IAIS published a report that identifies the challenges affecting cyber-risk underwriting, along with the supervisory considerations for sustainable market development. The report highlights that current cyber-underwriting practices, while serviceable, are not yet optimal, particularly due to issues surrounding the measurement of risk exposures. Additionally, the supervisory intensity (such as frequency of assessment) and specific toolbox development (such as use of stress tests) are proportionate to the relative importance of the cyber-underwriting market, which is generally limited at this time. With a few exceptions, supervisors have not yet issued guidance on cyber-risk underwriting by insurers. Similarly, supervisory reporting on cyber underwriting is not yet widespread and comprehensive, even in jurisdictions with established regulatory reporting.
Considering the potential scale and pace of the growth of the cyber insurance market and the ubiquitous and significant nature of cyber risk, IAIS has included cyber risk underwriting among the issues presenting opportunities, challenges, and risks related to its mission, with a view to assessing and responding to them in the context of its 2020-2024 Strategic Plan (under High Level Goal 1). As a preparatory step toward developing a strategic approach to how supervisory practices can foster sustainable cyber risk underwriting, in the second half of 2019, IAIS appointed a Cyber Underwriting Small Group (CUSG) of experts from its member supervisors and the Organization for Economic Co-operation and Development (OECD) to conduct a stock-take exercise on the development of cyber-underwriting market, the supervisory framework and guidance on cyber-risk underwriting, and the supervisory capacity for monitoring cyber-risk underwriting in different jurisdictions. Cyber Underwriting Small Group was also appointed to prepare this report, to present findings and recommendations for a strategic approach and to identify possible follow-up work for consideration by the IAIS Executive Committee.
The report highlights that modeling cyber risk as an input for underwriting decisions remains under-developed, but the insurance industry continues to make progress in this area. Furthermore, consistent with the lack of specific supervisory guidelines on cyber-risk underwriting, all the respondents indicated that their existing statutory accounting and capital standards do not provide specific treatment for cyber-underwriting risk. The Cyber Underwriting Small Group recognized that measuring cyber risk is inherently challenging, due to which a proactive supervisory attention is required for cyber-insurance underwriting. To this end, the Group recommended to the IAIS Executive Committee that IAIS pursue a strategic approach focused on facilitating the monitoring, understanding, and assessment of cyber-risk underwriting exposure and impact and on assisting supervisors in building relevant capacity to review cyber-risk underwriting practices and exposure. The approach is aimed to address the following:
- Non-affirmative cyber exposure—IAIS should play an active role in encouraging supervisors to require improved clarity of policy coverage as regards cyber risk. IAIS should monitor progress in addressing non-affirmative cover by insurers and supervisors and possibly set out further guidance.
- Heterogeneity in data capture (and facilitating data-sharing initiatives)—IAIS should monitor and analyze initiatives for developing a data taxonomy and will consider the potential for IAIS to facilitate this work. Moreover, IAIS should review current data-sharing initiatives, with a view to identifying effective practices.
- Supervisory reporting on cyber exposure—IAIS should further review supervisory reporting practices and explore the utility of expanded supervisory reporting on cyber-underwriting exposure. Moreover, consideration should be given to gathering cyber-underwriting data to better understand total exposure as part of the Holistic Framework for Systemic Risk in the Insurance Sector.
- Risk measurement, including development of stress scenarios—IAIS should review industry and supervisory approaches related to risk measurement, along with initiatives for developing stress scenarios to estimate cyber-underwriting exposure, and consider the potential for an IAIS role in furthering such work.
- Issues related to policy wording—IAIS should analyze issues related to clarity of policy terms, conditions, and exclusions with a view to encouraging convergence in understanding, although the CUSG concurs with stakeholders that compelled standardization of policy wording should not presently be pursued.
- Development of cyber awareness and expertise among supervisors—IAIS should undertake initiatives to develop and share good practices on supervision of cyber underwriting.
Keywords: International, Insurance, Cyber Risk, Cyber Underwriting, Cyber Insurance, Proportionality, Stress Testing, Capital Requirements, Cyber Risk Modeling, IAIS
Previous ArticleFCA Introduces Rule to Enhance Climate-Related Financial Disclosures
ECB published Guideline 2021/975, which amends Guideline ECB/2014/31, on the additional temporary measures relating to Eurosystem refinancing operations and eligibility of collateral.
EIOPA published a report, from the Consultative Expert Group on Digital Ethics, that sets out artificial intelligence governance principles for an ethical and trustworthy artificial intelligence in the insurance sector in EU.
HKMA published the seventh and final issue of the Regtech Watch series, which outlines the three-year roadmap of HKMA to integrate supervisory technology, or suptech, into its processes.
EC launched a targeted consultation to improve transparency and efficiency in the secondary markets for nonperforming loans (NPLs).
BIS, Danmarks Nationalbank, Central Bank of Iceland, Norges Bank, and Sveriges Riksbank launched an Innovation Hub in Stockholm, making this the fifth BIS Innovation Hub Center to be opened in the past two years.
FDITECH, the technology lab of FDIC, announced a tech sprint that is designed to explore new technologies and techniques that would help expand the capabilities of community banks to meet the needs of unbanked individuals and households.
EC released the EU Taxonomy Compass, which visually represents the contents of the EU Taxonomy starting with the EU Taxonomy Climate Delegated Act.
FDIC is seeking comments on a rule to amend the interagency guidelines for real estate lending policies—also known as the Real Estate Lending Standards.
EIOPA published its annual report, which sets out the work done in 2020 and indicates the planned work areas for the coming months.
The ESRB paper that presents an analytical framework that assesses and quantifies the potential impact of a bank failure on the real economy through the lending function.