Germany's BaFin Confirms Legal Permissibility of Ransom Insurance, Expands Supervisory Powers

Germany's Federal Financial Supervisory Authority (BaFin) has provided important regulatory clarity to the insurance market by issuing a circular confirming the legal permissibility of ransom insurance under German supervisory law. The circular, issued in April 2026, consolidates previous regulatory requirements and offers clearer guidance for both insurers offering such products and the policyholders purchasing them — an increasingly relevant area as ransomware attacks and extortion-based cyber incidents continue to proliferate.

Ransom insurance — coverage designed to respond to kidnapping, extortion, and ransomware demands — has long operated in a somewhat ambiguous regulatory space in many jurisdictions, given the sensitive policy questions around whether insuring ransom payments might inadvertently encourage criminal activity. BaFin's circular addresses this by confirming the products' permissibility while consolidating the supervisory requirements that apply, giving the German market a firmer legal foundation.

The ransom insurance clarification is part of a broader expansion of BaFin's regulatory reach and supervisory intensity in 2026. Under the BRUBEG legislation, which entered into force in its key provisions on March 31, 2026, BaFin gained expanded investigative powers. The Act, which transposes the EU's sixth Capital Requirements Directive (CRD VI) into German law, also obliges BaFin — as a general rule — to disclose information on the nature and character of regulatory breaches without conducting a further proportionality assessment, and converts the previous maximum five-year publication period for penalties into a minimum period. These expanded powers apply to primary and reinsurance undertakings, including cross-border EU and EEA insurers operating in Germany.

The developments build on BaFin's intensifying focus on cyber and digital risk. In late May 2026, the regulator published its third survey of the German cyber insurance market, having introduced a separate insurance class for cyber risks with a dedicated reporting obligation from the 2025 financial year. BaFin has repeatedly flagged systemic accumulation risk — the danger that a single large-scale cyber event could trigger widespread simultaneous losses across many insurers — as its primary supervisory concern in the cyber space. Together, these measures position BaFin as one of Europe's most active regulators in adapting the insurance supervisory framework to the realities of digital and cyber risk.