Cyber risk and operational resilience

Cyber risks are increasing with growing digitisation, interconnectedness and cyber threats. Insurers are not only exposed to cyber risks in their operations but also as takers of cyber risk through their cyber underwriting activities. As digitalisation, interconnectedness and cyber threats continue to expand, the cyber insurance market has the potential to grow. Given the potential scale of the cyber insurance market and the ubiquitous and significant nature of cyber risk, cyber insurance underwriting has attracted supervisory attention.

Financial stability

The IAIS performs a forward-looking role in identifying key trends and developments that could reshape the insurance industry and impact on financial stability. Cyber risk is an area where the IAIS has undertaken analysis to understand risks posed to the sector. The 2025 Global Insurance Market Report (GIMAR) provides an update on cyber risks in the insurance sector, looking at both the operational risks for insurers and developments in the underwriting of cyber risks. The report considers this risk on two dimensions:

  • Underwriting risk, which includes:
    • Affirmative cyber coverage which may be through standalone policies or included in existing non-life policies with endorsements or other measures by insurers to limit liability; and
    • Non-affirmative coverage (“silent cyber”): where policies may inadvertently cover cyber risks. Insurers generally manage non-affirmative exposure primarily through policy exclusions, affirmative endorsements for specific cyber risks and comprehensive risk identification processes.
  • Own risk: where an insurer’s operations are exposed to risks from cyber-attacks, similar to any other actor in the financial system and real economy. Here the IAIS’ focus is on the operational resilience of insurers.

The IAIS published a 2023 special topic edition of the GIMAR which explored the global cyber insurance market and any impact on financial stability. It provides an overview of the key trends and aspects of the cyber insurance market and examines the sector’s cyber resilience and its implications for financial stability.

Supervisory practices

The IAIS also supports efforts to develop effective supervisory practices to address cyber risks and operational resilience. The IAIS published an Application Paper on operational resilience objectives and toolkit in February 2026.

The Application Paper, which was publicly consulted on through 2024-2025, consists of the operational resilience objectives (the objectives) and supporting practices and tools (the toolkit). The first component, the objectives, provides the basis for a high-level framework for meeting the ICPs, while the second component, the toolkit, provides supervisors with practical implementation approaches.

The Application Paper covers three overarching objectives with the following themes:

  • The relationship between operational resilience, governance and operational risk management.
  • The key elements of a sound approach to operational resilience. Here the paper shares a wide variety of practices adopted by supervisors for the key elements of operational resilience regimes.
  • Specific objectives for insurance supervisors. It highlights guidance for insurance supervisors, including coordination with supervisory authorities, transparent stakeholder communication and fostering a culture of continuous improvement and learning in operational resilience.

In May 2023 the IAIS published its Issues Paper on insurance sector operational resilience, which focuses on supervisory practices with respect to cyber resilience, IT third-party outsourcing and business continuity management.

In 2020, the IAIS published a Report on cyber risk underwriting and identified challenges and supervisory considerations for sustainable market development. The report recognised that as digitisation and cyber threats continue to expand, cyber insurance is becoming increasingly significant to the non-life insurance market. The report concluded that current cyber underwriting practices, while serviceable, are not optimal, in particular due to issues surrounding the measurement of risk exposures.

This work builds on initiatives undertaken by the FSB and other standard setting bodies on a cross-sector basis.