Cyber risk and operational resilience
Cyber risk has been increasing for several years, in line with increased digitisation, interconnectedness and cyber threats. Insurers are not only exposed to cyber risks in their operations but are also active takers of cyber risk through their cyber underwriting activities. As digitisation, interconnectedness and cyber threats continue to expand, cyber insurance has the potential to become an increasingly more significant part of the non-life market and to play a greater role in mitigating the risks associated with cyber incidents. In view of the potential scale and pace of the growth of the cyber insurance market and the ubiquitous and significant nature of cyber risk, cyber insurance underwriting has increasingly attracted supervisory attention.
Financial stability
The IAIS performs a forward-looking role in identifying key trends and developments that could reshape the insurance industry and impact on financial stability. Cyber risk is a key area of focus for the IAIS as rapid technological change and innovation has dramatically increased cyber threats and risks to cyber resilience, both of which have been further compounded by the rapidly changing work environments that came about during the Covid-19 pandemic.
The 2023 special topic edition of the Global Insurance Market Report (GIMAR) explored the impact of cyber risks on the insurance sector and its potential ramifications for financial stability. Specifically, the report focuses on the global cyber insurance market and the cyber resilience of the global insurance sector. It provides an overview of the key trends and aspects of the cyber insurance market and examines the sector’s cyber resilience and its implications for financial stability. The report draws on data collected by the IAIS from its 2022 Global Monitoring Exercise (GME), which covers cyber underwriting activities and cyber resilience data as of year-end 2021. To access the report, please go to bottom of this page.
The IAIS continues to collect data on cyber risks as part of its Global Monitoring Exercise and will publish a further update in the 2025 GIMAR to be published in December.
Supervisory practices
The IAIS´ Operational Resilience Working Group (ORWG) published a draft Application Paper on operational resilience objectives and toolkit on 1 July 2025, with comments due by 29 September. The draft Application Paper provides a sound and consistent foundation to support supervisory authorities in developing and strengthening their approaches to supervising insurers’ operational resilience.
In May 2023 the IAIS published its Issues Paper on insurance sector operational resilience on supervisory practices with respect to cyber resilience, IT third-party outsourcing and business continuity management.
In 2020, the IAIS published a Report on cyber risk underwriting and identified challenges and supervisory considerations for sustainable market development. The report recognised that as digitisation and cyber threats continue to expand, cyber insurance is becoming increasingly significant to the non-life insurance market. The report concluded that current cyber underwriting practices, while serviceable, are not optimal, in particular due to issues surrounding the measurement of risk exposures.
This work builds on initiatives undertaken by the FSB and other standard setting bodies on a cross-sector basis.
Recent and upcoming events
- On 17 July 2025 , a public background session on the Application Papers on artificial intelligence and operational resilience will be held from 13:00 – 14:30 CEST. Click here for more details.
- On 10 September 2024, a public background session was held from 14:00-15:00 CEST.
- The Issues Paper on Insurance Sector Operational Resilience and Resolution of Comments for the public consultation phase were published on May 2023.
- On 31 May 2023, a public discussion session was held on the Issues Paper on Insurance Sector Operational Resilience.
Related publications by Partners
FSB:
- Format for Incident Reporting Exchange (FIRE): Final report
- Enhancing Third-Party Risk Management and Oversight – A toolkit for financial institutions and financial authorities
- Recommendations to Achieve Greater Convergence in Cyber Incident Reporting: Final Report
- Cyber Lexicon: Updated in 2023
- Effective Practices for Cyber Incident Response and Recovery
BCBS:
- Principles for the sound management of third-party risk (consultative document)
- Principles for Operational Resilience
IMF:
OECD: