In a recent report, Aon has examined cyber liability cover as well as the approaches being taken and adopted to the increasing risk of cyber attacks and events as well as general risk management approaches concerning cyber risk.

The report suggests that the reluctance by owners to provide some form of cyber risk insurance through their captives derives from the difficulties associated with the estimation of cyber risk exposure and quantification of the consequences of cyber events. Equally, there appears to be a reluctance of organisations to purchase cyber insurance from the insurance market for the same reasons. This is illustrated in the large variance of policy limits in cyber insurance taken up which the report suggests ranges between US$50,000 per occurrence and US$50 million per occurrence. Furthermore, the report highlights that almost all captives writing cyber insurance are issuing standard policy wordings as opposed to bespoke wordings to meet a specific organisation’s exposure.

The US healthcare industry forms the majority of the 1% of those captives writing cyber insurance. It is envisaged that proposed EU legislation which is focused on empowering national data commissioners by providing them with powers to fine companies who violate EU data rules up to 5% of global annual turnover, will spark interest for EU captives in the cyber risk market. In addition, Solvency II promotes the writing of additional insurance covers which it is considered will also prompt interest in writing cyber insurance.

The report highlights that the cyber reinsurance market, accessible through a captive, currently offers significantly greater capacity than the primary insurance market and is particularly relevant for the catastrophe type exposures.

The report also recommends some key first steps to assessing a company’s cyber exposure and offers some guidance for captives in responding to cyber risk insurance challenges. The report can be found at