Featured Product

    IAIS Report Reviews Supervisory Initiatives on Cyber Risk Underwriting

    December 21, 2020

    IAIS published a report that identifies the challenges affecting cyber-risk underwriting, along with the supervisory considerations for sustainable market development. The report highlights that current cyber-underwriting practices, while serviceable, are not yet optimal, particularly due to issues surrounding the measurement of risk exposures. Additionally, the supervisory intensity (such as frequency of assessment) and specific toolbox development (such as use of stress tests) are proportionate to the relative importance of the cyber-underwriting market, which is generally limited at this time. With a few exceptions, supervisors have not yet issued guidance on cyber-risk underwriting by insurers. Similarly, supervisory reporting on cyber underwriting is not yet widespread and comprehensive, even in jurisdictions with established regulatory reporting.

    Considering the potential scale and pace of the growth of the cyber insurance market and the ubiquitous and significant nature of cyber risk, IAIS has included cyber risk underwriting among the issues presenting opportunities, challenges, and risks related to its mission, with a view to assessing and responding to them in the context of its 2020-2024 Strategic Plan (under High Level Goal 1). As a preparatory step toward developing a strategic approach to how supervisory practices can foster sustainable cyber risk underwriting, in the second half of 2019, IAIS appointed a Cyber Underwriting Small Group (CUSG) of experts from its member supervisors and the Organization for Economic Co-operation and Development (OECDto conduct a stock-take exercise on the development of cyber-underwriting market, the supervisory framework and guidance on cyber-risk underwriting, and the supervisory capacity for monitoring cyber-risk underwriting in different jurisdictions. Cyber Underwriting Small Group was also appointed to prepare this report, to present findings and recommendations for a strategic approach and to identify possible follow-up work for consideration by the IAIS Executive Committee.

    The report highlights that modeling cyber risk as an input for underwriting decisions remains under-developed, but the insurance industry continues to make progress in this area. Furthermore, consistent with the lack of specific supervisory guidelines on cyber-risk underwriting, all the respondents indicated that their existing statutory accounting and capital standards do not provide specific treatment for cyber-underwriting risk. The Cyber Underwriting Small Group recognized that measuring cyber risk is inherently challenging, due to which a proactive supervisory attention is required for cyber-insurance underwriting. To this end, the Group recommended to the IAIS Executive Committee that IAIS pursue a strategic approach focused on facilitating the monitoring, understanding, and assessment of cyber-risk underwriting exposure and impact and on assisting supervisors in building relevant capacity to review cyber-risk underwriting practices and exposure. The approach is aimed to address the following:

    • Non-affirmative cyber exposure—IAIS should play an active role in encouraging supervisors to require improved clarity of policy coverage as regards cyber risk. IAIS should monitor progress in addressing non-affirmative cover by insurers and supervisors and possibly set out further guidance.
    • Heterogeneity in data capture (and facilitating data-sharing initiatives)—IAIS should monitor and analyze initiatives for developing a data taxonomy and will consider the potential for IAIS to facilitate this work. Moreover, IAIS should review current data-sharing initiatives, with a view to identifying effective practices.
    • Supervisory reporting on cyber exposure—IAIS should further review supervisory reporting practices and explore the utility of expanded supervisory reporting on cyber-underwriting exposure. Moreover, consideration should be given to gathering cyber-underwriting data to better understand total exposure as part of the Holistic Framework for Systemic Risk in the Insurance Sector.
    • Risk measurement, including development of stress scenarios—IAIS should review industry and supervisory approaches related to risk measurement, along with initiatives for developing stress scenarios to estimate cyber-underwriting exposure, and consider the potential for an IAIS role in furthering such work.
    • Issues related to policy wording—IAIS should analyze issues related to clarity of policy terms, conditions, and exclusions with a view to encouraging convergence in understanding, although the CUSG concurs with stakeholders that compelled standardization of policy wording should not presently be pursued.
    • Development of cyber awareness and expertise among supervisors—IAIS should undertake initiatives to develop and share good practices on supervision of cyber underwriting.

    Keywords: International, Insurance, Cyber Risk, Cyber Underwriting, Cyber Insurance, Proportionality, Stress Testing, Capital Requirements, Cyber Risk Modeling, IAIS

    Featured Experts
    Related Articles
    News

    EBA Publishes Final Regulatory Standards on STS Securitizations

    The European Banking Authority (EBA) published the final draft regulatory technical standards specifying and, where relevant, calibrating the minimum performance-related triggers for simple.

    September 20, 2022 WebPage Regulatory News
    News

    ECB Further Reviews Costs and Benefits Associated with IReF

    The European Central Bank (ECB) is undertaking the integrated reporting framework (IReF) project to integrate statistical requirements for banks into a standardized reporting framework that would be applicable across the euro area and adopted by authorities in other EU member states.

    September 15, 2022 WebPage Regulatory News
    News

    EBA Publishes Funding Plans Report, Receives EMAS Certification

    The European Banking Authority (EBA) has been awarded the top European Standard for its environmental performance under the European Eco-Management and Audit Scheme (EMAS).

    September 15, 2022 WebPage Regulatory News
    News

    MAS Launches SaaS Solution to Simplify Listed Entity ESG Disclosures

    The Monetary Authority of Singapore (MAS) set out the Financial Services Industry Transformation Map 2025 and, in collaboration with the SGX Group, launched ESGenome.

    September 15, 2022 WebPage Regulatory News
    News

    BCBS to Finalize Crypto Rules by End-2022; US to Propose Basel 3 Rules

    The Basel Committee on Banking Supervision met, shortly after a gathering of the Group of Central Bank Governors and Heads of Supervision (GHOS), the oversight body of BCBS.

    September 15, 2022 WebPage Regulatory News
    News

    IOSCO Welcomes Work on Sustainability-Related Corporate Reporting

    The International Organization of Securities Commissions (IOSCO) welcomed the work of the international audit and assurance standard setters—the International Auditing and Assurance Standards Board (IAASB)

    September 15, 2022 WebPage Regulatory News
    News

    BoE Allows One-Day Delay in Statistical Data Submissions by Banks

    The Bank of England (BoE) published a Statistical Notice (2022/18), which informs that due to the Bank Holiday granted for Her Majesty Queen Elizabeth II’s State Funeral on Monday September 19, 2022.

    September 14, 2022 WebPage Regulatory News
    News

    ACPR Amends Reporting Module Timelines Under EBA Framework 3.2

    The French Prudential Control and Resolution Authority (ACPR) announced that the European Banking Authority (EBA) has updated its filing rules and the implementation dates for certain modules of the EBA reporting framework 3.2.

    September 14, 2022 WebPage Regulatory News
    News

    ECB Paper Discusses Disclosure of Climate Risks by Credit Agencies

    The European Central Bank (ECB) published a paper that examines how credit rating agencies accepted by the Eurosystem, as part of the Eurosystem Credit Assessment Framework (ECAF)

    September 13, 2022 WebPage Regulatory News
    News

    APRA to Modernize Prudential Architecture, Reduces Liquidity Facility

    The Australian Prudential Regulation Authority (APRA) announced reduction in the aggregate Committed Liquidity Facility (CLF) for authorized deposit-taking entities to ~USD 33 billion on September 01, 2022.

    September 12, 2022 WebPage Regulatory News
    RESULTS 1 - 10 OF 8514