IAIS published a report that identifies the challenges affecting cyber-risk underwriting, along with the supervisory considerations for sustainable market development. The report highlights that current cyber-underwriting practices, while serviceable, are not yet optimal, particularly due to issues surrounding the measurement of risk exposures. Additionally, the supervisory intensity (such as frequency of assessment) and specific toolbox development (such as use of stress tests) are proportionate to the relative importance of the cyber-underwriting market, which is generally limited at this time. With a few exceptions, supervisors have not yet issued guidance on cyber-risk underwriting by insurers. Similarly, supervisory reporting on cyber underwriting is not yet widespread and comprehensive, even in jurisdictions with established regulatory reporting.
Considering the potential scale and pace of the growth of the cyber insurance market and the ubiquitous and significant nature of cyber risk, IAIS has included cyber risk underwriting among the issues presenting opportunities, challenges, and risks related to its mission, with a view to assessing and responding to them in the context of its 2020-2024 Strategic Plan (under High Level Goal 1). As a preparatory step toward developing a strategic approach to how supervisory practices can foster sustainable cyber risk underwriting, in the second half of 2019, IAIS appointed a Cyber Underwriting Small Group (CUSG) of experts from its member supervisors and the Organization for Economic Co-operation and Development (OECD) to conduct a stock-take exercise on the development of cyber-underwriting market, the supervisory framework and guidance on cyber-risk underwriting, and the supervisory capacity for monitoring cyber-risk underwriting in different jurisdictions. Cyber Underwriting Small Group was also appointed to prepare this report, to present findings and recommendations for a strategic approach and to identify possible follow-up work for consideration by the IAIS Executive Committee.
The report highlights that modeling cyber risk as an input for underwriting decisions remains under-developed, but the insurance industry continues to make progress in this area. Furthermore, consistent with the lack of specific supervisory guidelines on cyber-risk underwriting, all the respondents indicated that their existing statutory accounting and capital standards do not provide specific treatment for cyber-underwriting risk. The Cyber Underwriting Small Group recognized that measuring cyber risk is inherently challenging, due to which a proactive supervisory attention is required for cyber-insurance underwriting. To this end, the Group recommended to the IAIS Executive Committee that IAIS pursue a strategic approach focused on facilitating the monitoring, understanding, and assessment of cyber-risk underwriting exposure and impact and on assisting supervisors in building relevant capacity to review cyber-risk underwriting practices and exposure. The approach is aimed to address the following:
- Non-affirmative cyber exposure—IAIS should play an active role in encouraging supervisors to require improved clarity of policy coverage as regards cyber risk. IAIS should monitor progress in addressing non-affirmative cover by insurers and supervisors and possibly set out further guidance.
- Heterogeneity in data capture (and facilitating data-sharing initiatives)—IAIS should monitor and analyze initiatives for developing a data taxonomy and will consider the potential for IAIS to facilitate this work. Moreover, IAIS should review current data-sharing initiatives, with a view to identifying effective practices.
- Supervisory reporting on cyber exposure—IAIS should further review supervisory reporting practices and explore the utility of expanded supervisory reporting on cyber-underwriting exposure. Moreover, consideration should be given to gathering cyber-underwriting data to better understand total exposure as part of the Holistic Framework for Systemic Risk in the Insurance Sector.
- Risk measurement, including development of stress scenarios—IAIS should review industry and supervisory approaches related to risk measurement, along with initiatives for developing stress scenarios to estimate cyber-underwriting exposure, and consider the potential for an IAIS role in furthering such work.
- Issues related to policy wording—IAIS should analyze issues related to clarity of policy terms, conditions, and exclusions with a view to encouraging convergence in understanding, although the CUSG concurs with stakeholders that compelled standardization of policy wording should not presently be pursued.
- Development of cyber awareness and expertise among supervisors—IAIS should undertake initiatives to develop and share good practices on supervision of cyber underwriting.
Keywords: International, Insurance, Cyber Risk, Cyber Underwriting, Cyber Insurance, Proportionality, Stress Testing, Capital Requirements, Cyber Risk Modeling, IAIS
Previous ArticleFCA Introduces Rule to Enhance Climate-Related Financial Disclosures
The Board of Governors of the Federal Reserve System (FED) adopted the final rule on Adjustable Interest Rate (LIBOR) Act.
The European Central Bank (ECB) published an updated list of supervised entities, a report on the supervision of less significant institutions (LSIs), a statement on macro-prudential policy.
The Hong Kong Monetary Authority (HKMA) published a circular on the prudential treatment of crypto-asset exposures, an update on the status of transition to new interest rate benchmarks.
The European Commission (EC) adopted the standards addressing supervisory reporting of risk concentrations and intra-group transactions, benchmarking of internal approaches, and authorization of credit institutions.
The China Banking and Insurance Regulatory Commission (CBIRC) issued rules to manage the risk of off-balance sheet business of commercial banks and rules on corporate governance of financial institutions.
The Hong Kong Monetary Authority (HKMA) made announcements to address sustainability issues in the financial sector.
The European Banking Authority (EBA) published regulatory standards on identification of a group of connected clients (GCC) as well as updated the lists of identified financial conglomerates.
The General Board of the European Systemic Risk Board (ESRB), at its December meeting, issued an updated risk assessment via the quarterly risk dashboard and held discussions on key policy priorities to address the systemic risks in the European Union.
The Financial Conduct Authority (FCA) is seeking comments, until December 21, 2022, on the draft guidance for firms to support existing mortgage borrowers.
The Financial Stability Board (FSB) published a report that assesses progress on the transition from the Interbank Offered Rates, or IBORs, to overnight risk-free rates as well as a report that assesses global trends in the non-bank financial intermediation (NBFI) sector.