Cyber threats are evolving, so must our data, says Howden Re experts

Cyber threat actors are adapting their methodologies quickly, using automation, zero-day exploits and cloud-based targeting. But as their techniques evolve, so, too, does the industry’s ability to respond.

Key points:
Cloud identities now prime targets
Better data = stronger reinsurance outcomes
Narrative not fear but opportunity

For Harriet Gruen, head of threat intelligence at Howden Re, the warning signs are impossible to ignore. Extortion adversary leak sites recorded 3,700 victim postings in just the first half of 2025 – up from approximately 2,800 for the same period in 2024, disproportionately affecting firms with revenues of less than $50 million. No business is beyond reach and the industry’s modelling assumptions risk falling behind reality.

Recent events underscore this volatility. CL0P resurfaced in late 2024, exploiting managed file transfer tools after a quiet spell, proving that old threats can re-emerge. Meanwhile, LockBit’s takedown by law enforcement in 2024 briefly reduced incidents, but opportunistic rivals quickly filled the gap, showing that enforcement alone won’t stabilise losses. However, while threat groups such as CL0P resurface, recent takedowns also show that coordinated industry and enforcement action can have real impact, even if opportunistic actors quickly move to fill gaps.

“There are so many cases where threat actors are targeting cloud identities and infrastructure,” noted Gruen. 

Why current models need updating

Traditional models and questionnaires have served the market well, but they risk missing nuances in today’s landscape. Vendor blind spots, limited baseline exposure data and outdated minimum standards can leave gaps.

“As the threat landscape evolves, our role is to ensure the industry does not just keep pace but stays ahead” 

For example, sector specific incidents from the past 18 months were not always captured in model footprints, such as CDK or Change Healthcare. Attackers are increasingly abusing software as a service (SaaS) infrastructure for data theft, which might not be addressed in model vendor scenarios. 

“Some of the tools that have been historically used to assess risk, or some of the controls seen as a minimum standard, won’t necessarily be effective against all of these attack factors,” Gruen explained. “Minimum standards therefore need recalibrating.”

“As the threat landscape evolves, our role is to ensure the industry does not just keep pace but stays ahead,” said Foord-Kelcey, global head of cyber at Howden Re. “By strengthening data inputs and constantly challenging assumptions, we can turn volatility into resilience, for insureds, carriers and, ultimately, the wider economy.”

Better data, stronger models

This is where progress is being made. By working with clients to capture more accurate and relevant data, from cloud authentication to supply chain dependencies, Howden Re helps ensure models reflect real-world conditions.

“There’s still some work to do around baseline data capture and improving accuracy,” Gruen said. “But focusing on the basics can have a material impact in terms of modelled losses.” Additionally, by identifying areas of accumulation which might sit outside of the vendor modelling landscape, Howden can work with insurers to quantify “model miss” and benchmark technology concentrations to third and fourth-tier aggregation pathways – such as CDK – that may create an outsized loss for an insurer if they have an overconcentration in their portfolio.

Positive outcomes for clients and reinsurers

Clients who invest in richer, better-quality data not only strengthen their resilience but also unlock differentiated reinsurance outcomes. Model vendors are increasingly giving benefit for cybersecurity control data around patching cadence, network segmentation and back-ups. For reinsurers, improved visibility from cedents reduces portfolio volatility and supports more sustainable capital allocation.

“Our focus is more around trying to understand commonly used methodologies by adversaries, rather than who is behind it,” Gruen added. “Companies that can scale up their posture and use the right tools to protect themselves will inevitably be more resilient in this heighted risk landscape.”

Foord-Kelcey added: “The narrative should not be one of fear. We see a real opportunity; carriers that invest in richer data and proactive strategies are not only more resilient, but they also help create a stronger, more sustainable cyber market for all participants.”

At Howden Re, the priority is ensuring clients and partners turn today’s evolving threat landscape into an opportunity to sharpen their risk strategies. 

Harriet Gruen is head of threat intelligence at Howden Re. She can be contacted at: harriet.gruen@howdenre.com

Luke Foord-Kelcey is global head of cyber at Howden Re. He can be contacted at: luke.foord-kelcey@howdenre.com

For more news from Monte Carlo Today, click here.

Did you get value from this story?  Sign up to our free daily newsletters and get stories like this sent straight to your inbox.