Table of Contents

  • The digital transformation of economic activities is creating significant opportunities for innovation, convenience and efficiency. However, as recent major incidents have highlighted, a growing reliance on digital technologies comes with digital security and privacy protection risks. This presents policy makers with the challenge of finding an appropriate balance between addressing these risks and allowing sufficient space for achieving the economic and societal benefits of digitalisation. The role of the nascent cyber insurance market in enhancing cyber resilience is increasingly being recognised by policy makers.

  • Economic and commercial operations have become increasingly reliant on digital technologies which face a constant threat of disruption due to human error or malicious attacks. The potential for serious economic and commercial repercussions, illustrated most recently in the millions of compromised records at Yahoo and Equifax, the disruption of major websites by a denial-of-service attack on Dyn and the hundreds of thousands of computers compromised by the WannaCry and NotPetya ransomware attacks, has meant increasing investment in safeguarding the confidentiality, integrity and availability of information and information systems.

  • This chapter provides an overview of the context for this study, notably the increasing concerns about the implications of cyber risk, as well as some information on the survey undertaken for the purposes of informing this report. It also describes the potential contribution of insurance to managing cyber risk through: (i) supporting the quantification of cyber exposure; (ii) providing expertise on risk management and prevention; (iii) facilitating access to crisis management services; and (iv) encouraging risk reduction through premium pricing.

  • This chapter provides an overview of the different types of cyber incidents, based on a categorisation approach developed by the CRO Forum, as well as the types of losses that may result from these incidents. Where available, data is presented on the magnitude of losses from past incidents including trends in the magnitude of losses and some of the drivers of cost variations across different countries (such as differences in terms of notification requirements).

  • This chapter provides an overview of the cyber insurance market, including the types of losses that are commonly covered across stand-alone cyber insurance policies and traditional policies and also the losses that are more difficult to cover. It provides some data on the size of the stand-alone cyber insurance market, penetration levels and pricing, as well as information on how insurers underwrite cyber insurance coverage and the additional risk mitigation and crisis response services that are often offered with cyber insurance policies.

  • This chapter provides an overview of the main challenges to the development of the cyber insurance market in terms of both insurers' willingness to provide coverage and the demand from companies to acquire insurance coverage. The lack of historical experience and evolving nature of cyber risk create significant challenges for quantifying cyber risk. These challenges, along with concerns about the potential for accumulation risk, lead to higher prices and limited coverage levels. At the same time, the complexity of stand-alone cyber insurance policies, as well as the potential for coverage of cyber risk in traditional policies, leads to significant misunderstanding about the insurance coverage available for cyber risk. There are also concerns about whether cyber insurance policies are responding to the most pressing needs of policyholders.

  • This chapter examines ways to address the challenges that impede the development of the cyber insurance market. The development of probabilistic models for cyber risk could improve underwriting and reduce uncertainty, although this will require improved data on past incidents and their impact as well as on the relative effectiveness of security policies and practices. There are several potential sources of data that could support probabilistic modelling and a few initiatives aimed at sharing this data within the insurance sector and between the government and the private sector. However, a lack of harmonisation limits the contribution of these efforts. The insurance sector and governments in several countries are also examining ways to improve understanding of the insurance coverage available for cyber risk, and at least one country has implemented a regulatory intervention to encourage greater transparency.

  • This chapter provides a set of recommendations on policy and regulatory measures that could be implemented to improve the development of the cyber insurance market. Governments could contribute to the availability of data on past cyber incidents, forward-looking analyses on the changing nature of the risk and on the effectiveness of security practices, including through the development or promotion of cyber security standards. Governments should also closely monitor market developments and consider whether there is a need to intervene to encourage greater clarity on coverage or to support the management of accumulation risk.