Home Knowledge EIOPA Supervisory Statement on the Management of Non-affirmative Cyber Exposures

EIOPA Supervisory Statement on the Management of Non-affirmative Cyber Exposures

December 14, 2022
EIOPA Supervisory Statement on the Management of Non-affirmative Cyber Exposures
Partner
Eoin Caulfield
Consultant
John Larkin
Partner
Ian Murray

In early August 2022, the European Insurance and Occupational Pensions Authority (EIOPA) published a draft supervisory statement on non-affirmative cyber risks and held a public consultation on the draft statement.

In late September 2022, EIOPA published a feedback statement summarising the main findings of the consultation and a resolution of comments paper outlining the individual comments they received and their responses to the comments. The supervisory statement is now in final form.

The statement deals with potential cyber-related losses through insurance policies where cyber coverage is neither explicitly included nor excluded, i.e. non-affirmative coverage. With economic and financial activities becoming more digitalised in recent years, the frequency and sophistication of cyber incidents in the financial sector have increased significantly. As underwriters in the cyber market will be well aware, incidents such as the NotPetya attack in 2017 can lead to significant systemic risk and unexpected losses. These incidents often lead to time-consuming, expensive, and unpredictable litigation.

Recommendations

Against this backdrop, EIOPA recommended that national competent authorities (NCAs) (such as the Central Bank of Ireland (CBI)) must pay greater attention to insurance undertakings’ assessment of the terms and conditions of their existing insurance products covering cyber risks. Particular attention is required for undertakings with significant exposures and those without plans to identify risks. Greater engagement between NCAs and insurance undertakings is needed.

Strategy and Risk Appetite

NCAs should ensure that cyber underwriting is a primary aspect of an undertaking’s overall strategy and that the undertaking considers its risk appetite for cyber underwriting. The strategy should factor in non-affirmative cyber components and define inclusions or exclusions related to cyber risks. Undertakings must align, monitor, and regularly adjust pricing and capital consideration regarding the overall cyber risk exposure to ensure compliance with the undertaking’s risk appetite.

Identification of Risk Exposure

Undertakings should identify their risk exposure around non-affirmative cyber risk to implement sound cyber underwriting practices. When determining their exposure, EIOPA recommends that undertakings:

  • Measure exposure.
  • Clarify coverage.
  • Define cyber terminology.
  • Monitor exposure.

EIOPA notes that the outcome of this review should lead to terms and conditions that are clear, simple and aligned with the undertaking’s overall strategy and cyber risk appetite while also providing value for money to policyholders in line with the target market.

Risk Management

The statement notes that (re)insurance undertakings must develop a comprehensive understanding of potential non-affirmative cyber insurance risk scenarios and manage their respective exposure, taking into account concentration and accumulation risk. EIOPA recommends that undertakings regularly evaluate and make use of available reinsurance capacity to mitigate risk related to cyber threats and ensure that overall solvency requirements are adhered to.

War and Terrorism Exclusions

EIOPA notes that undertakings should devote particular attention to traditional war and terrorism exclusions that may not take into account the digital aspects of modern warfare and, therefore, might lead to ambiguity regarding coverage.

Central Bank of Ireland

The CBI has previously cautioned undertakings about silent cyber- where policy wording fails to exclude cyber risks. These risks could potentially leave insurers open to claims from customers who suffer cyber-attacks which insurers have not provided for financially. It would be akin to the business interruption claims made against insurers by businesses shut by the pandemic, which the industry had failed to anticipate.

Covid-19 highlighted weaknesses with ambiguous wording in some policies where risk exposures had not been adequately priced and reserved for by some undertakings. The CBI recommended that firms conduct periodic reviews of policy terms, limits and exclusions to ensure their product offerings are structured to respond in the manner intended, are within their risk appetite and are adequately priced.

In light of this supervisory statement (which echoes the sentiment of the CBI warnings), Irish authorised (re)insurance undertakings should expect an increasing supervisory focus from the CBI.

Conclusion

EIOPA’s supervisory statement promotes supervisory convergence in how NCAs address cyber risks. The statement addresses the need for a top-down strategy and risk appetite considerations for (re)insurance undertakings underwriting or wishing to underwrite cyber risk. It also reflects the need for a review of policies for cyber coverage and the need to communicate such a review to undertakings in a clear and timely manner.

Please click here to access the supervisory statement. For further information on how the EIOPA supervisory statement may impact you, please contact John Larkin, Eoin Caulfield, Ian Murray or your usual William Fry contact.

 

Contributed by Rory Carbery

Related Practice Areas
Insurance & Reinsurance
Technology
Related Sectors
Technology, Data & Comms

Recommended Insights

See all
Article and Insights
18
Apr 2024
EIOPA Publishes Supervisory Statement on Reinsurance from Third-Country Reinsurers
EIOPA finalises its supervisory statement on reinsurance concluded with third-coun...
WF_author_blank
Partner
Eoin Caulfield
Article and Insights
18
Apr 2024
SEAR Regulations signed and other Individual Accountability Framework Developments
We look at updates on the IAF including the SEAR Regulations recently signed by th...
WF_author_blank
Partner
Shane Kelleher
Article and Insights
9
Apr 2024
Central Bank Updates Approach to Authorising Payment Institutions / E-Money Institutions
We look at updates to the Central Bank's approach to authorising Payment and E-Mon...
WF_author_blank
Partner
Shane Kelleher
Article and Insights
5
Apr 2024
Insurance Newsletter Q1 2024 – Central Bank of Ireland Highlights Two Key Issues
The Central Bank of Ireland published its Insurance Industry newsletter for Q1 202...
WF_author_blank
Partner
Ian Murray
Article and Insights
14
Mar 2024
CBI Publishes Consultation Paper on Consumer Protection Code Revision
We look at CP158 - The Central Bank Consultation Paper on its proposals to revise ...
WF_author_blank
Partner
Shane Kelleher
Article and Insights
8
Mar 2024
Payments and E-Money Sector – Central Bank Event and Report
We look at key supervisory priorities for the payments and e-money sector based on...
WF_author_blank
Partner
Shane Kelleher
Article and Insights
6
Mar 2024
Central Bank Publishes 2024 Regulatory and Supervisor Outlook
We look at the Central Bank’s view on the key trends and risks facing the financia...
WF_author_blank
Partner
Shane Kelleher
Article and Insights
23
Feb 2024
IFSAT Critical of the Central Bank’s Decision on PCF Roles
We look a IFSAT decision concerning the Central Bank's refusal of an individual’s ...
WF_author_blank
Partner
Shane Kelleher
Article and Insights
14
Feb 2024
IAF Fitness & Probity Reforms
We provide an overview of the new regulations and updated Central Bank documentation.
WF_author_blank
Partner
Shane Kelleher
Article and Insights
23
Jan 2024
Central Bank Newsletter Highlights Key Issues for (Re)Insurers in 2024
The Central Bank of Ireland newsletter for Q4 2023 highlights recent regulatory de...
WF_author_blank
Partner
Eoin Caulfield
prev
next
See all