The EU cyber insurance market in the run-up to GDPR implementation

Cyber-risk insurance is becoming an increasingly significant part of insurance programs for corporate clients.

On the one hand, this is driven by fundamental technological changes in the way business is done. Digital technologies can significantly reduce costs, improve business efficiency and open up completely new opportunities in many areas.

On the other hand, along with these positive changes, the level of cyber threats is also growing. In 2016, the damage to world business from cyber-attacks was estimated at USD 450 bn (Graham, 2017), while cyber risks ranked third in importance for business (Allianz, 2017).

Cyber-risk insurance has also shown significant growth over the past few years. However, to understand the prospects of this market more accurately, it is necessary to outline its main segments, which differ fundamentally in the nature of the risks and in their level of maturity.

Cyber-risk policyholders can be divided into the following groups:

• companies processing large amounts of personal data (telecom and media companies, health care, education, etc.);

• critical infrastructure companies (energy, communications);

• companies whose business is based on online transactions (retail, payment systems, financial institutions);

• a combination of the above (transport companies, health care).

The main driver of the growth of cyber insurance is the segment associated with the protection of personal data. At the same time, the largest losses are observed and expected in the financial sector and critical infrastructure companies. Thus, at this stage of the development of the cyber insurance market, there is a clear imbalance between the needs of policyholders and the capabilities of the insurance market.

The reason for the apparent imbalance may be that the development of an insurance market in this direction requires conscious demand that has been assessed both qualitatively and quantitatively. If we accept the hypothesis of two opposite drivers of insurance market growth, "demand following" and "supply leading" (Outreville, 2013), then, without going into detailed hypothesis testing, we can attribute the cyber-risk market at its current stage to the first group. The growth of the cyber-risk insurance market is therefore currently a consequence of the corresponding demand.

We can support our assumption with the example of data breach insurance in the United States.

The growth of the US cyber insurance market in 2011-2015 was due to the introduction of legislation in most states requiring companies to take appropriate security measures to protect against cyber risks and to report serious breaches to national authorities. This led to an increase in demand for cyber insurance products covering personal data breaches.

Data leaks became better identified and recorded, which enabled analysis of the related data. Figure 1 shows a clear upward trend of identified personal data leaks and the synchronous growth of the cyber-risk insurance market.

Between 2011 and 2015, when most states were actively introducing data breach legislation, the cyber-risk market demonstrated an annual growth rate of about 30%. S. Romanosky (2016) gives somewhat different data in his research on the dynamics of detected data leaks. Figure 2 shows a moderate decrease in the total number of disclosed personal data breaches.

Figure 3 shows a similar trend in respect of the average size of the claimed loss for cybersecurity policies.

After initial growth, there is a slight decrease in the amount and average severity of the reported losses.

This may indicate the positive effect of personal data breach legislation and the increasing maturity of information security management processes in insured companies.

Along with the policyholders, who were actively engaged in the information security of their companies, insurers also learned how to deal with the new line of business. The effect of their efforts is shown by the cost dynamics in Figure 4. Insurers spent less on crisis services costs, such as forensics, credit card monitoring services, notification services for victims, legal support and PR services.

Thus, judging by these trends, we can speak of the growing maturity of the cyber insurance market in the US. This process is taking place simultaneously for both policyholders and insurers.

Policyholders pay more attention to cybersecurity and reduce the risk of personal data breaches. This leads to a better understanding of cyber risks and necessary conditions for cyber insurance policies.

Insurance companies, for their part, gain experience in claims settlement, improve policy terms, and work out their interaction with crisis services providers.

There is also a recent trend towards increasing demand for cyber insurance among medium-sized companies and small businesses.

European Opportunities

For European companies, the situation in the cyber insurance market before the adoption of the GDPR is quite similar to market conditions in the US in 2011. The total volume of the cyber insurance market is estimated at about USD 135m (AON, 2017). The main policyholders are large companies with a turnover of more than USD 1bn. These are generally financial institutions, large retailers and hotel sector companies. Cover for cyber-extortion and business interruption accounts for most of the demand (AON, 2017).

However, there are several significant differences from the US experience.

First, during the past 7 years businesses worldwide have faced many serious cyber-incidents, which affected the activities of many companies and made management aware of the possible consequences of such events.

Secondly, the implementation of the European GDPR regulation and the serious fines for violating it became known long before May 25, 2018. Consequently, European businesses had enough time and incentives to prepare and to ensure the information security of their companies.

The third difference is that the world's leading insurers now have significant shares of both the American and European markets. They are ready to apply their experience from the United States to the insurance of European companies in the field of personal data protection in accordance with the GDPR.

All these prerequisites can help EU insurers get through the infancy of the cyber insurance market with lower losses and in less time. However, there may be some difficulties owing to the weaker cybersecurity culture among European companies, as well as some unresolved issues regarding insurance coverage under the GDPR.

Critical infrastructure companies

Critical infrastructure enterprises frequently need insurance coverage for cyber-risks even more than personal data operators do. Such enterprises can suffer considerable material losses due to cyber incidents and, what is more dangerous, severe damage, including damage to life and health, can be caused to third parties. Despite this, only a relatively small number of such companies currently buy cyber-risk insurance policies.

Insurance is only one of the elements in building a cyber security system for enterprises. Technical and organizational measures to prevent cyber threats should always be a top priority. However, the current situation with cybercrime prevention is far from ideal. The requirements of the NIS Information Security Directive for Operators of Essential Services (OES) and Digital Service Providers (DSP) will take effect on May 10, 2018. According to a recent study (Honeywell, 2017), 45% of 130 surveyed industrial enterprises do not have an information security specialist on their staff, 60% do not monitor suspicious network activity, while 53% of respondents have been a victim of cyberattacks at least once.

It is obvious that companies that are not aware of the cyber threat and are not working on reducing cyber risks are far from thinking about insurance protection against such events.

If we accept the demand-following hypothesis, the demand for cyber insurance in this segment of policyholders is still at the formation stage.

Online Business

In terms of demand for cyber insurance products, online services and financial institutions are in a much more advanced state than industrial enterprises. Unlike the latter, this category of policyholders suffers from insufficient supply.

Companies in this sector are the most vulnerable to cyberattacks. Banks and insurance companies are vulnerable to direct material losses. Moreover, there is a significant risk of cumulation. Recent examples are the cyberattack targeting systems operated by Domain Name System (DNS) provider Dyn on October 21, 2016, and the Amazon S3 Service Disruption on February 28, 2017. Because of these incidents, clients of both companies suffered significant losses, once again proving that it is not necessary to be the target of a cyberattack to suffer from it.

In addition to cumulation, the main risk for online services is business interruption. Policyholders require insurance protection for a large amount of intangible assets, since the cost of the tangible assets of online companies is relatively small.

Both circumstances significantly restrain the supply of cyber insurance products for online business.

Cyber liability or data breach insurance is currently the flagship of cyber insurance. This is the most widespread segment, which allows both policyholders and insurers to gain the necessary experience as well as to understand and assess risks. This is the first step that will allow all market participants to move on to other types of cyber insurance: those that already exist and those that might emerge in the future. In view of this, implementation of the GDPR should significantly increase the insurance protection of EU business against cyber threats.


  1. Graham, L. (2017). Cybercrime costs the global economy USD450 billion [online]. CNBC Cyber Security. Available at:
  2. Allianz Risk Barometer, 2017.
  3. Outreville, J. F. (2013). The Relationship between Insurance and Economic Development: 85 Empirical Papers for a Review of the Literature. Risk Management and Insurance Review, 16(1), 71-122.
  4. Romanosky, S. (2016). Examining the costs and causes of cyber incidents. Journal of Cybersecurity, 2(2), 121-135, December 2016.
  5. Net Diligence. 2017 Cyber claims study. 2017.
  6. AON Inpoint. Global Cyber Market Overview. Uncovering the Hidden Opportunities. June 2017.
  7. Honeywell. Putting Industrial Cyber Security at the Top of the CEO Agenda. December 2017.

Larisa SACHENKO, Expert
