Cyber insurance guide to aid discussions

30 October 2018

A group of insurance trade bodies has joined forces to produce a guide to buying cyber insurance. The publication aims to help companies of all sizes work with their broker to prepare their insurance submissions and evaluate insurers’ cyber insurance offerings.

The guide has been developed by the Federation of Risk Management Associations (FERMA), working with the European Federation of Insurance Intermediaries (BIPAR) and Insurance Europe, the European insurance trade body. It follows FERMA’s 2017 report on cyber risk governance, which sets out a framework to identify and quantify cyber risk in order to weigh up risk mitigation strategies and insurance.

‘Preparing for cyber insurance’ is written from the insurance buyers’ perspective and is intended as a practical guide to help organisations understand their cyber risks and potential need for cyber insurance. Recent cyber events have made organisations much more aware of the cyber risks they face and more conscious of the need to manage their cyber security exposures, yet many companies still struggle to translate their cyber security concerns into concrete action, FERMA said.

The market for cyber insurance in the EU has yet to reach its full potential, according to the report. One reason for this is the difficult task insurers face when quantifying risks that are constantly evolving and that can rapidly spread worldwide. Similarly, organisations can find it hard to accurately assess their cyber security exposures and how best to use insurance to mitigate them.

Any organisation wishing to implement some form of risk mitigation for its cyber risks—including insurance—must first assess as accurately as possible its exposures and potential vulnerabilities. As a first step, an organisation needs to conduct internal research and build a picture of its cyber risks and how it manages them. However, conducting this research can be challenging, the report says.

The guide gives advice on how companies can best prepare for discussions with insurance intermediaries and insurers. For example, it helps buyers prepare the most valuable underwriting information for insurers, outlining what information is required, how it is used in underwriting and where that information is likely to be found within the organisation.

According to the report, insurers will need information on general business risk, corporate culture, information system security (mobile working policies, networks, secure administration and industrial control systems), IT suppliers, IT update information and personal data. While compiling this information may be demanding, it creates a virtuous circle because it also allows the organisation to identify where it can strengthen its policies and procedures, the guide says.

The report also provides tools to help organisations evaluate cyber insurance offers and how they translate in practice. Insurance solutions proposed by insurers are not uniform and will depend on the organisation’s characteristics, including its size, type, sector and level of digitalisation. Cyber insurance solutions typically include prevention advice and mitigation support in the event of a cyber-related incident.

The guide sets out the four pillars of cyber insurance: prevention, assistance, operations and liability. It then gives a brief explanation of examples of cyber-related coverages, a coverage checklist and scenarios detailing how and when cyber insurance can be relevant following a cyber incident.

The scenarios show that many cyber risks can be insured, while some elements of coverage could be available under other lines of insurance. As a result, buyers need to work with their intermediaries and insurers to understand potential cyber coverages and gaps within their current insurance policies and evaluate the value of a stand-alone cyber insurance policy for their organisation.

The benefits of good preparation go beyond informing a discussion with insurers and intermediaries, according to the guide. It serves to gauge the extent to which an organisation is ready to face cyber risks generally, both in terms of prevention and response, should an event occur. Similarly, on the basis of this information, the insurer will be able to offer the coverage that is best suited to the organisation’s needs and, equally importantly, access to pre- and post-incident services.

For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on