Reinsurance News

Bridging the cyber protection gap for EU policymakers: Insurance Europe

4th November 2024 - Author: Beth Musselwhite

A recent publication by Insurance Europe outlines policy recommendations for EU policymakers aimed at strengthening the insurance industry’s cyber resilience across Europe in response to a significant protection gap.

The global cyber insurance market has experienced rapid growth, increasing from an estimated $5.9 billion in 2019 to $14 billion in 2023, with projections suggesting it could reach $29 billion by 2027, according to Munich Re.

This growth has been driven by the rising frequency and severity of cyberattacks, which surged by 38% globally between 2022 and 2023. These attacks encompass various threats, including ransomware, malware, phishing, wiperware, and the exploitation of cloud vulnerabilities. Moreover, cyberattacks are becoming increasingly sophisticated and easier to execute, particularly with the assistance of artificial intelligence.

Cyberattacks can inflict severe damage on businesses, leading to business interruption, system shutdowns, and data breaches. Consequently, the European insurance industry plays a crucial role in supporting the EU’s efforts to enhance cyber resilience and competitiveness.

However, a significant protection gap currently exists, estimated at $0.9 trillion annually. Underinsurance is also a critical issue, with cybersecurity firm CYE reporting an average coverage gap of 350% among surveyed companies in 2024. This indicates that the costs incurred from a breach are estimated to be three times greater than the insurance coverage those companies maintain.

The publication identifies five challenges complicating the quantification and assessment of cyber risks: uncertainty around potential future losses, highly correlated risks due to widespread use of certain operating systems, limited data on cyber incidents and losses, increasingly intangible losses, and systemic catastrophic cyber risks.

To address these challenges, the publication outlines several policy recommendations for EU policymakers to enhance the insurance sector’s role in bolstering cyber resilience.

These recommendations include raising awareness about cyber risks and mitigation strategies, as fostering a culture of cyber risk awareness among citizens, businesses, and public authorities is vital for improving resilience.

Facilitating actions to make cyber incident data available to insurers is another key recommendation, as the lack of available data poses a major barrier to the development of the cyber insurance market. This data could help the insurance industry better understand cyber risks.

The publication also emphasises the importance of public-private cooperation in addressing catastrophic risks, advocating for open dialogue and collaboration to develop solutions for large and complex risks.

Additionally, it cautions against mandatory insurance schemes and standardisation, as these may not meet the specific needs of policyholders, potentially leading to excessive or insufficient coverage. Standardised products can also limit insurers’ flexibility to tailor policies to clients’ risks or adapt policy language to reflect evolving threats.

Lastly, it advises against paying ransoms during cyberattacks, encouraging companies to report incidents to the authorities instead, as attackers are often part of organised crime networks.