A new report published by the International Association of Insurance Supervisors (IAIS), entitled Cyber insurance unpacked: the corporate digital safety net, takes an in-depth look at the concerns regulatory supervisors have regarding cyber risks and cyber insurance developments globally.
The report's authors say ransomware is becoming the leading source of cyber losses. They also say that the issue of non-affirmative or “silent cyber,” where coverage is not explicitly included or excluded, remains a critical concern for supervisors.
Additionally, the paper, written by the Financial Stability Institute and the Bank for International Settlements (BIS), says the pricing of cyber insurance poses unique challenges due to limited historical data, the evolving nature of cyber threats and the interconnectedness of digital ecosystems. “Traditional actuarial models, which assume stable risk distributions, struggle to account for the non-stationary and systemic characteristics of cyber risk,” the report’s researchers write. They add that accumulation risk is a major concern for cyber insurance underwriting.
“Growth in the cyber underwriting market needs to be prudent,” they add. “The market cannot fully address all cyber threats and vulnerabilities.” Later the paper continues, saying the development of the cyber insurance market must be grounded in sound practices. The global cyber insurance market was worth $15.4-billion in gross written premiums in 2024. (Figures in U.S. dollars.)
Four main types of malicious incidents
The report says the majority of cyber losses originate from four main types of malicious incidents: ransomware attacks, business email compromise, distributed denial of service attacks and data breaches. Policies to address these risks vary significantly across insurers and jurisdictions, they note. They also underline that cyber incidents can trigger claims under multiple and overlapping policies. “Such overlaps can contribute to accumulation risks,” they add.
One main regulatory and supervisory concern over the years is the problem of non-affirmative coverage. “It could lead to significant losses for insurers despite not intending to provide coverage,” the paper states. “Property, liability and specialty insurance policies that are silent on cyber coverage may lead to losses from cyber incidents under non-cyber lines without having been explicitly underwritten or priced.”
They add that non-affirmative coverage is not a new issue. “Insurers’ underwriting policies and portfolio monitoring need to make explicit how cyber risk – affirmative or non-affirmative – is captured, constrained and reported against cyber and non-cyber underwriting limits.”
The paper is extensive, also focusing on silent artificial intelligence risks, underwriting and pricing, third-party risks, the existing protection gap, ways to address it and supervisory expectations.
“Supervisors may expect insurers to demonstrate how stress tests influence not only capital planning but also cyber pricing discipline and decisions to expand, restrict or withdraw underwriting capacity,” they write. The paper also encourages supervisors to closely monitor certain trends to ensure insurers’ risk management practices remain robust and adaptive.