Cyber risk

Against a background of a growing catalogue of cyber incidents(the attack on US credit report agency Equifax in the summer being the latest high-profile example), cyber insurance solutions demand continues to grow.

The cyber insurance market is expanding rapidly. Against a background of a growing catalogue of cyber incidents (the attack on US credit report agency Equifax in the summer being the latest high-profile example), demand for cyber insurance solutions continues to grow. Estimates vary, but global cyber insurance premiums were probably somewhere in the range of USD 2.5 billion to USD 3.5 billion in 2016, and are set to climb further in 2017 as both the take-up of cover and premium rates increase.1 Increasingly, cyber policies are being sold on a stand-alone basis rather than as part of a broader insurance package.2 Some industry observers expect the recent rapid pace of growth of around 30% per annum to continue with premiums possibly reaching USD 14 billion by 2022.3

The influx of risk-absorbing capacity from new entrants and incumbent insurers is having an impact on pricing in some pockets of the market. In particular, US cyber liability rates reportedly weakened slightly in 2017 after years of strong increases.4 More generally, however, robust demand for cyber insurance combined with a continued lack of standardisation in policies is providing some support for premium rates, especially outside of the US. The EU's General Data Protection Regulation (GDPR) is reportedly catalysing improvements in cyber risk management, including the purchase of insurance. With just a few months remaining until GDPR enforcement begins, less than 10% of firms believe they are fully compliant.5

Firms are increasingly seeking insurance against possible losses well beyond the direct cost of data breaches and third-party liability, including cover for business interruption, reputational harm and sometimes physical damage. But without full understanding of how much risk they are taking on, and wary of the possibility of extreme risk accumulation, many insurers set low limits and various exclusions in order to cap their potential losses. Gaps in available cover also continue to persist. For example, relatively few insurers offer insurance against intellectual property theft or damage to physical assets from a cyber incident.6

An important factor influencing the pace and scope of future market development will be the capture and analysis of data needed to underwrite cyber risks accurately. Product and process innovation, including developing sophisticated tools to detect and evaluate cyber threats, can help make cyber risk more manageable and foster further expansion of associated insurance solutions. Cooperation between companies, insurers and governments will be essential to increase the resilience of society. Government backstop financing may ultimately become necessary for accumulating cyber scenarios that are too great to be absorbed by the private re/insurance market, and/or events with a terrorism- and war-like character. Such a backstop reduces uncertainty and allows re/insurers to go closer to the edge of their risk appetite and hence assume and retain more risk.


1. The penetration of cyber insurance is estimated at less than 30% in the US (where almost 90% of premiums are currently being underwritten), which is much less than in other commercial lines.

2. Cyber Line Expected to be One of the Leading P/C Growth Areas, A.M. Best, June 2017.

3. See for example, "Cyber Insurance Market to Top $14 Billion by 2022: Report",, 9 December 2016,

4. Commercial Insurance Rates Continue Decline in Light of Global Market Forces, Marsh, 25 August 2017,

5. GDPR Preparedness: An Indicator of Cyber Risk Management, Global Risk Perception Report, Marsh, October 2017.

6. Cyber Risk Landscape Report, RMS, 2017.