Cyber insurance unpacked: the corporate digital safety net

by Adrien Currat, Joe Perry and Jeffery Yong

June 2026

JEL classification: G18, G22
Keywords: cyber risk, insurance, operational resilience

FSI Insights are written by members of the Financial Stability Institute (FSI) of the Bank for International Settlements (BIS), often in collaboration with staff from supervisory agencies and central banks. The papers aim to contribute to international discussions on a range of contemporary regulatory and supervisory

Authorised by the Chair of the FSI, Fernando Restoy, and the Chair of the Executive Committee of the International Association of Insurance Supervisors, Toshiyuki Miyoshi.

This publication is available on the BIS website (www.bis.org). To contact the BIS Global Media and Public Relations team, please email media@bis.org. You can sign up for email alerts at

Contents

Coverage
Non-affirmative coverage
Underwriting of cyber insurance
Pricing of cyber insurance
Accumulation risk
Size of the gap and the trend
Reasons for the gap
Addressing the protection gap
Section 5 – Conclusion
References
Annex 1: Selected list of malicious and non-malicious cyber incidents

Cyber insurance unpacked: the corporate digital safety net

Executive summary

In a more digitalised world, particularly with emerging threats amplified by artificial intelligence (AI), cyber risk is increasingly recognised as a significant threat to
financial and economic stability. Beyond the financial impacts of cyber attacks, these incidents can also disrupt critical infrastructure, global supply chains and consumer trust. For the financial sector, these risks are particularly acute, as cyber incidents can destabilise payment systems and lead to cascading failures and operational disruptions across interconnected institutions. The rise in cyber risk is driven by increasingly sophisticated threat capabilities, geopolitical tensions, growing digitalisation, concentrated digital dependencies and supply

Cyber incidents can arise from both malicious and non-malicious causes, including technical malfunctions, human error and internal or external attacks. Malicious incidents such as ransomware, social engineering scams and data breaches are on the rise, with ransomware becoming the leading source of cyber losses. These attacks have evolved into complex, multi-stage operations that can affect multiple organisations simultaneously, amplifying accumulation risk for insurers. Non-malicious incidents that involve widespread outages or disruptions have gained in importance and can lead to

Against this backdrop, the disconnect between the increase in cyber risk and the use of cyber insurance as a risk mitigation tool is remarkable. It is estimated that only 1% of global economic cyber losses are covered by cyber insurance, with small and medium-sized enterprises (SMEs) being the most underinsured commercial customers. Although the global cyber insurance market has been growing, the growth has stalled even as insurance availability continues to increase and premium rates fall. The

Ambiguity in cyber insurance policy terms persists, leaving uncertainty around the scope of coverage. Cyber insurance – offered as a standalone policy or add-on to other insurance products – typically provides coverage for both first-party risks (such as incident response and cyber extor