Germany's Federal Financial Supervisory Authority BaFin published a supervisory notice setting out how insurers should approach the Schwankungsrückstellung (fluctuation reserve) for the new line of business “stand-alone cyber insurance” (Va 26.1), which is separately reported from the 2025 reporting year. BaFin concludes that there is no mandatory requirement to establish a fluctuation reserve for cyber for the 2025 balance sheet because the minimum ten-year observation period for calculating loss ratios is not available; the notice applies immediately and remains in effect until 31 December 2030. Insurers can, however, apply for an individual deviation under section 29 sentence 2 of the Insurance Company Accounting Ordinance (Versicherungsunternehmens-Rechnungslegungsverordnung, RechVersV) to build a cyber fluctuation reserve early, with BaFin emphasising it cannot grant a sector-wide approval. The standard prerequisites for a fluctuation reserve (including earned premiums, the standard deviation of the loss ratio, and the loss and expense ratio) still need to be met and evidenced using the firm’s own records; in this context BaFin may accept a shortened observation period of at least seven years, but firms may not rely on BaFin-published industry loss ratios for the early-build calculation. Where early formation is approved, cyber data must be extracted from the line of business under which cyber was previously reported to avoid double counting, and the firm remains bound to the approved approach while the prerequisites continue to be met. BaFin also explains how a future mandatory requirement would arise once a firm has ten years of cyber data from dedicated profit and loss reporting and meets the other statutory thresholds, illustrating that an insurer writing cyber since 2017 and maintaining the necessary records could potentially meet the conditions in 2027; firms without a full history should use BaFin data to complete the ten-year window, with mandatory formation potentially arising from 2030 if the remaining criteria are met. Separately, BaFin published net loss ratios and gross expense ratios for stand-alone cyber for 2020–2024 based on industry information requests, including for 2024 a net loss ratio of 50.4% and gross expense ratio of 24.3% for direct P&C business, 70.9% and 35.1% for assumed business at P&C insurers, and 75.8% and 25.3% for assumed business at reinsurers.
BaFin 2026-03-12
Germany's Federal Financial Supervisory Authority BaFin issues interim guidance on fluctuation reserves for stand-alone cyber insurance and publishes 2020–2024 loss and expense ratios
BaFin has clarified that insurers are not required to establish a fluctuation reserve for the new stand-alone cyber insurance line (Va 26.1) in the 2025 balance sheet due to the absence of a ten-year loss history, with this position applying until 31 December 2030. Insurers may apply individually under the Insurance Company Accounting Ordinance to build a reserve earlier using at least seven years of their own data, subject to standard prerequisites, while BaFin separately published 2020–2024 net loss and gross expense ratios for stand-alone cyber business.