Cyber risks are rising worldwide, but Korea’s cyber insurance market, intended to help businesses absorb losses from hacking incidents, is still lagging behind major overseas markets, industry officials said, underscoring a growing gap between exposure and available cover.
Korea recorded 2,383 cyber incidents in 2025, nearly double the number reported two years earlier, with server intrusions accounting for the largest share, according to the Korea Internet & Security Agency, reported by Korea Times. Recent attacks affecting SK Telecom, Coupang, YES24, and Lotte Card have highlighted how large companies in telecommunications, financial services, and e-commerce remain exposed to operational and data disruption.
Despite this activity, the use of cyber insurance remains limited. Gallagher Re data from 2024 put Korea’s cyber insurance premiums at about US$3 million, representing roughly 0.02% of global cyber premiums. The worldwide cyber market is estimated at US$16 billion to US$20 billion in 2025 and is forecast by Gallagher to grow to between US$30 billion and US$50 billion by 2030. Regional comparisons show how far Korea trails other markets. Singapore, which has a smaller economy, recorded about US$39 million in cyber premiums, while Thailand recorded about US$5 million. These figures point to a gap between the scale of Korea’s digital economy and the level of risk being transferred to the insurance market.
On the demand side, analysts point to how Korean companies structure their cyber budgets. Many organisations are directing spending toward technical protection measures, such as software, hardware, and external consulting, before considering insurance as part of their response. “Many firms struggle to assess their own risk exposure, so they tend to avoid the cost or handle incidents internally to manage reputational fallout. Once a breach becomes public, the damage can be significant, which also discourages the use of insurance,” said Son Jae-hee, research director at the Korea Insurance Research Institute, as reported by Korea Times.
Son said this often affects where insurance sits in corporate planning. “In terms of budget priorities, spending on security subscriptions, equipment, or consulting usually comes before insurance,” she said. Brokers report that, particularly among small and medium-sized businesses, cyber risk is still frequently treated as an IT issue rather than a financial exposure that can be partly managed via an insurance policy. As a result, take-up rates remain low, and underwriters must rely on a relatively small pool of insureds when assessing local cyber risk.
Insurers operating in Korea face a different set of difficulties. Cyber risk changes quickly, with new attack methods and tools emerging at short intervals. At the same time, incidents can spread across multiple organisations that share common software, cloud environments or IT service providers, raising concerns about large, correlated loss events. “Because the risk evolves so quickly, there is a shortage of data available for product design for insurers,” Son said.
The limited domestic loss history for cyber products restricts the depth of actuarial analysis for pricing and capital allocation. This uncertainty has led to cautious underwriting, closer attention to policy language, and careful use of limits, especially in areas such as contingent business interruption and third-party liability linked to vendors and supply chains. Market participants describe a cycle in which low demand and limited experience slow product development, while the lack of mature local products and data keeps some potential buyers on the sidelines.
Global data present a contrasting picture. North America continues to account for about 60% to 70% of global cyber premiums, while Asia-Pacific is expected to record the fastest growth rate as more economic activity moves online, according to Gallagher’s 2026 Cyber Insurance Market Outlook. Pricing internationally has mostly stabilised after several years of hardening, with many insureds seeing flat renewals. Healthcare remains an exception, where single-digit rate increases are still reported in response to claims activity.
On the loss side, Gallagher cites US House Committee on Homeland Security figures showing the average cost of a data breach in the US reached around US$10 million in 2025. Separate data from Resilience indicate that the average cost of a ransomware incident rose 17% in the first half of 2025, while incurred claims volumes declined by 53%. Ransomware accounted for 91% of incurred claims over that period. Ransom payment behaviour is also changing. Gallagher reported that only 28% to 32% of victims paid ransoms in 2025, down from 37% in 2024. Average ransom payments fell about 10%, to between US$1.2 million and US$1.8 million.
The outlook also points to AI-related exposures and regulatory measures that may affect Korean carriers and their clients, particularly those with operations in the US. Gallagher’s analysis identifies threat actors of concern, including North Korean remote IT workers operating inside foreign firms, criminal group Scattered Spider, and China-linked Salt Typhoon, alongside ongoing supply chain attacks on software-as-a-service vendors and cloud providers.
AI-related incidents are a growing part of the risk picture. Gallagher’s research attributes 30% of reported AI security incidents to supply chain compromise, followed by model inversion at 24% and model evasion at 21%. In response, insurers have been tightening language around contingent business interruption and non-breach privacy claims. At least one insurer has introduced a standalone AI policy, and others are offering endorsements to cover the cost of retraining large learning models. In the US, the Cyber Incident Reporting for Critical Infrastructure Act is scheduled to take effect in May 2026, requiring covered entities to report significant incidents within 72 hours. US states introduced about 200 cybersecurity-related bills in 2025 on issues such as breach notification and ransomware, signalling a more detailed compliance environment for multinational firms.
Given Korea’s low cyber insurance penetration relative to incident levels and digitalisation, analysts say there are questions about how much of the country’s cyber risk can be absorbed by private carriers alone in the short to medium term. Son pointed to the need for more structured approaches to information sharing and risk assessment. She stressed the need to build standardised frameworks and data infrastructure to improve the insurability of cyber threats, adding that government-backed reinsurance pools should also be considered. For Korean insurers, reinsurers, and intermediaries, the challenge will be to move beyond awareness of headline breaches and translate cyber risk into more systematic use of insurance. That will likely involve closer cooperation with regulators and corporate clients on data, standards, and possible public-private arrangements to support a more stable and scalable cyber insurance market.
