In our last article of the “What’s next in Insurance reporting five priorities of 2027 and beyond” series, we explore cyber risk, how it will affect and define corporate reporting going forward, and how insurers can stay ahead of regulatory and stakeholder expectations.
Cyber risk affects insurers both as underwriters and as direct targets
Insurers face cyber risk from two directions. First, they are increasingly exposed to cyber incidents through the policies they underwrite, as cyber insurance becomes a growing line of business. Second, insurers themselves are attractive targets for cyber-attacks due to the volume and sensitivity of data they hold, and their increased investment in digital transformation.
This dual exposure increases the importance of robust internal risk management frameworks, not only to limit financial losses but also to maintain consumer confidence and protect reputation. While cyber risk also presents commercial opportunities, particularly through the expansion of cyber insurance offerings, these opportunities bring additional challenges. Insurers must assess whether policyholders have appropriate controls in place and whether pricing and coverage adequately reflect an evolving risk profile.
Cyber risk introduces new sources of uncertainty into financial reporting
For insurers underwriting cyber risk, financial reporting is complicated by the relative immaturity of the market. Limited historical data, evolving attack methods and the emergence of new claim types make it difficult to identify stable loss patterns.
This uncertainty may result in increased volatility within the financial statements and could require enhanced disclosure to explain key judgements and assumptions. In particular, cyber risk may affect disclosures relating to underwriting risk, claims development and, in some cases, liquidity risk, where the timing and settlement of claims are less predictable.
More broadly, the rapid growth of cyber insurance, combined with frequent changes in policy terms and conditions, may challenge comparability and consistency in reporting across periods.
Current disclosures lag the significance of cyber risk
Despite the scale and immediacy of cyber risk, there are currently no specific reporting requirements that mandate detailed disclosure of operational cyber risk. This has contributed to a gap between the importance of cyber risk to insurers’ operations and the level of transparency typically provided in financial statements.
Our previous publication highlighted this disparity based on 2023 annual reports. As shown in the chart below, this gap remains evident in 2025, with cyber risk still referenced less frequently than climate risk. This contrast illustrates how regulatory focus and disclosure frameworks can shape reporting practices, even where other risks may be equally, or more, immediate.
As regulatory expectations around cyber risk continue to develop, insurers may come under increasing pressure to demonstrate that cyber risk is being managed with the same rigour applied to other principal risks.
Key take-aways
What can insurers do to improve cyber risk reporting?
Clear, proportionate and entity-specific disclosures can help bridge the gap between the significance of cyber risk and current reporting practices. In particular, insurers may wish to consider the following:
- Clarify strategy
  Explain how cyber risk strategy aligns with IT infrastructure, data management and the wider business model.
- Focus on underwriting exposure
  Describe pricing approaches, coverage limits and any preventative or advisory services offered to cyber insurance policyholders.
- Address third-party risk
  Disclose exposure arising from outsourced services and supply chains, particularly where critical operations rely on third parties.
- Consider sales and distribution channels
  Highlight vulnerabilities associated with digital sales platforms and customer interfaces.
- Explain the role of automation and AI
  Describe how automation and AI are used both to enhance cyber defences and, where relevant, how they may introduce new risks.
- Avoid boilerplate disclosures
  Tailor disclosures to reflect the insurer’s specific risk profile, rather than relying on generic descriptions.
- Link cyber risk to other principal risks
  Explain how cyber risk interacts with other emerging risks, including climate change, geopolitical uncertainty and operational resilience.