The growth in the volume of premiums in the area of ​​cyber insurance in the Russian Federation for 2023 amounted to about 80%

Insurance companies developing the direction of covering damage from the consequences of cyber attacks in 2023 increased the collection of insurance premiums for a relatively new service by 80%, to 1.3 billion rubles. So far, this type of insurance has been used to a limited extent, including due to the lack of expertise for a preliminary assessment of clients’ protection. The Federation Council is working on a regulatory framework for the development of this area, but the Central Bank urges not to rush into introducing mandatory requirements.

The overall increase in the volume of premiums in the area of ​​cyber insurance in the Russian Federation for 2023 was about 80%, to approximately 1.3 billion rubles, PSB told Kommersant. Most often, such programs are purchased by large clients from the banking sector or industrial enterprises – as a rule, from the fuel and energy sector and metallurgy, said Alexey Nazarov, vice president and director of the department for the development of non-banking services of PSB. The packages, he said, may also include a cyber audit – checking the security of IT systems.

There are also inexpensive solutions on the market for small and medium-sized businesses that allow them to obtain insurance against cyber incidents, mainly related to the consequences of DDoS attacks (attack on the server). However, they do not provide protection against all current cyber threats. “Cyber ​​insurance in Russia remains a highly specialized product,” admits Alexey Nazarov. According to Expert RA, in general, the insurance market in Russia at the end of 2023 grew by 15–16%, and the volume of premiums amounted to about 2 trillion rubles.

“We are seeing an increase in demand for cyber risk insurance by an average of 20% per year – this means the number of companies wanting to buy a policy,” notes VSK Insurance House.

According to Zetta Insurance, the number of new requests for cyber risk insurance has increased by 1.5–2 times over the year. Demand is directly proportional to the increase in incidents of data leaks and hacker attacks, the company believes. In 2023, Roskomnadzor detected 168 leaks (140 in 2022).

Rosgosstrakh notes demand primarily from the banking sector and telecommunications companies, which “today are more susceptible to attacks,” recognizing that in the Russian Federation it has not yet become “significant for the market.” “For now we are talking only about one-time contracts, and not about product lines that can be offered to a wide range of clients,” the company explained.

Commercial Director of BI.ZONE Konstantin Levin notes several key problems of the segment. Firstly, in addition to the insurer and the customer, a third party is needed to analyze the client’s situation, but these procedures, he notes, have not been worked out, and there are no evaluation criteria. Secondly, the expert clarifies, there is no specialized regulation.

Meanwhile, cyber insurance has been discussed since the end of 2022 as one of the mandatory conditions for regulating companies’ liability for information security (see “Kommersant” dated November 7, 2022).

As Artem Sheikin, deputy chairman of the Council for the Development of the Digital Economy under the Federation Council, explained to Kommersant, the idea is to create a mechanism for mandatory financial support for the liability of personal data operators for leaks.

“It is necessary to oblige companies to have financial security to compensate for harm caused to personal data subjects in case of violation of the law. This could be a bank guarantee, an insurance contract, a reserve fund,” he says. According to Mr. Sheikin, the bill is at the final stage of development; it is planned to be discussed with departments and businesses at a meeting in the Federation Council in February.

The Central Bank of Kommersant clarified that the creation of a cyber risk insurance institution is one of the tasks identified in the regulator’s work plan until 2025, however, “to establish uniform requirements for such an insurance product, insurers must gain sufficient experience.”

Tatiana Isakova, Yulia Poslavskaya