The EU cyber insurance market in the run-up to GDPR implementation

Cyber-risk insurance is becoming an increasingly significant part of insurance programs for corporate clients.

On the one hand, this is driven by fundamental technological changes in the main ways of doing business. Digital technologies can significantly reduce costs, improve business efficiency and open up completely new opportunities in many areas.

On the other hand, along with these positive changes, the level of cyber threats is also growing. In 2016, the damage to world business from cyber-attacks was estimated at USD 450 bn. (Graham, 2017), while cyber risks ranked third in importance for business (Allianz, 2017).

Cyber-risk insurance has also shown significant growth over the past few years. However, for a more accurate understanding of the prospects of this market, it is necessary to outline its main segments, which differ fundamentally in the nature of the risks and the level of maturity.

Cyber-risk policyholders can be divided into the following groups:

• companies processing large amounts of personal data (telecom and media companies, health care, education, etc.);

• critical infrastructure companies (energy, communications);

• companies whose business is based on online transactions (retail, payment systems, financial institutions);

• a combination of the above (transport companies, health care).

The main driver of the growth of cyber insurance is the segment associated with the protection of personal data. At the same time, the largest losses are observed and expected in the financial sector and critical infrastructure companies. Thus, at this stage of the development of the cyber insurance market, there is a clear imbalance between the needs of policyholders and the capabilities of the insurance market.

The reason for the apparent imbalance may be that the development of an insurance market in this direction requires conscious demand that has been assessed both qualitatively and quantitatively. If we accept the hypothesis of two opposite causes of insurance market growth, "demand following" and "supply leading" (Outreville, 2013), then, without going into detailed hypothesis testing, we can attribute the cyber-risk market at its current stage to the first group. Therefore, the growth of the cyber-risk insurance market is currently a consequence of the corresponding demand.

We can support our assumption with the example of data breach insurance in the United States.

The growth of the US cyber insurance market in 2011-2015 was due to the introduction of legislation in most states requiring appropriate security measures to protect against cyber risks and the reporting of serious breaches to national authorities. This led to an increase in demand for cyber insurance products covering personal data breaches.

Data leaks became better identified and recorded, which enabled analysis of the related data. Figure 1 shows a clear upward trend of identified personal data leaks and the synchronous growth of the cyber-risk insurance market.

Between 2011 and 2015, when most states actively introduced data breach legislation, the cyber-risk market demonstrated an annual growth rate of about 30%. S. Romanosky (2016), in his research, gives somewhat different data on the dynamics of detected data leaks. Figure 2 shows a moderate decrease in the total number of disclosed personal data breaches.

Figure 3 shows a similar trend in respect of the average size of the claimed loss for cybersecurity policies.

After initial growth, there is a slight decrease in the amount and average severity of the reported losses.

This may indicate the positive effect of personal data breach legislation and the increasing maturity of information security management processes in insured companies.

Along with the policyholders, who were actively engaged in the information security of their companies, insurers also learned how to deal with the new line of business. The effect of their effort is shown by the cost dynamics in Figure 4. Insurers spent less on Crisis Services Costs, such as forensics, credit card monitoring services, notification services for victims, legal support and PR services.

Thus, judging by these trends, we can talk about the growing maturity of the cyber insurance market in the US. This process takes place simultaneously for both policyholders and insurers.

Policyholders pay more attention to cybersecurity and reduce the risk of personal data breaches. This leads to a better understanding of cyber risks and of the necessary conditions for cyber insurance policies.

Insurance companies, for their part, gain experience in claims settlement, improve policy terms, and work out their interaction with crisis services providers.

There is also a recent trend towards increasing demand for cyber insurance among medium-sized companies and small businesses.

European Opportunities

For European companies, the situation in the cyber insurance market before the adoption of the GDPR is quite similar to the market conditions in the US in 2011. The total volume of the cyber insurance market is estimated at about USD 135m (AON, 2017). The main policyholders are large companies with a turnover of more than USD 1bn. These are generally financial institutions, large retailers and hotel sector companies. Cover for cyber-extortion and business interruption accounts for most of the demand (AON, 2017).

However, there are several significant differences from the US experience.

First, during the past 7 years global business has faced many serious cyber-incidents, which affected the activities of many companies and made management aware of the possible consequences of such events.

Secondly, the implementation of the European GDPR regulation and the serious fines for its violation became known long before May 25, 2018. Consequently, European business had enough time and incentives to prepare and ensure the information security of its companies.

The third difference is that the world's leading insurers now have significant shares of both the American and European markets. They are ready to apply the experience from the United States to the insurance of European companies in the field of personal data protection in accordance with GDPR.

All these prerequisites can help EU insurers to get through the infancy of the cyber insurance market with lower losses and in less time. However, there might be some difficulties because of a weaker cybersecurity culture among European companies, as well as some unresolved issues regarding insurance coverage under GDPR.

Critical infrastructure companies

Critical infrastructure enterprises often need insurance coverage for cyber risks even more than personal data operators do. Such enterprises can suffer considerable material losses due to cyber incidents and, what is more dangerous, severe damage, including damage to life and health, can be caused to third parties. Despite this, only a relatively small number of such companies are currently buying cyber-risk insurance policies.

Insurance is only one of the elements in building a cyber security system for enterprises. Technical and organizational measures to prevent cyber threats should always be a top priority. However, the current situation with cybercrime prevention is far from ideal. The requirements of the NIS Information Security Directive for Operators of Essential Services (OES) and Digital Service Providers (DSP) will take effect on May 10, 2018. According to a recent study (Honeywell, 2017), 45% of 130 surveyed industrial enterprises do not have an information security specialist on their staff, 60% do not monitor suspicious network activity, while 53% of respondents have been a victim of cyberattacks at least once.

It is obvious that companies that are not aware of the cyber threat and are not working on reducing cyber risks are far from thinking about insurance protection for such events.

If we accept the demand-following hypothesis, the demand for cyber insurance in this segment of policyholders is still at the formation stage.

Online Business

In terms of demand for cyber insurance products, online services and financial institutions are in a much more advanced state than industrial enterprises. Unlike the latter, this category of policyholders suffers from insufficient supply.

Companies in this sector are most vulnerable to cyberattacks. Banks and insurance companies are vulnerable to direct material losses. Moreover, there is a significant risk of cumulation. Recent examples are the cyberattack targeting systems operated by Domain Name System (DNS) provider DYN on October 21, 2016, and the Amazon S3 Service Disruption on February 28, 2017. Because of these incidents, clients of both companies suffered significant losses, once again proving that it is not necessary to be the target of a cyberattack to suffer from it.

In addition to cumulation, the main risk for online services is business interruption. Policyholders require insurance protection for a large amount of intangible assets, since the cost of tangible assets of online companies is relatively small.

Both circumstances significantly restrain the supply of cyber insurance products for online business.

Cyber liability or data breach insurance is currently the flagship of cyber insurance. This is the most massive segment, which allows both policyholders and insurers to gain the necessary experience as well as to understand and assess risks. This is the first step that will allow all market participants to move on to other types of cyber insurance, both those that already exist and those that might emerge in the future. In view of this, implementation of the GDPR shall significantly increase insurance protection of EU business against cyber threats.


  1. Graham, L. 2017. Cybercrime costs the global economy USD450 billion [online]. CNBC Cyber Security. Available at:
  2. Allianz Risk Barometer, 2017.
  3. Outreville, J. F. (2013). The Relationship between Insurance and Economic Development: 85 Empirical Papers for a Review of the Literature. Risk Management and Insurance Review, 16(1), 71-122.
  4. S. Romanosky, «Examining the costs and causes of cyber incidents» Journal of Cybersecurity, Volume 2, Issue 2, pp. 121-135, December 2016.
  5. Net Diligence, «2017 Cyber claims study» 2017.
  6. AON Inpoint. Global Cyber Market Overview. Uncovering the Hidden Opportunities. June 2017.
  7. Honeywell. Putting Industrial Cyber Security at the Top of the CEO Agenda. December 2017.
Larisa SACHENKO, Expert
