced governance. Claims payments in the event of a loss further improve returns. 

Despite a favorable market, insurers face challenges in sustaining growth. Global cyber-insurance rates have declined 22 percent since their mid-2022 peak, Howden said. In international markets, rates have dropped 12 percent since early 2024, compared to a 6 percent decline in the United States. While underwriting margins remain strong, expansion now depends on unlocking new business. 

According to Howden, to meet even conservative premium targets, insurers must increase exposure by 15 percent annually. This growth will rely heavily on first-time buyers in underserved regions. Among large European enterprises with over €500 million in revenue, 41 percent said they plan to purchase cyber insurance within the next 5 years. 

The report also found that improved cyber-risk management, such as regular software patching and strong password policies, reduces the average cost of attacks by 87 percent. For companies with average revenues of €62 million, this translates to €4 million in savings between 2020 and 2025. Howden said that resilience measures also improve insurability and reduce disruption. 

Nonetheless, residual risk remains. According to the report, 45 percent of European companies do not see the need for cyber insurance, citing cost and lack of awareness. However, market conditions—characterized by softening rates and growing insurer capacity—provide a favorable entry point for buyers. 

Howden said that insured firms also report better access to incident response, legal counsel, and forensic tools. For instance, only 14 percent of uninsured firms with under €1 million in revenue reported having access to incident response services, compared to 36 percent of policyholders in the same group. 

Ransomware continues to be a dominant threat, according to the report. Although the proportion of attacks stopped before encryption has risen from 27 percent in 2024 to 44 percent in 2025, recovery costs remain significant, averaging $1.5 million in 2025, excluding ransom payments.