The EU cyber insurance market in the run-up to GDPR implementation

Cyber-risk insurance is becoming an increasingly significant part of insurance programs for corporate clients.

On the one hand, this is driven by fundamental technological changes in the main ways of doing business. Digital technologies can significantly reduce costs, improve business efficiency and open up completely new opportunities in many areas.

On the other hand, along with these positive changes, the level of cyber threats is also growing. In 2016, the damage to world business from cyber-attacks was estimated at USD 450 bn (Graham, 2017), while cyber risks ranked third in importance for business (Allianz, 2017).

Cyber-risk insurance has also shown significant growth over the past few years. However, for a more accurate understanding of the prospects of this market, it is necessary to outline its main segments, which are fundamentally different in terms of the nature of the risks and the level of maturity.

Cyber-risk policyholders can be divided into the following groups:

• companies processing large amounts of personal data (telecom and media companies, health care, education, etc.);

• critical infrastructure companies (energy, communications);

• companies whose business is based on online transactions (retail, payment systems, financial institutions);

• a combination of the above (transport companies, health care).

The main driver of the growth of cyber insurance is the segment associated with the protection of personal data. At the same time, the largest losses are observed and expected in the financial sector and critical infrastructure companies. Thus, at this stage of the development of the cyber insurance market, there is a clear imbalance between the needs of policyholders and the capabilities of the insurance market.

The reason for the apparent imbalance may be that the development of an insurance market in this direction requires the generation of conscious demand that has been estimated both qualitatively and quantitatively. If we assume the hypothesis of two differently directed causes of insurance market growth, "demand following" and "supply leading" (Outreville, 2013), then, without going into detailed hypothesis testing, we can attribute the cyber-risk market at its current stage to the first group. Therefore, the growth of the cyber-risk insurance market is currently a consequence of the corresponding demand.

We can support our assumption with the example of data breach insurance in the United States.

The growth of the US cyber insurance market in 2011-2015 was due to the introduction of legislation in most states requiring appropriate security measures to protect against cyber risks and the reporting of serious breaches to national authorities. This led to an increase in demand for cyber insurance products covering personal data breaches.

Data leaks became better identified and recorded, which enabled analysis of the related data. Figure 1 shows a clear upward trend of identified personal data leaks and the synchronous growth of the cyber-risk insurance market.

Between 2011 and 2015, when most states actively introduced data breach legislation, the cyber-risk market demonstrated an annual growth rate of about 30%. S. Romanosky (2016) gives somewhat different data in his research on the dynamics of detected data leaks. Figure 2 shows a moderate decrease in the total number of disclosed personal data breaches.

Figure 3 shows a similar trend in respect of the average size of the claimed loss for cybersecurity policies.

After initial growth, there is a slight decrease in the amount and average severity of the reported losses.

This may indicate the positive effect of personal data breach legislation and the increasing maturity of information security management processes in insured companies.

Along with the policyholders, who were actively engaged in the information security of their companies, insurers also learned how to deal with the new line of business. The effect of their effort is shown by the cost dynamics in Figure 4. Insurers spent less on Crisis Services Costs, such as forensics, credit card monitoring services, notification services for victims, legal support and PR services.

Thus, judging by these trends, we can talk about the growing maturity of the cyber insurance market in the US. This process takes place simultaneously for both policyholders and insurers.

Policyholders pay more attention to cybersecurity and reduce the risk of personal data breaches. This leads to a better understanding of cyber risks and of the necessary conditions for cyber insurance policies.

Insurance companies, for their part, gain experience in claims settlement, improve policy terms, and work out their interaction with crisis services providers.

There is also a recent trend towards increasing demand for cyber insurance among medium-sized companies and small businesses.

European Opportunities

For European companies, the situation in the cyber insurance market before the adoption of the GDPR is quite similar to the market conditions in the US in 2011. The total volume of the cyber insurance market is estimated at about USD 135m (AON, 2017). The main policyholders are large companies with a turnover of more than USD 1bn. These are generally financial institutions, large retailers and hotel sector companies. Cover for cyber-extortion and business interruption accounts for most of the demand (AON, 2017).

However, there are several significant differences from the US experience.

First, during the past 7 years global business has faced many serious cyber-incidents, which affected the activities of many companies and made management aware of the possible consequences of such events.

Secondly, the implementation of the European GDPR regulation and the serious fines for its violation became known long before May 25, 2018. Consequently, European business had enough time and incentives to prepare and ensure the information security of its companies.

The third difference is that the world's leading insurers now have significant shares of both American and European markets. They are ready to apply the experience from the United States to the insurance of European companies in the field of personal data protection in accordance with GDPR.

All these prerequisites can help EU insurers pass through the infant period of the cyber insurance market with lower losses and in less time. However, there might be some difficulties because of the lower culture of cybersecurity among European companies, as well as some unclarified issues regarding insurance coverage under the GDPR.

Critical infrastructure companies

Critical infrastructure enterprises frequently require insurance coverage for cyber risks even more than personal data operators do. Such enterprises can suffer considerable material losses due to cyber incidents and, what is more dangerous, severe damage, including damage to life and health, can be caused to third parties. Despite this, only a relatively small number of such companies are currently buying cyber-risk insurance policies.

Insurance is only one of the elements in building a cyber security system for enterprises. Technical and organizational measures to prevent cyber threats should always be a top priority. However, the current situation with cybercrime prevention is far from ideal. Requirements of the NIS Information Security Directive for Operators of Essential Services (OES) and Digital Service Providers (DSP) will take effect on May 10, 2018. According to a recent study (Honeywell, 2017), 45% of 130 surveyed industrial enterprises do not have an information security specialist on staff, 60% do not monitor suspicious network activity, and 53% of respondents have been a victim of cyberattacks at least once.

It is obvious that companies that are not aware of cyber threats and are not working on reducing cyber risks are far from thinking about insurance protection for such events.

If we assume the "demand following" hypothesis, the demand for cyber insurance in this segment of policyholders is still at the formation stage.

Online Business

In terms of demand for cyber insurance products, online services and financial institutions are in a much more advanced state than industrial enterprises. Unlike the latter, this category of policyholders suffers from insufficient supply.

Companies in this sector are most vulnerable to cyberattacks. Banks and insurance companies are vulnerable to direct material losses. Moreover, there is a significant risk of cumulation. Recent examples are the cyberattack targeting systems operated by Domain Name System (DNS) provider DYN on October 21, 2016, and the Amazon S3 Service Disruption on February 28, 2017. Because of these incidents, clients of both companies suffered significant losses, once again proving that it is not necessary to be the target of a cyberattack to suffer from it.

In addition to cumulation, the main risk for online services is business interruption. Policyholders require insurance protection for a large amount of intangible assets, since the cost of tangible assets of online companies is relatively small.

Both circumstances significantly restrain the supply of cyber insurance products for online business.

Cyber liability or data breach insurance is currently the flagship of cyber insurance. This is the broadest segment, which allows both policyholders and insurers to gain the necessary experience as well as to understand and assess risks. This is the first step that will allow all market participants to move on to other types of cyber insurance, both those that already exist and those that might emerge in the future. In view of this, implementation of the GDPR will significantly increase the insurance protection of EU business against cyber threats.


  1. Graham, L. (2017). Cybercrime costs the global economy USD450 billion [online]. CNBC Cyber Security. Available at:
  2. Allianz Risk Barometer, 2017.
  3. Outreville, J. F. (2013). The Relationship between Insurance and Economic Development: 85 Empirical Papers for a Review of the Literature. Risk Management and Insurance Review, 16(1), 71-122.
  4. Romanosky, S. (2016). "Examining the costs and causes of cyber incidents". Journal of Cybersecurity, Volume 2, Issue 2, pp. 121-135, December 2016.
  5. Net Diligence. "2017 Cyber claims study". 2017.
  6. AON Inpoint. Global Cyber Market Overview. Uncovering the Hidden Opportunities. June 2017.
  7. Honeywell. Putting Industrial Cyber Security at the Top of the CEO Agenda. December 2017.

Larisa SACHENKO, Expert
