IAIS Report Reviews Supervisory Initiatives on Cyber Risk Underwriting

Considering the potential scale and pace of the growth of the cyber insurance market and the ubiquitous and significant nature of cyber risk, IAIS has included cyber risk underwriting among the issues presenting opportunities, challenges, and risks related to its mission, with a view to assessing and responding to them in the context of its 2020-2024 Strategic Plan (under High Level Goal 1). As a preparatory step toward developing a strategic approach to how supervisory practices can foster sustainable cyber risk underwriting, in the second half of 2019, IAIS appointed a Cyber Underwriting Small Group (CUSG) of experts from its member supervisors and the Organization for Economic Co-operation and Development (OECD) to conduct a stock-take exercise on the development of cyber-underwriting market, the supervisory framework and guidance on cyber-risk underwriting, and the supervisory capacity for monitoring cyber-risk underwriting in different jurisdictions. Cyber Underwriting Small Group was also appointed to prepare this report, to present findings and recommendations for a strategic approach and to identify possible follow-up work for consideration by the IAIS Executive Committee.

The report highlights that modeling cyber risk as an input for underwriting decisions remains under-developed, but the insurance industry continues to make progress in this area. Furthermore, consistent with the lack of specific supervisory guidelines on cyber-risk underwriting, all the respondents indicated that their existing statutory accounting and capital standards do not provide specific treatment for cyber-underwriting risk. The Cyber Underwriting Small Group recognized that measuring cyber risk is inherently challenging, due to which a proactive supervisory attention is required for cyber-insurance underwriting. To this end, the Group recommended to the IAIS Executive Committee that IAIS pursue a strategic approach focused on facilitating the monitoring, understanding, and assessment of cyber-risk underwriting exposure and impact and on assisting supervisors in building relevant capacity to review cyber-risk underwriting practices and exposure. The approach is aimed to address the following:

• Non-affirmative cyber exposure—IAIS should play an active role in encouraging supervisors to require improved clarity of policy coverage as regards cyber risk. IAIS should monitor progress in addressing non-affirmative cover by insurers and supervisors and possibly set out further guidance.
• Heterogeneity in data capture (and facilitating data-sharing initiatives)—IAIS should monitor and analyze initiatives for developing a data taxonomy and will consider the potential for IAIS to facilitate this work. Moreover, IAIS should review current data-sharing initiatives, with a view to identifying effective practices.
• Supervisory reporting on cyber exposure—IAIS should further review supervisory reporting practices and explore the utility of expanded supervisory reporting on cyber-underwriting exposure. Moreover, consideration should be given to gathering cyber-underwriting data to better understand total exposure as part of the Holistic Framework for Systemic Risk in the Insurance Sector.
• Risk measurement, including development of stress scenarios—IAIS should review industry and supervisory approaches related to risk measurement, along with initiatives for developing stress scenarios to estimate cyber-underwriting exposure, and consider the potential for an IAIS role in furthering such work.
• Issues related to policy wording—IAIS should analyze issues related to clarity of policy terms, conditions, and exclusions with a view to encouraging convergence in understanding, although the CUSG concurs with stakeholders that compelled standardization of policy wording should not presently be pursued.
• Development of cyber awareness and expertise among supervisors—IAIS should undertake initiatives to develop and share good practices on supervision of cyber underwriting.

Keywords: International, Insurance, Cyber Risk, Cyber Underwriting, Cyber Insurance, Proportionality, Stress Testing, Capital Requirements, Cyber Risk Modeling, IAIS