Close this search box.

We are creating some awesome events for you. Kindly bear with us.

OECD report outlines policy priorities for supporting development of cyber insurance market

OECD report outlines policy priorities for supporting development of cyber insurance market

The Organization for Economic Co-operation and Development (OECD) released a report on ‘Supporting an effective cyber insurance market’ on May 13. The report was prepared for the G7 Finance Ministers and Central Bank Governors meeting on 11-13 May 2017. 

Types of coverage

The report looks at coverage as a stand-alone policy, as a specific endorsement on existing policies or as part of traditional coverages without a specific endorsement.

Cyber-related losses are sometimes excluded from property, crime, kidnap and ransom, liability and other traditional insurance policies. The report notes that exclusions could be in the form of general exclusions of all losses resulting from a cyber-attack or incident or exclusions applied to exclude liability related to data breaches or data restoration. Most stand-alone cyber insurance policies have been developed to close the gaps arising from these inclusions and from the requirement that there be property damage in order for business interruption coverage to be triggered.

Where mentioned exclusions are applied, there might be coverage from traditional insurance policies. This may be explicitly understood by the insurer and policyholder, for example through the inclusion of a specific endorsement providing such coverage. While in other cases, it might take a claim dispute and/or litigation to “discover” the coverage.

Potential coverage for cyber risk in traditional policies (Source: Supporting an effective cyber insurance market, Figure 1)

Challenges in immature market

The stand-alone cyber insurance market reached an estimated USD 3.5 billion in written premiums in 2016. Approximately USD 3 billion was written on behalf of US-based companies and USD 300 million was written on behalf of European companies (miniscule in comparison with USD 373 billion and USD 230 billion of gross written premiums in the motor vehicle and fire/property insurance lines respectively in the G7 countries during 2015).

Take up of commercial property and liability insurance coverage potentially approaches 100% of all businesses in most mature insurance markets. In contrast, only 20% to 35% of all US companies have specific (stand-alone or endorsed) cyber insurance coverage. In Europe and UK, an estimated 20% to 25% of mid-to-large companies (which have a broker) have purchased specific cyber insurance. Few companies have assessed the potential financial impact of a cyber-incident.

There are broad differences in coverage available from different insurers and policies may not be covering some important losses.  

         The report cites examples which are rarely covered in either stand-alone cyber policies or traditional insurance policies, such as a large privacy breach or loss of value of intellectual property due to its theft through cyber-espionage. In both cases, the key impediment to coverage is the difficulty in quantifying the value of the future business that has been lost due to reputational damage or the reduced ability to exploit the commercial value of intellectual property.

Premiums for cyber insurance per million in coverage has been estimated to be three times more expensive than general liability coverage and six times more expensive than property coverage. Reasonable pricing is hindered by the absence of historical data and collection of data is obstructed by the continuing reluctance of victims of cyber incidents to share information on these events and their impacts.

Another factor for the pricing is the high potential for cyber-related losses to be correlated across insured entities, where a number of insured companies are affected by the same or same type of incident, such as through use of commonly-used software with a vulnerability or attacks on common information technology infrastructure, such as a cloud service provider.

Policy priorities 

Better, more comprehensive data on the frequency and impact of cyber incidents would be essential for quantifying exposures. This would provide more confidence in the underwriting of insurance coverage for cyber risk, thereby supporting availability and affordability.

The report states that  the development of a more comprehensive data set on cyber incidents would most probably require 1) a common classification of cyber incidents and types of losses; 2) a trusted party (e.g. government agency) to collect and report the data; and 3) incentives or requirements for reporting by companies affected by cyber incidents and insurance companies that have paid related claims.

There are ongoing initiatives in the insurance sector and in individual countries. The OECD is also exploring these issues as part of its work on improving the evidence base on cybersecurity and privacy policy-making. This report on ‘Supporting an effective cyber insurance market’ is part of a larger report being developed by the OECD on cyber risk insurance. The project was initiated in April 2016 and is expected to produce three reports: Cyber risk insurance: the market and nature of available insurance coverage; Awareness of cyber risks and the role of insurance in risk measurement, mitigation and prevention; and Regulatory and policy issues relevant to the development cyber insurance markets. 

         Most governments have adopted national cybersecurity or digital security strategies. But they do not always address cybersecurity as an economic and social risk management issue. National strategies could provide incentives for businesses to measure and manage their exposure to cyber risk. They could also consider the benefit of further co-operation and coordination between government bodies in charge of cyber security, which could include insurance regulators.

The report says that governments can also play a role in ensuring that clarity is provided on the extent of coverage for cyber risk included in stand-alone and traditional policies. This could be done by encouraging the insurance and policyholder communities to develop a common understanding about the appropriate place for cyber coverage and/or establishing requirements for insurers to provide greater transparency on the coverage provided and losses that are excluded).

Read the full report here.


Qlik’s vision is a data-literate world, where everyone can use data and analytics to improve decision-making and solve their most challenging problems. A private company, Qlik offers real-time data integration and analytics solutions, powered by Qlik Cloud, to close the gaps between data, insights and action. By transforming data into Active Intelligence, businesses can drive better decisions, improve revenue and profitability, and optimize customer relationships. Qlik serves more than 38,000 active customers in over 100 countries.


As a Titanium Black Partner of Dell Technologies, CTC Global Singapore boasts unparalleled access to resources.

Established in 1972, we bring 52 years of experience to the table, solidifying our position as a leading IT solutions provider in Singapore. With over 300 qualified IT professionals, we are dedicated to delivering integrated solutions that empower your organization in key areas such as Automation & AI, Cyber Security, App Modernization & Data Analytics, Enterprise Cloud Infrastructure, Workplace Modernization and Professional Services.

Renowned for our consulting expertise and delivering expert IT solutions, CTC Global Singapore has become the preferred IT outsourcing partner for businesses across Singapore.


Planview has one mission: to build the future of connected work. Our solutions enable organizations to connect the business from ideas to impact, empowering companies to accelerate the achievement of what matters most. Planview’s full spectrum of Portfolio Management and Work Management solutions creates an organizational focus on the strategic outcomes that matter and empowers teams to deliver their best work, no matter how they work. The comprehensive Planview platform and enterprise success model enables customers to deliver innovative, competitive products, services, and customer experiences. Headquartered in Austin, Texas, with locations around the world, Planview has more than 1,300 employees supporting 4,500 customers and 2.6 million users worldwide. For more information, visit


SIRIM is a premier industrial research and technology organisation in Malaysia, wholly-owned by the Minister​ of Finance Incorporated. With over forty years of experience and expertise, SIRIM is mandated as the machinery for research and technology development, and the national champion of quality. SIRIM has always played a major role in the development of the country’s private sector. By tapping into our expertise and knowledge base, we focus on developing new technologies and improvements in the manufacturing, technology and services sectors. We nurture Small Medium Enterprises (SME) growth with solutions for technology penetration and upgrading, making it an ideal technology partner for SMEs.


HashiCorp provides infrastructure automation software for multi-cloud environments, enabling enterprises to unlock a common cloud operating model to provision, secure, connect, and run any application on any infrastructure. HashiCorp tools allow organizations to deliver applications faster by helping enterprises transition from manual processes and ITIL practices to self-service automation and DevOps practices. 


IBM is a leading global hybrid cloud and AI, and consulting services provider, helping clients in more than 175 countries capitalize on insights from their data, streamline business processes, reduce costs and gain the competitive edge in their industries. Nearly 3,800 government and corporate entities in critical infrastructure areas such as financial services, telecommunications and healthcare rely on IBM’s hybrid cloud platform and Red Hat OpenShift to affect their digital transformations quickly, efficiently, and securely. IBM’s breakthrough innovations in AI, quantum computing, industry-specific cloud solutions and business services deliver open and flexible options to our clients. All of this is backed by IBM’s legendary commitment to trust, transparency, responsibility, inclusivity, and service. For more information, visit