Germany's Federal Financial Supervisory Authority (BaFin) has published a circular setting out the conditions under which it will treat the underwriting of ransom insurance by primary insurers as permissible under public policy. It applies to all insurers authorised for direct non-life business in Germany, including EU and EEA insurers operating in Germany under the freedom to provide services or the freedom of establishment, and it consolidates the supervisory expectations that had been modified over time without changing their substance.

The circular defines ransom insurance as cover for ransom demands, including those arising from kidnapping or violent threats, cyberattacks and product extortion.

Core conditions include a ban on advertising the cover, a prohibition on bundling it with other insurance products except where it is combined with cyber risk cover, and a maximum contract term of one year, with sums insured required to be proportionate to the policyholder's economic circumstances. Insurers must require preventive advice based on a security concept drawn up by a competent security company, impose strict confidentiality on policyholders, and generally limit knowledge of the cover to no more than three named trusted persons (with limited exceptions in commercial settings).

Administration and claims handling must be concentrated in a single unit reporting directly to the management board. Contract data must be held in encrypted form, staff are subject to enhanced confidentiality obligations, and the arrangements must be audited by the board or by a suitably capable security firm. In a loss event, the policyholder, the trusted persons and the insurer must report the offence to the police without delay and support the interests of state law enforcement.

Renewal policies are permitted only if the contract requires an annual "renewal statement" to be submitted before the cancellation deadline and provides for automatic termination if it is not received. The business is to be classified under risk type 16k (other financial losses) under the German Insurance Supervision Act (VAG).
The circular applies from 1 April 2026 and replaces Circular R 3/1998 (VA).