Cyber risk has moved from the margins of operational risk management to the centre of economic and financial stability debates. In a deeply digitalised economy, cyber incidents no longer affect only IT departments. They can paralyse production, interrupt payment systems, disrupt supply chains, compromise sensitive data, trigger litigation and undermine trust in institutions. The FSI-IAIS analysis by Adrien Currat, Joe Perry and Jeffery Yong describes cyber insurance as a corporate digital safety net – but also makes clear that this safety net is under strain.
The core tension is stark: cyber risk is rising rapidly, while the insurance market covers only a fraction of the economic losses. According to the study, around 99% of global economic cyber losses remain uninsured. At the same time, the cyber insurance market faces structural difficulties: ambiguous coverage, limited data, volatile claims experience, accumulation risk, dependency on critical digital infrastructure and a protection gap that is particularly severe for small and medium-sized enterprises.
Cyber incidents can be malicious, such as ransomware, cyber-enabled fraud, data breaches and distributed denial-of-service attacks. They can also be non-malicious, such as human error, technical failure, software malfunction or cloud outage. Both categories matter. Malicious incidents continue to dominate cyber losses, but non-malicious failures are becoming more relevant as firms rely increasingly on cloud infrastructure, software platforms and interconnected service providers.
Fig. 01: Number and cost of cyber incidents [Source: Currat, Adrien / Perry, Joe / Yong, Jeffery (2026): Cyber insurance unpacked: the corporate digital safety net, FSI Insights on policy implementation, No 75, June 2026, Graph 1, p. 4]
The cyber insurance market is growing – but not fast enough
The global cyber insurance market has expanded considerably. The study reports global gross written premiums of USD 15.3 billion in 2024, roughly double the level recorded in 2020. North America remains the dominant market, accounting for around two thirds of global premiums, followed by Europe and Asia/Oceania.
Yet the market’s momentum has slowed. After sharp rate increases during the ransomware wave of the Covid-19 period, pricing has moderated, underwriting capacity has increased and US premiums declined for the first time in 2024. The result is an ambivalent market picture: cyber insurance has become a recognised corporate risk transfer instrument, but market growth remains far below the growth in cyber exposure.
Fig. 02: Cyber insurance market – gross written premiums by region and cyber exposure/rate change [Source: Currat, Adrien / Perry, Joe / Yong, Jeffery (2026): Cyber insurance unpacked: the corporate digital safety net, FSI Insights on policy implementation, No 75, June 2026, Graph 2, p. 6]
Insurance availability is improving, but demand is not keeping pace with the underlying risk. This is problematic because cyber risk is not a marginal cost item. Severe attacks can threaten liquidity, interrupt production, affect suppliers and, in extreme cases, contribute to insolvency.
Cyber insurance is not only a payout mechanism
The value of cyber insurance is broader than indemnification. Modern cyber policies often include access to incident response services, digital forensics, legal support, notification services, crisis communication, data restoration and specialist recovery assistance. These services can be decisive in the first hours and days after an attack.
In this sense, cyber insurance operates as an operational resilience instrument, not merely as a financial compensation product. Underwriting itself can also improve cyber hygiene. Insurers increasingly require minimum controls such as multifactor authentication, endpoint detection and response, patch management, backup procedures, network segmentation and oversight of third-party providers.
This creates a market-based incentive to strengthen cyber resilience. The study is careful, however, not to overstate this role: insurance must complement cyber resilience, not replace it.
Pricing cyber risk: the actuarial problem
Cyber insurance is difficult to price because cyber risk does not behave like traditional insurance risk. Historical data are scarce, fragmented and often not comparable. Many incidents are underreported due to reputational concerns, legal uncertainty or reporting thresholds. Even where data exist, they may quickly become outdated because threat actors, technologies and attack methods evolve rapidly.
Traditional actuarial models rely on relatively stable assumptions about frequency and severity. Cyber risk violates these assumptions. It is non-stationary, highly dependent on human behaviour and deeply interconnected. A single software vulnerability, cloud outage or supply-chain compromise can affect thousands of companies across sectors and jurisdictions.
Fig. 03: Average cyber insurance premium rates by size of business [Source: Currat, Adrien / Perry, Joe / Yong, Jeffery (2026): Cyber insurance unpacked: the corporate digital safety net, FSI Insights on policy implementation, No 75, June 2026, Graph 3, p. 6]
For this reason, insurers increasingly rely on scenario analysis, cyber catastrophe models, expert judgment and stress testing. These methods are not a technical refinement; they are a necessity in a market where past loss data cannot fully describe future systemic events.
Claims frequency stabilises, but severity rises
The study points to a nuanced claims picture. In major markets, claims frequency appears to be stabilising or declining in some segments, partly because insured firms have improved their cyber security controls. But average severity is rising, particularly for large corporates.
Business interruption, data breach costs, privacy litigation and recovery expenses can drive claim sizes sharply upward. This distinction matters for insurers and risk managers alike. A lower number of claims does not automatically imply a lower-risk environment.
Fig. 04: Frequency and average severity of cyber claims in the United States [Source: Currat, Adrien / Perry, Joe / Yong, Jeffery (2026): Cyber insurance unpacked: the corporate digital safety net, FSI Insights on policy implementation, No 75, June 2026, Graph 4, p. 7]
The cyber insurance challenge is not the average event. It is the correlated tail event: ransomware campaigns, cloud outages, widely exploited vulnerabilities, destructive malware or attacks against critical infrastructure. These events can trigger simultaneous losses across many policyholders and multiple insurance lines.
The coverage problem: where does cyber end?
Cyber insurance typically covers both first-party and third-party risks. First-party coverage includes direct losses such as incident response, business interruption, cyber extortion and data restoration. Third-party coverage responds to liabilities such as privacy claims, regulatory defence costs, network security liability and payment card liability.
Yet the boundaries of coverage remain complex. Coverage gaps often arise around contingent business interruption, cyber theft, fraud, physical damage, infrastructure failure, war, terrorism and state-sponsored attacks. These exclusions may be justified from a prudential perspective because insurers cannot absorb unlimited systemic losses. But from the policyholder’s perspective they can create uncertainty precisely when clarity is most needed.
Fig. 05: How a cyber incident can trigger insurance claims under different policies and potential overlaps [Source: Currat, Adrien / Perry, Joe / Yong, Jeffery (2026): Cyber insurance unpacked: the corporate digital safety net, FSI Insights on policy implementation, No 75, June 2026, Graph 5, p. 11]
Silent cyber, silent AI – and the next ambiguity
Cyber incidents may trigger claims not only under cyber policies, but also under property, liability, crime, directors and officers, and kidnap and ransom policies. This overlap is one reason why non-affirmative cyber risk – also known as silent cyber – remains a major supervisory concern. Silent cyber occurs when cyber coverage is neither explicitly included nor explicitly excluded.
The 2017 NotPetya event demonstrated the scale of the problem: the study notes that around 85% of insured losses were reported through property policies that had not been designed to cover cyber risk. Regulators and insurers have made progress in clarifying cyber coverage, but ambiguity persists, particularly where cyber incidents interact with state activity, infrastructure disruption, physical damage or AI-enabled attacks.
The study also introduces the emerging concept of silent AI. As artificial intelligence becomes embedded in business processes and cyber operations, AI-related losses may trigger claims under cyber, professional indemnity, directors and officers, product liability or property policies. The question is whether policy wordings have evolved quickly enough to address this new exposure. If they have not, AI could repeat the silent cyber problem under a new label.
Accumulation risk: the core underwriting challenge
Accumulation risk is perhaps the most important prudential issue in cyber insurance. It describes the possibility that one event or vulnerability triggers losses across many policyholders simultaneously. Cyber accumulation can arise through shared cloud providers, widely used software libraries, managed service providers, operating systems, critical infrastructure or AI service providers.
This is fundamentally different from many traditional insurance lines, where diversification across geography or policyholders reduces risk. In cyber insurance, diversification can be misleading. Two companies in different countries and sectors may still depend on the same cloud region, the same software component or the same managed service provider. A single failure can therefore become a portfolio-wide event.
Insurers manage this risk through limits, exclusions, sub-limits, coinsurance, reinsurance, exposure caps and scenario-based stress testing. But these are imperfect tools. The study emphasises that systemic cyber events could still threaten insurer solvency if accumulation risk is underestimated.
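The diversification point above can be made concrete with a small concentration check. The following Python is an added illustration, not code or data from the study: it runs over a constructed five-policy portfolio (insured names, limits and dependency labels are all invented) and compares the largest exposure aggregated by country with the largest exposure aggregated by shared digital dependency.

```python
from collections import defaultdict

# Constructed sample portfolio (not from the study). Each policy carries the
# insured's country, sector, limit in USD millions and the digital dependencies
# it relies on (cloud region, software component, managed service provider).
PORTFOLIO = [
    {"insured": "A", "country": "US", "sector": "retail", "limit": 10,
     "deps": {"cloud:region-east", "sw:erp-x", "msp:alpha"}},
    {"insured": "B", "country": "DE", "sector": "manufacturing", "limit": 25,
     "deps": {"cloud:region-east", "sw:erp-x"}},
    {"insured": "C", "country": "JP", "sector": "logistics", "limit": 15,
     "deps": {"cloud:region-west", "msp:alpha"}},
    {"insured": "D", "country": "US", "sector": "health", "limit": 20,
     "deps": {"cloud:region-east", "sw:ehr-y"}},
    {"insured": "E", "country": "FR", "sector": "finance", "limit": 30,
     "deps": {"cloud:region-east", "msp:beta"}},
]

def exposure_by(policies, key):
    """Aggregate policy limits by one attribute, e.g. country or sector."""
    agg = defaultdict(float)
    for p in policies:
        agg[p[key]] += p["limit"]
    return dict(agg)

def exposure_by_dependency(policies):
    """Aggregate limits per shared dependency: each entry is a single point
    of failure that would hit every listed insured at the same time."""
    agg = defaultdict(lambda: {"limit": 0.0, "insureds": []})
    for p in policies:
        for dep in p["deps"]:
            agg[dep]["limit"] += p["limit"]
            agg[dep]["insureds"].append(p["insured"])
    return dict(agg)

def worst_accumulation(policies):
    """Return (dependency, aggregate limit, insureds) for the largest
    correlated exposure in the portfolio."""
    dep = exposure_by_dependency(policies)
    name = max(dep, key=lambda d: dep[d]["limit"])
    return name, dep[name]["limit"], sorted(dep[name]["insureds"])

def diversification_illusion(policies):
    """Ratio of worst shared-dependency exposure to worst country exposure.
    A ratio above 1 means geographic diversification understates the
    accumulation the portfolio actually carries."""
    _, dep_max, _ = worst_accumulation(policies)
    country_max = max(exposure_by(policies, "country").values())
    return dep_max / country_max
```

In the constructed portfolio no country carries more than 30 of the 100 in limits, yet one cloud region carries 85, which is the kind of figure that exposure caps and scenario stress tests are meant to surface.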
The protection gap: the market’s unresolved policy problem
The cyber protection gap is large and likely to grow. The study estimates that only around 1% of global economic cyber losses are covered by cyber insurance. Coverage is particularly low among SMEs and in emerging market and developing economies. Large corporates dominate the market, but even they may face limits that fall short of plausible losses from major attacks or systemic disruptions.
The Munich Re survey results cited in the study show that the main reasons for not buying cyber insurance are price, lack of awareness, lack of understanding, insufficient scope of services and lack of trust. These are primarily demand-side barriers. The implication is important: the protection gap is not only caused by insurers refusing to provide capacity. It also reflects confusion, affordability constraints, product complexity and uncertainty about whether policies will respond in practice.
Fig. 06: Reasons for not taking cyber insurance [Source: Currat, Adrien / Perry, Joe / Yong, Jeffery (2026): Cyber insurance unpacked: the corporate digital safety net, FSI Insights on policy implementation, No 75, June 2026, Graph 6, p. 25]
Why SMEs remain underinsured
SMEs face a double disadvantage. They often lack the resources to build advanced cyber resilience, yet they are increasingly exposed to the same digital dependencies as larger firms. Many rely on cloud services, outsourced IT, software-as-a-service platforms and digital payment systems. But they may not have dedicated cyber security teams, legal expertise or brokers to navigate policy wording.
The study reports that in North America and Europe, 60% to 70% of large corporates purchase cyber cover, compared with only 10% to 20% of SMEs. This creates a macroeconomic vulnerability. If SMEs are underinsured and underprepared, cyber incidents can spread through supply chains, affect larger firms and weaken broader economic resilience.
Public-private partnerships: where private insurance reaches its limits
Not all cyber risks are commercially insurable. State-sponsored attacks, cyber terrorism, breakdowns of critical infrastructure and highly systemic vulnerabilities may exceed the risk-bearing capacity of private insurers. In these areas, the study argues that public-private partnerships may be necessary.
The protection-gap framework separates the gap into several layers: risks that are insurable and purchased, risks that are affordable but not purchased, risks that are unaffordable, and risks that are unavailable because of high uncertainty or correlated losses. This framework is useful because it avoids a simplistic conclusion. Some parts of the gap can be reduced through better products, education and pricing incentives. Other parts require public policy, backstops or cyber terrorism pools.
Fig. 07: Stylised illustration of the attribution of the cyber risk protection gap [Source: Currat, Adrien / Perry, Joe / Yong, Jeffery (2026): Cyber insurance unpacked: the corporate digital safety net, FSI Insights on policy implementation, No 75, June 2026, Graph 7, p. 28]
The role of supervisors and governments
Insurance supervisors have a delicate role. They must support a sustainable cyber insurance market without encouraging underpricing or excessive risk-taking. Risk-based pricing is central. If insurers price cyber risk properly, companies with stronger cyber hygiene should benefit from better terms, while weaker risks face higher premiums or stricter underwriting requirements.
Governments have a broader responsibility to reduce systemic cyber exposure. They can set minimum cyber hygiene standards, improve incident reporting, share non-sensitive threat intelligence, support SMEs and clarify whether public backstops will be available for extreme cyber events. But public support must be designed carefully. A fully government-funded ex post rescue mechanism could create moral hazard and weaken incentives for prevention.
The AI acceleration
Artificial intelligence intensifies both sides of the cyber equation. Defensive AI can help identify vulnerabilities, accelerate patching, improve monitoring and strengthen incident response. Offensive AI can automate reconnaissance, phishing, exploit development and social engineering.
The study therefore frames AI not simply as a new risk category, but as an amplifier of existing cyber insurance challenges: silent coverage, accumulation risk, underwriting uncertainty and protection gaps. Frontier cyber AI models are particularly relevant because they may compress the time between vulnerability discovery and exploitation.
Underwriting models based on annual questionnaires or static assessments may become insufficient. The market may need to move toward continuous cyber risk assessment, dynamic exposure monitoring and more granular mapping of software and third-party dependencies.
Conclusion: cyber insurance is necessary – but not sufficient
The FSI-IAIS study’s central message is balanced. Cyber insurance can strengthen corporate resilience, support recovery and contribute to financial stability. It can also incentivise better cyber hygiene and provide access to specialist services that many firms could not build internally. But cyber insurance cannot absorb all cyber risk, and it should not substitute for sound cyber resilience.
The future of the market depends on disciplined underwriting, clearer policy wording, robust accumulation risk management, better data, risk-based pricing and coordinated public-private action. The cyber insurance market must grow, but it must grow prudently. Otherwise, the very instrument designed to stabilise firms after cyber shocks could itself become a source of financial vulnerability.
Principal source
- Currat, Adrien / Perry, Joe / Yong, Jeffery (2026): Cyber insurance unpacked: the corporate digital safety net, FSI Insights on policy implementation, No 75, Financial Stability Institute / International Association of Insurance Supervisors, June 2026.