Emerging risks | Growth Opportunities | APAC Insurance

Wednesday, July 15, 2026

Feature

Statutory floor, compliance mindset leave Korean firms underinsured on cyber risks

Voluntary premiums are climbing fast, yet many firms still carry too little cover for their real exposure.
Statutory floor compliance mindset leave korean firms underinsured on cyber risks  rein asia
July 15, 2026

 • 

6 min read

(Re)in Summary

• Korea’s cyber insurance market has been exhibiting strong growth, though voluntary premiums remain modest.
• Low mandatory coverage requirements have reinforced a compliance-buying mindset, with many organisations purchasing enough cover to satisfy regulations rather than meaningfully transfer cyber risk.
• Market experts say confidence needs to be restored that policies will respond predictably when complex cyber losses occur.
• Larger enterprises are increasingly recognising the need for cyber protection, but the opportunity is to broaden this shift across the wider market, including SMEs.
• Developing the market will require insurers to balance affordable, relevant products with sustainable underwriting and clearer value for buyers.

The low level of mandatory limits set by Korean authorities is reinforcing a compliance-driven mindset, limiting demand for higher levels of cyber protection.

Korea’s Personal Information Protection Act requires firms above a certain size and data thresholds to buy personal information leakage compensation insurance or set aside reserves.

However, insurers and brokers note that the minimum coverage limits are significantly below the scale of potential losses from cyber incidents.

“Exposure varies from company to company. However it’s clear that for the vast majority of mid to large Korean companies their exposure is many multiples of the statutory minimum of KRW 100 million (US$66,000). For the largest Korean corporations, the exposures are easily in the 10s or hundreds of millions of US$,” says Sean Letz, Asia Cyber Leader at Marsh.

A massive data breach at e-commerce company Coupang, which is headquartered in the US but derives most of its business from Korea, shows the dangers of not purchasing sufficient cyber protection. The firm was ultimately fined more than KRW 624.7 billion by Korean regulators – a record amount – while its insurance cover was capped at the statutory minimum of KRW 1 billion. The data breach affected about 33.7 million users.

“Many organisations continue to view cyber risk as something that can be engineered away in the same way as many traditional physical risks,” says Letz. “Unfortunately, cyber and technological risks evolve far more rapidly than conventional risk management frameworks can adapt to. A single technological change, zero-day vulnerability, software flaw or unexpected system failure can suddenly compromise critical systems or render them inoperable.”

Letz adds that Korea is “one of the most dynamic and technologically advanced economies in the world”, suggesting that a major cyber event could cause economic losses “measured in the hundreds of millions or even billions of US dollars”.

“… it’s clear that for the vast majority of mid to large Korean companies their exposure is many multiples of the statutory minimum of KRW 100 million (US$66,000).”
avatar

Sean Letz

Asia Cyber Leader at Marsh

Rapid growth

Despite this cultural reluctance to buying cyber cover, data from Miller Insurance suggests premiums grew by 64% last year – from KRW 28 billion gross written premiums (GWPs) in 2024 to KRW 46 billion in 2025.

However, this was largely driven by demand from larger enterprises, principally those involved in telecommunications, e-commerce and financial services.

Sangsoon Kim, Head of Cyber for Korea at Miller Insurance, says that these companies have a number of things in common, including the handling of large volumes of personal data, heightened exposure to reputational risk and growing alignment with global standards.

Kim says this growth trajectory reflects a structural shift among larger enterprises. The challenge is now to extend this trend onto the smaller segment of the market.

“If senior management does not see a clear linkage between higher limits and the organisation’s most material loss drivers, budgets tend to stay near the minimum.”
avatar

ES Cho

Task Force Lead for Cyber and Digital Assets at Lockton in Korea

Untapped potential

ES Cho, Task Force Lead for Cyber and Digital Assets at Lockton in Korea, says that, in order to shift SMEs in Korea from compliance-driven purchasing toward meaningful risk transfer, the first priority should be to restore confidence that the product will respond predictably in a real loss.

“Many buyers remain anchored to the statutory minimum not because they underestimate cyber risk, but because they are uncertain how coverage will perform once policy conditions, exclusions, documentation requirements and the practical realities of forensic investigation are applied under stress,” he says.

Cho says there are several reasons the compliance-buying mindset persists, even as both the frequency of cyber-attacks and the potential financial impact of those incidents continue to grow.

First, there is a confidence issue. Buyers are not always convinced that larger limits translate into proportionally better financial protection once policy conditions, sub-limits and evidentiary requirements are applied in a real incident.

The claims process itself is often viewed as friction-intensive, typically requiring extensive forensic investigations and documentation.

“That can reduce demand for higher-limit excess layers unless brokers, insurers, and regulators clearly explain the gap.”
avatar

Jon Choi

Director of Insurance Risk Consulting at CyberCube

Finally, Cho says that there is a persistent product-to-risk mismatch: large loss scenarios increasingly come from operational disruption and systemic business interruption, whereas many buyers still associate insurance with data breaches and third-party liability.

“If senior management does not see a clear linkage between higher limits and the organisation’s most material loss drivers, budgets tend to stay near the minimum,” says Cho.

He adds that “companies need clearer, more predictable coverage value – especially for severe, complex loss scenarios – before they move to materially higher limits”.

Jon Choi, Director of Insurance Risk Consulting at CyberCube, argues that the signalling from regulators may not be helping.

“If the legal requirement is small, boards may view that amount as an implicit regulatory signal of adequacy, even when modelled losses are far higher. That can reduce demand for higher-limit excess layers unless brokers, insurers, and regulators clearly explain the gap,” he says.

“With appropriate product design, better risk segmentation, government support, and increased market participation, the SME segment has the potential to become the single most important growth opportunity for the Korean cyber insurance market.”
avatar

Sangsoon Kim

Head of Cyber for Korea at Miller Insurance

Unlocking this opportunity will require insurers to strike a careful balance between expanding access and managing their own risk. While affordable, tailored products could help broaden adoption among SMEs, insurers remain mindful of the profitability challenges involved.

“There is certainly a short-term tension between increasing SME adoption and maintaining insurer profitability,” says Kim. “However, I do not see it as a zero-sum relationship. With appropriate product design, better risk segmentation, government support, and increased market participation, the SME segment has the potential to become the single most important growth opportunity for the Korean cyber insurance market.”