The Bank for International Settlements (BIS) has indicated that cyber threats, intensified by advancements in artificial intelligence, pose growing risks to financial stability and broader economic activity. Cyber incidents, whether from deliberate attacks or accidental failures, can halt operations, compromise sensitive information, disrupt supply chains, and undermine public confidence.
BIS added that financial institutions are especially vulnerable, as breaches may cascade through payment networks and interconnected entities, amplifying systemic effects.
Key drivers include sophisticated hacking tools, geopolitical conflicts, rapid digital expansion, reliance on concentrated technology providers, and fragile supply chains.
Frontier AI developments could bolster defenses through faster vulnerability detection or escalate dangers by empowering attackers with automated, large-scale exploits.
Outcomes hinge on whether protective measures or offensive capabilities gain the upper hand.
Cyber events stem from malicious actions like ransomware, phishing, data theft, and denial-of-service attacks, as well as non-malicious issues such as software glitches or employee mistakes.
Ransomware stands out as the primary driver of insured losses, often involving multi-stage tactics like data encryption combined with extortion threats.
Such attacks can hit numerous organizations simultaneously, heightening correlated exposures for insurance providers.
The BIS update added that non-malicious disruptions, including widespread outages, are also rising due to heightened system interdependencies.
Cyber insurance serves as a vital risk transfer mechanism, offering first-party protection for direct costs (e.g., response efforts, extortion payments, operational downtime, and data recovery) and third-party liability for claims involving privacy violations, regulatory penalties, or affected parties.
Policies may appear as dedicated products or extensions to existing coverage, with increasing standardization in covered perils, though differences and restrictions persist across providers and regions.
Many terms remain untested in legal settings.
A persistent challenge is “silent” or non-affirmative coverage, where policies neither clearly affirm nor rule out cyber-related claims.
Historical attacks, such as the 2017 NotPetya incident, revealed how losses often surfaced under traditional property or liability lines unprepared for digital risks.
Industry participants and overseers have responded with clearer language, explicit inclusions/exclusions, and endorsements.
Nonetheless, carve-outs for state-linked operations, terrorism, or broad systemic failures remain common, and emerging AI-driven scenarios introduce fresh uncertainties around unintended exposures.
Underwriting and pricing cyber policies demand sophisticated approaches amid scarce historical data, fast-changing threats, and complex linkages.
The BIS update also noted that conventional actuarial techniques falter with evolving (non-stationary) risks and interdependencies.
Providers turn to scenario modeling, catastrophe simulations from specialized vendors, and expert assessments to gauge potential losses.
Premiums fluctuate with reinsurance expenses, competitive pressures, and appetite for risk, creating volatility.
Accumulation—the potential for one event to trigger widespread claims via shared cloud services or software—is a core underwriting focus, managed through caps and restrictions but capable of straining solvency in extreme cases.
Despite market expansion, a substantial protection gap endures: roughly 99% of global cyber-related economic damages go uninsured.
Small and medium enterprises face the widest shortfalls, though even major firms encounter coverage limits insufficient for catastrophic scenarios.
The BIS update added that demand-side barriers (awareness, cost) outweigh supply constraints, and the divide may widen with accelerating digital vulnerabilities.
Closing this gap calls for collaborative action. Authorities and insurers can advance baseline security practices through training, incentives tying premiums to controls, and better incident data sharing.
Public-private initiatives, including specialized pools for extreme risks, may cover otherwise uninsurable perils. Regulators should balance enhanced transparency with affordability concerns.
Ultimately, cyber insurance cannot substitute for proper internal defenses but functions as a crucial safety net. The BIS update concluded that prudent market growth, risk-aligned pricing, and heightened awareness will help firms and economies better withstand digital disruptions, fostering overall stability.