The cyber insurance market has grown significantly in the past, with global premiums doubling since 2020 to more than USD 16 billion. However, still the vast majority of cyber risk is not insured. The enormous cyber insurance protection gap can have a direct impact on the economic prosperity not only of individuals and companies, but of society as a whole.

Given the huge potential for damage and the dynamism in the current risk landscape, lately driven also by AI and generative AI adaption, the value of insurance protection to insureds is poised to rise even further. Cyber as a relatively young line of business represents an opportunity for insurers, albeit a challenging one as it is a business area with sparce historical data. Steady investments made by expertise-driven insurers in modelling risks and gaining better understanding of the impact of technology on exposed risks have already laid a solid foundation for the further expansion of risk transfer in a specialised market. The long-term ability and willingness to cover insurable cyber risks is the starting point for effectively bridging the protection gap, consisting of both not yet insured and underinsured risks.

The protection gap in cyber insurance refers to the difference between the economic losses caused by cyber incidents and the extent to which organizations and individuals have protected themselves against these damages via cyber insurance. In other words, it is the gap between the total potential financial impact of cyber risks and the by far smaller amount of insurance cover currently taken out by risk owners. Munich Re Economic Research has compiled comparative figures as at 2025 to illustrate the protection gap for cyber risks:

The potential economic losses from cyber attacks may be estimates, but the scale is impressive. As projected by trends in AI and quantum technology, super-digitization has only just begun. What is evident already is that businesses and society are highly dependent on the smooth functioning of digital technologies.

A large scale catastrophic loss event, whether caused by an attack or a failure, has not yet occurred. However, even limited impact from incidents and attacks keep revealing preparedness or fragility in risk management and can lead to significant reputational and financial damage. For example, a recent study by CyberCube and Munich Re focused on the financial losses scale in relation with cloud outage duration: Cybersecurity experts responded that a single-day outage of their most critical Cloud Service Provider (CSP) would likely result in a financial loss equal to 1% of their yearly revenue. A former study saw eight S&P 500 companies suffering a 10% loss in annual revenue due to a significant cyber incident.

If uninsured, companies, other organizations and private households bear the potentially high costs of cyber losses themselves. Cyber risks may even threaten the existence of a business. The realistic risk of not being able to recover from a security incident or cyber attack should heavily in considerations to take out insurance. The threat of becoming a cyber victim is agnostic in terms of size, industry or management structure; it affects all kinds of large, small and medium-sized enterprises and organisations, as well as families and individuals. General awareness of the cyber risk may have increased, but the gap remains: although a clear majority of company managers consistently cite cyber incidents as their top concern in many surveys yet the coverage gap due to underinsurance or non-insurance remains huge, especially among small and medium-sized companies.

Munich Re’s latest Cyber Risk and Insurance Survey identified the main reasons for the existing protection gap. According to the corporates decision makers surveyed, these are: 

Bridging the protection gap requires efforts on the part of providers, but also on the part of the joint market in various areas. These include strengthening market functionality, ensuring capacity, further improving and tailoring insurance products. Making products easier to understand for policyholders (and sales channels), by reducing complexity and clarifying coverage details will help to increase penetration of the market.

Awareness of the need for cyber risk management in businesses, particularly SMEs, can be raised by insurers, as they seek to also highlight the benefits of cyber insurance.

The value of insurance is increasingly recognised not only in terms of transferring risk, but also in helping to anticipate, mitigate and manage it. In this respect, the industry also plays an important role in the overall economy as a catalyst for strengthened resilience and reduced uncertainty. Coping with the rising macroeconomic costs of cybercrime and vulnerabilities in value chains has long been a challenge for the insurance industry and public sector stakeholders which is best tackled collectively.

As one of the leading players in the cyber insurance market, Munich Re is continually building up its own expertise, which is also meant to lay a solid foundation for sustainable market growth. Experts work together with industry partners on accumulation topics, cooperate with cyber security companies and share modelling insights with the market. Munich Re Group companies continue to design new cyber products and innovate with partners. For example, HSB recently launched CyberPro^TM, and the cooperation with Google Cloud for Cloud Protection + has been extended. With white label products, Munich Re supports its partners in offering cyber coverage all over the globe. In addition, Munich Re actively promotes dialogue between the industry and governmental bodies on ways to jointly strengthen cyber resilience for economies and societies.

Robust and effective cyber insurance protection proves to be an essential component of a company’s overall risk management framework. Insurance is not only part of the post loss indemnification, but also in support of raising threat awareness, increasing cyber security and protecting organisations of all sizes from the huge disruption of an incident. Technical services can therefore represent greater added value as part of the offering for small and medium-sized enterprises than for large global players that operate own IT and support teams.

Protection against cyber risks is no easy task and requires financial resources. However, as with prevention in many other areas, the costs of an incident can be much higher.