In early August 2022, the European Insurance and Occupational Pensions Authority (EIOPA) published a draft supervisory statement on non-affirmative cyber risks and held a public consultation on the draft statement.
In late September 2022, EIOPA published a feedback statement summarising the main findings of the consultation and a resolution of comments paper outlining the individual comments they received and their responses to the comments. The supervisory statement is now in final form.
The statement deals with potential cyber-related losses through insurance policies where cyber coverage is neither explicitly included nor excluded, i.e. non-affirmative coverage. With economic and financial activities becoming more digitalised in recent years, the frequency and sophistication of cyber incidents in the financial sector have increased significantly. As underwriters in the cyber market will be well aware, incidents such as the NotPetya attack in 2017 can lead to significant systemic risk and unexpected losses. These incidents often lead to time-consuming, expensive, and unpredictable litigation.
Against this backdrop, EIOPA recommended that national competent authorities (NCAs) (such as the Central Bank of Ireland (CBI)) must pay greater attention to insurance undertakings’ assessment of the terms and conditions of their existing insurance products covering cyber risks. Particular attention is required for undertakings with significant exposures and those without plans to identify risks. Greater engagement between NCAs and insurance undertakings is needed.
Strategy and Risk Appetite
NCAs should ensure that cyber underwriting is a primary aspect of an undertaking’s overall strategy and that the undertaking considers its risk appetite for cyber underwriting. The strategy should factor in non-affirmative cyber components and define inclusions or exclusions related to cyber risks. Undertakings must align, monitor, and regularly adjust pricing and capital consideration regarding the overall cyber risk exposure to ensure compliance with the undertaking’s risk appetite.
Identification of Risk Exposure
Undertakings should identify their risk exposure around non-affirmative cyber risk to implement sound cyber underwriting practices. When determining their exposure, EIOPA recommends that undertakings:
- Measure exposure.
- Clarify coverage.
- Define cyber terminology.
- Monitor exposure.
EIOPA notes that the outcome of this review should lead to terms and conditions that are clear, simple and aligned with the undertaking’s overall strategy and cyber risk appetite while also providing value for money to policyholders in line with the target market.
The statement notes that (re)insurance undertakings must develop a comprehensive understanding of potential non-affirmative cyber insurance risk scenarios and manage their respective exposure, taking into account concentration and accumulation risk. EIOPA recommends that undertakings regularly evaluate and make use of available reinsurance capacity to mitigate risk related to cyber threats and ensure that overall solvency requirements are adhered to.
War and Terrorism Exclusions
EIOPA notes that undertakings should devote particular attention to traditional war and terrorism exclusions that may not take into account the digital aspects of modern warfare and, therefore, might lead to ambiguity regarding coverage.
Central Bank of Ireland
The CBI has previously cautioned undertakings about silent cyber- where policy wording fails to exclude cyber risks. These risks could potentially leave insurers open to claims from customers who suffer cyber-attacks which insurers have not provided for financially. It would be akin to the business interruption claims made against insurers by businesses shut by the pandemic, which the industry had failed to anticipate.
Covid-19 highlighted weaknesses with ambiguous wording in some policies where risk exposures had not been adequately priced and reserved for by some undertakings. The CBI recommended that firms conduct periodic reviews of policy terms, limits and exclusions to ensure their product offerings are structured to respond in the manner intended, are within their risk appetite and are adequately priced.
In light of this supervisory statement (which echoes the sentiment of the CBI warnings), Irish authorised (re)insurance undertakings should expect an increasing supervisory focus from the CBI.
EIOPA’s supervisory statement promotes supervisory convergence in how NCAs address cyber risks. The statement addresses the need for a top-down strategy and risk appetite considerations for (re)insurance undertakings underwriting or wishing to underwrite cyber risk. It also reflects the need for a review of policies for cyber coverage and the need to communicate such a review to undertakings in a clear and timely manner.
Please click here to access the supervisory statement. For further information on how the EIOPA supervisory statement may impact you, please contact John Larkin, Eoin Caulfield, Ian Murray or your usual William Fry contact.
Contributed by Rory Carbery