Enhancing the Role of Insurance in Cyber Risk Management

Other | 11/29/2017

Executive Summary

Economic and commercial operations have become increasingly reliant on digital technologies, which face a constant threat of disruption due to human error or malicious attacks. The potential for serious economic and commercial repercussions, illustrated most recently in the millions of compromised records at Yahoo and Equifax, the disruption of major websites by a denial-of-service attack on Dyn and the hundreds of thousands of computers compromised by the WannaCry and NotPetya ransomware attacks, has meant increasing investment in safeguarding the confidentiality, integrity and availability of information and information systems.

While not a substitute for investing in cyber security and risk management (having good cyber security and avoiding a disruption is the preferable outcome), insurance coverage for cyber risk can make an important contribution to the management of cyber risk by promoting awareness about exposure to cyber losses, sharing expertise on risk management, encouraging investment in risk reduction and facilitating the response to cyber incidents. There is some evidence that the insurance market is making this contribution by sharing expertise on risk management, differentiating its pricing based on levels of risk and providing valuable support to both large and small companies in responding to crises.

However, the potential contribution of insurance markets to the management of cyber risk is even greater. The stand-alone cyber insurance market remains a fraction of the size of other commercial property and liability insurance markets with penetration (take-up) levels near 30% of companies in almost all countries (and in single digits for small and medium-sized enterprises (SMEs)). For those companies that do purchase cyber insurance, coverage limits are usually much lower than what is available for other perils and provided at a much higher premium level. In addition, some of the most important needs of companies, such as coverage for losses related to reputational damage or intellectual property theft, are rarely covered by cyber insurance products.

Overcoming the major obstacles to the development of the cyber insurance market could lead to greater and wider coverage of cyber risk and have a larger impact on risk management. The lack of historical data on cyber incidents and (in particular) the ever-evolving nature of the risk impede the ability to develop probabilistic pricing and exposure management models. The lack of trusted models reduces the willingness of insurance companies (and reinsurers) to extend significant amounts of coverage and leads them to apply various exclusions and sub-limits to control their exposure. The limited coverage available in the market, along with the complexity of the terms and conditions imposed, has led policyholders to question the value of cyber insurance coverage in its current form.

This report provides an overview of the financial impact of cyber incidents, the coverage of cyber risk available in the market, challenges to market development and initiatives aimed at addressing those challenges. It has benefitted from the input of a broad range of stakeholders from across the global re/insurance sector and the digital security and financial sector policy communities, including two OECD committees (Insurance and Private Pensions Committee and the Working Party for Security and Privacy in the Digital Economy) and the High-Level Advisory Board on the financial management of catastrophic risks.
