Attacking Cyber Risks in the Insurance Industry


By Annette Hofmann, PhD, Director, Lindner Center for Insurance and Risk Management; Associate Professor of Insurance and Risk Management; Virgil M. Schwarm Associate Professor of Finance and Investments; Carl H. Lindner College of Business, University of Cincinnati; and Corinna Kulp, Senior Manager, IT & Controls Assurance, Audit & Assurance, BDO AG Wirtschaftsprüfungsgesellschaft, Hamburg

In today's digitized world, cyber risks have become a pervasive and increasing threat. They affect not only technology companies, but also traditional industries such as insurance and reinsurance carriers. The risk management industry is particularly vulnerable to cyberattacks due to the large amount of sensitive data it manages. Therefore, it is critical that insurance companies develop and implement effective strategies to manage cyber risks.

Cyber risks refer to the potential losses or damages that can be caused by cyberattacks, data breaches, or other types of IT security incidents. They can include financial losses, business interruption, reputational losses, legal consequences and even physical damage. For (re-)insurance companies, cyber risks can present specific challenges, such as the difficulty of quantifying and modeling cyber risk, the rapid evolution of cyber threats, and the complexity of regulatory requirements in different countries. Both the general lack of data and the fact that cyber represents an extremely heavy-tailed risk are the main reasons why the industry faces a significant bottleneck to risk assessment and pricing; the resulting difficulties in the insurability of cyber risks are widely acknowledged (Eling and Wirfs (2015, 2019), Hofmann et al. (2020), Wheatley et al. (2016)).

Cyber risk assessment and management

As is well known, the first step in dealing with cyber risks is to identify the different types of cyber risk and then conduct a thorough risk assessment. This includes identifying the assets that are most at risk (e.g., customer data, financial information, operating systems), assessing current security measures, and identifying potential vulnerabilities. Based on this assessment, insurance companies can then develop a risk management program that includes measures to mitigate, transfer, self-insure, or accept a given risk. This can include implementing security technologies, training employees, developing contingency plans, purchasing insurance, and adhering to industry best practices and standards.

Taking an insurance perspective on data breaches as one class of cyber risk: breaches at companies in general can lead to theft and identity fraud, business interruption, public relations scandals, and more. While coverage of cyber events is typically excluded by property and liability policies, the market to cover cyber risks is growing, with insurance against data breaches forming the bulk of coverage. Looking at the United States, the graph below shows the 12-year frequency and median severity of information items compromised by U.S. state. As would be expected, the highest frequencies are in the states of New York and California, followed by Texas and Ohio. Interestingly, the highest severity is in Nebraska, followed by Nevada and the District of Columbia.

Figure A1 taken from Hofmann et al. (2020). Note: States with ≤ 10 cyber incidents over the 12 years were omitted [i.e. Alaska, Arkansas, Delaware, Hawaii, Idaho, Kansas, Louisiana, Maine, Mississippi, New Hampshire, New Mexico, North Dakota, Rhode Island, South Dakota, Vermont, West Virginia, Wyoming]. The inset panel magnifies the cluster near the origin.
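As an added illustration (not part of the article or of the cited papers), the following Python sketch shows on constructed data why the figure reports frequency and median severity per state rather than mean severity, and why a heavy tail is a bottleneck for mean-based pricing: with a Pareto tail index below 1 the sample mean keeps growing with the sample size while the median settles. The per-state breach records and the Pareto parameters are constructed assumptions.

```python
"""Added illustration, not from the article: heavy-tailed breach severity
makes the sample mean unstable, while frequency and median severity (the
two quantities plotted in the figure) remain usable summary statistics.

Assumptions (constructed): breach sizes follow a Pareto tail with shape
alpha < 1, so the theoretical mean is infinite; the per-state records are
made-up sample values, not real incident data."""
from collections import defaultdict
from statistics import mean, median


def pareto_quantile(u: float, x_min: float, alpha: float) -> float:
    """Inverse CDF of a Pareto(x_min, alpha) distribution."""
    return x_min * (1.0 - u) ** (-1.0 / alpha)


def deterministic_pareto_sample(n: int, x_min: float = 1_000.0,
                                alpha: float = 0.8) -> list[float]:
    """Evenly spaced quantiles instead of random draws, so the 'sample'
    is reproducible; alpha < 1 gives an infinite theoretical mean."""
    return [pareto_quantile((i + 0.5) / n, x_min, alpha) for i in range(n)]


def mean_vs_median(n: int, alpha: float = 0.8) -> tuple[float, float]:
    """Sample mean and median of a size-n heavy-tailed severity sample.
    The mean grows with n (driven by the largest loss); the median does not."""
    sample = deterministic_pareto_sample(n, alpha=alpha)
    return mean(sample), median(sample)


# Constructed breach records: (state, records compromised). Not real data.
BREACHES = [
    ("NY", 1_200), ("NY", 8_000), ("NY", 450), ("NY", 2_000_000), ("NY", 3_100),
    ("CA", 900), ("CA", 15_000), ("CA", 2_200), ("CA", 7_500),
    ("NE", 500_000), ("NE", 850_000),
]


def frequency_and_median_severity(records):
    """Per-state (count, median severity), mirroring the figure's two axes.
    A single huge NY breach barely moves the median but would dominate a mean."""
    by_state = defaultdict(list)
    for state, size in records:
        by_state[state].append(size)
    return {s: (len(v), median(v)) for s, v in by_state.items()}


if __name__ == "__main__":
    print(frequency_and_median_severity(BREACHES))
    for n in (100, 10_000):
        m, md = mean_vs_median(n)
        print(f"n={n:>6}: mean={m:12.0f} median={md:10.0f}")
```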

Regulation and compliance

Due to the increasing importance of cybersecurity, many governments and regulators have introduced stricter cybersecurity regulations and standards. Insurance companies must therefore ensure that they comply with these requirements to avoid legal repercussions, penalties, and reputational damage. This may include compliance with regulations such as the EU's General Data Protection Regulation (GDPR), U.S. information security laws, and other national and international standards; it may also include working with regulators, reporting security incidents, and conducting regular audits and reviews. Article 4(12) of the GDPR defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

As a result, managing cyber risk is a complex and ever-changing challenge for the insurance industry. It requires a deep understanding of the risks, effective risk assessment and management, development of cyber insurance products, compliance with regulatory requirements, and constant vigilance against new threats and developments. Despite these challenges, managing cyber risk also presents opportunities, such as the ability to develop new products and services, strengthen resilience, and build customer trust. With the right strategy and resources, insurance companies will be able to manage these risks effectively and strengthen their role as trusted protectors in the digital world.


References

  • Eling, M. and Wirfs, J. H. (2015). Modelling and management of cyber risk. Available online at:
  • Eling, M. and Wirfs, J. H. (2019). What are the actual costs of cyber risk events? European Journal of Operational Research, 272(3), 1109–1119.
  • Hofmann, A., Sornette, D., and Wheatley, S. (2020). Addressing insurance of data breach cyber risks in the catastrophe framework. The Geneva Papers on Risk and Insurance - Issues and Practice, 46, 53–78.
  • Wheatley, S., Maillart, T., and Sornette, D. (2016). The extreme risk of personal data breaches and the erosion of privacy. The European Physical Journal B, 89(7), 1–12.
Posted by Annette Hofmann

Academic Director, Carl H. Lindner III Center for Insurance and Risk Management | Risk Economist | Associate Professor | University of Cincinnati. Annette is the head of the Lindner Center for Insurance and Risk Management at UC's Lindner College of Business. The Center seeks to understand, analyze and improve how economies, enterprises and individuals manage risk. Major research areas include risk economics, insurance markets, risk leadership, behavioral biases in decision-making under risk, and the application of data science to the analysis of decision-making under risk. Outside the academic world, I like to team up with practice leaders to work on InsurTech solutions and innovative risk management ideas.

+++ Author of the new book: The Ten Commandments of Risk Leadership - A Behavioral Guide on Strategic Risk Management +++

Posted by Corinna Kulp

Corinna Kulp, Senior Manager, IT & Controls Assurance, Audit & Assurance | BDO AG Wirtschaftsprüfungsgesellschaft, Hamburg. She is also an active member of the Information Systems Audit and Control Association, Inc. (ISACA) and is qualified as a CISA® (Certified Information Systems Auditor) and CDPSE® (Certified Data Privacy Solutions Engineer), among others. She writes various articles and gives lectures in the field of IT compliance, data protection and data security.
