Key cyber insurance takeaways from Asia-Pacific: Addressing unique challenges with innovative models

Authors: Harry Lawrence, Associate Director - Customer Success Management, Insurance, Moody's; Mila Stevanic, Moody's Analytics Graduate, Insurance

The cyber insurance landscape in the Asia-Pacific (APAC) region is transforming. With less than 10% of global cyber insurance gross written premiums (GWP) currently, but with a growing digital economy and increasing reliance on technology, insurers see significant growth potential in the region.

To explore the issues and trends emerging in this rapidly evolving market, a diverse group of stakeholders, including representatives from leading insurance companies, technology firms, regulatory bodies, and cybersecurity experts, recently gathered at Gallagher Re’s Asia Cyber Conference 2025.

 

Adapting to each country’s cyber insurance market

In a region distinct from the more established markets of the US and Europe, understanding the nuances of the APAC market and the diversity of its needs from country to country is crucial for insurers to succeed.

Questions arised as the conference highlighted the low levels of cyber insurance penetration among small and medium-sized enterprises (SMEs) in APAC. For example, an Australian cyber insurer recently estimated the penetration rate for cyber insurance among SMEs in the country to be below 10%.

Educational initiatives and tailored products to address the unique cybersecurity needs of SMEs across the different APAC countries are required. But what levels of adaptation to the regional variations in risk profiles and regulatory environments will be needed to capture a larger share of the cyber insurance market in Asia?

 

Meeting the needs of a diverse region

The differences between countries within the APAC cyber insurance market were raised at the conference, and are largely based on the sophistication of a country’s digital economy,  understanding of cyber risk, and differing cultural attitudes toward business risk. For instance, if cyber risk is not deemed that important within a country, some businesses will prioritize traditional forms of insurance—such as property insurance—over cyber coverage.

Each country is also at a different stage of regulatory development, leading to a varied regulatory environment that reflects each country’s unique cybersecurity and data protection regulations.

Countries like Singapore, Hong Kong, and Japan have implemented stringent regulatory frameworks that require businesses to adhere to high standards of data security, competing with U.S standards in terms of cyber insurance offerings.

Other nations may have less developed regulations, meaning insurers must navigate a patchwork of compliance requirements, complicating the underwriting process and risk assessment.

It’s not just tech-heavy businesses in the region that need cyber risk coverage. The integration of physical and digital systems in industries like manufacturing and transportation means cyber has the potential to disrupt physical operations, introducing unique cyber-physical risks.

Multinational companies working with Asian partners must recognize the potential for cyber threats and their physical consequences, necessitating coverage that addresses interconnected systems risk.

In terms of lines of business, in more mature APAC country markets, commercial lines dominate, but in less developed markets, there is a growing demand for personal cyber insurance products. As individuals become more connected, their vulnerability to cyber threats increases, requiring insurers to create tailored offerings that address personal data protection and identity theft.

 

Key challenges to address

So, what were the three key challenges discussed at the conference that insurers need to address for successful growth in the APAC cyber insurance market?

1.      Education gap: There is a notable lack of cyber risk literacy at both the C-suite and underwriting levels. Many executives do not fully understand cyber risks, which hampers informed decision-making regarding insurance coverage.

2.      Data quality: Insurers face challenges related to inconsistent or insufficient data from clients, making it difficult to assess risk accurately. The difficulty in translating security data into insurance-relevant metrics further complicates the underwriting process.

3.      Limited use of cyber models: The adoption of cyber models by insurers in APAC is still in its infancy. Many insurers do not utilize comprehensive cyber risk models, which limits their ability to offer tailored policies that reflect the true risk exposure of their clients.

Several speakers at the conference emphasized that businesses are demanding a deeper understanding of cyber risks and the importance of insurance. Stakeholder education is paramount to increasing market maturity in the APAC region.

In terms of data quality and use of cyber models, the industry can leverage technology and forge strategic partnerships to overcome these challenges and enhance its analytical capabilities.

At a recent workshop session, our collaboration partner BitSight demonstrated the critical role of cyber risk intelligence and actionable technographic data in enhancing insurance underwriting processes.

Their innovative platform provides insurers with valuable insights into the cybersecurity posture of businesses, enabling a more comprehensive understanding of risk. Our collaboration to integrate BitSight’s technographic data into underwriting processes allows insurers to significantly enhance risk assessment quality.

The workshop underscored the importance of this partnership, demonstrating how combining Moody's analytical expertise with BitSight's technographic data and cybersecurity insights empowers insurers to make more informed decisions.

 

Fostering innovation

By embracing growth and tailoring innovative products and solutions to the region's specific market conditions, insurers have a remarkable opportunity to lead in innovation, be responsive to the evolving needs of their clients, and position themselves as trusted partners in risk management.

Products must address traditional cyber threats but also account for the potential consequences of cyber incidents on physical operations. A renewed focus on understanding the cyber-physical impacts of technology on insurance is required, where interconnected business systems blur the lines between digital and physical risks.

 

Different industry approaches

The conference discussed the key approaches insurers are adopting to achieve growth. They are increasingly investing in advanced technologies to enhance their capabilities in risk assessment and management, including the implementation of sophisticated modeling tools that analyze complex cyber risks more effectively.

The use of catastrophe models is proving to be a key component in navigating the evolving landscape of cyber risk, becoming essential for evaluating systematic risks and potential correlations across different exposures.

Enhancements to Moody’s RMS™ Cyber Solutions Version 9.0 now provide deeper insights into correlation and diversification, particularly when assessing global exposures, essential for insurers to understand the complexities of systemic cyber risks.

The widespread adoption of mainstream cloud service providers (CSPs) is not limited by geography; many APAC companies utilize cloud infrastructure hosted in the U.S. or Europe.

Our accidental cloud outage model, which integrates BitSight's cloud dispersion analytics dataset, estimates the probability that companies, graded by size and sector, rely on major CSPs such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform, along with their specific regions and services.

Moreover, using models that integrate a robust and diverse event set is imperative when evaluating malware and systemic data breach events. While systemic events may target specific software families, recognizing how these vulnerabilities can transcend regional boundaries is key to developing a comprehensive risk profile.

In conclusion, as cyber risk continues to evolve in the region, alongside advancements in technology, cybersecurity practices, and the ever-changing threat landscape, the importance of cyber insurance becomes increasingly clear. It serves as a critical component in the comprehensive management of these risks, complemented by effective regulation and the adoption of robust cyber data, models, and analytics.

 

Bringing the industry together

Organizations such as Gallagher Re, Moody's, and BitSight are well-positioned to empower insurers to seize these opportunities, enhancing their ability to navigate the complexities of cyber risk and ultimately fostering a more resilient insurance market.

The Moody’s Cyber Industry Steering Group brings together Gallagher Re, BitSight and other leading companies for multiple perspectives from across the cyber insurance market to help accelerate growth in the global cyber insurance market. Moody’s is committed to significant investment in cyber modeling, as we see this effort as central in our role to help develop new markets for the industry’s growth.

With the industry steering group focusing on research, analytics, and market education as its core pillars and by collaborating and leveraging innovative solutions, we are looking forward to delivering for the industry so it can better protect businesses from the growing tide of cyber threats.