EIOPA issues supervisory statement on the management of non-affirmative cyber risk exposures
Author: Ganado Advocates
Published on October 10, 2022

The digitalisation of economic and financial activities, together with the COVID-19 pandemic, has increased companies' reliance on digital infrastructure and, with it, the exposure of companies and consumers to cyber-related incidents. Such incidents can cause significant and unexpected losses for insurers and policyholders alike, especially where insurance policies do not explicitly address cyber risk (so-called non-affirmative cyber exposure, also referred to as 'silent cyber'). It is therefore vital for (re)insurance undertakings ("undertakings") to be aware of these risks and to take them into account in their risk management and capital calculations. The European Insurance and Occupational Pensions Authority ("EIOPA") has published a supervisory statement (the "Supervisory Statement") addressing its concerns regarding non-affirmative cyber risk.

Non-affirmative cyber underwriting exposure

Non-affirmative cyber underwriting exposure arises where an insurance policy neither expressly includes nor expressly excludes cover for cyber-related losses. The resulting uncertainty leads to discrepancies between what policyholders expect to be covered and what is actually paid out when a cyber incident occurs. Exposure can also arise from cyber cover written on ambiguous terms and conditions: if a cyber event materialises under such wording, it can result in substantial, unanticipated losses and in litigation over coverage. Similar outcomes were seen during the COVID-19 pandemic, where claim pay-outs were denied on the basis of ambiguous coverage wording.
EIOPA addressed this issue in 2020 in its Strategy on Cyber Underwriting, which, among other things, prioritises adequate cyber underwriting and cyber risk management practices and the establishment of the necessary supervisory policies and procedures, with the aim of safeguarding financial stability, market integrity and investors' protection.

EIOPA's Supervisory Statement

The Supervisory Statement calls on undertakings and supervisory authorities to engage in a supervisory dialogue on three points: (i) a top-down approach and appetite for underwriting cyber risk; (ii) the identification and measurement of non-affirmative cyber exposures and coverages, with closer supervision of cyber underwriting risk through sound management of non-affirmative exposures; and (iii) cyber underwriting risk management and mitigation, including reinsurance strategy. Each is taken in turn below.

1. A top-down approach and appetite for underwriting cyber risk

National competent authorities are expected to ensure, inter alia, that:
- where material, cyber underwriting is included as a key component of the undertaking's overall strategy, with risk appetite considerations set out at both qualitative and quantitative level;
- the administrative, management or supervisory body applies appropriate governance and oversight to the undertaking's cyber underwriting strategy;
- undertakings act in line with their overall business strategy and risk appetite, taking into account the non-affirmative cyber component and the inclusions or exclusions defined for cyber risk; and
- pricing and capital considerations for the overall cyber risk exposure are aligned with the undertaking's risk appetite, monitored and adjusted regularly.

Furthermore, EIOPA encourages national competent authorities to recommend that any undertaking which has not yet begun reviewing the terms and conditions of its contracts with respect to cyber coverage prepare a plan setting out how it will do so. That plan should include an effective and efficient approach to communicating the outcome of the review to policyholders, so that they are kept informed of the extent of their insurance cover.

2. Identifying and measuring non-affirmative cyber exposures and coverages

National competent authorities are expected to ensure that undertakings employ sufficient resources with multidisciplinary expertise to support the revision of terms and conditions regarding cyber coverage and to promptly identify, manage and monitor their exposure to potential non-affirmative cyber insurance risk.

Undertakings must evaluate their potential exposure to non-affirmative cyber insurance risk. Given the evolving nature of cyber risk, the scarcity of data on cyber events and the losses arising from them, and the difficulty of assessing a policyholder's exposure to cyber risk, a qualitative assessment should complement the quantitative one. This evaluation should be carried out regularly. Once an undertaking has identified its potential exposure, it can decide whether to revise and amend its terms and conditions, ensuring in any case that the wording explicitly includes or excludes cyber risk. In drafting terms and conditions, undertakings should use cyber terminology consistently across all departments and ensure that contractual definitions are understood in the same way by internal and external stakeholders. The resulting terms and conditions should be clear to policyholders and in line with the undertaking's overall business strategy and risk appetite. Additionally, advertising and pre-contractual information for a cyber insurance product should set out the risks covered and the exclusions, so that policyholders can make informed decisions when comparing and choosing a cyber insurance product.

National competent authorities should also recommend that undertakings pay the necessary attention to conventional war and terrorism exclusions, which may need to be reviewed and updated to reflect current digital realities.

3. Cyber underwriting risk management and mitigation, including reinsurance strategy

Appropriate risk management practices can only be implemented if undertakings have adequate knowledge and awareness of the potential risks. To this end, national competent authorities are expected to ensure that undertakings develop a comprehensive understanding of potential non-affirmative cyber insurance risk scenarios, using quantitative and qualitative assessments to evaluate and manage their exposures and taking concentration and accumulation risk into account.

Undertakings should also regularly evaluate and make use of available reinsurance capacity to mitigate accumulation risk arising from cyber risk. Such reinsurance structures, designed with the specific nature of cyber risk in mind, should be capable of covering both affirmative and non-affirmative exposures. Undertakings therefore need to monitor the availability of such structures and maintain a dialogue with reinsurers to identify possible gaps. Where an undertaking concludes that it has, or may have, material non-affirmative cyber exposure, this should be reflected in its decisions and in the design of the scenarios used and documented in its own risk and solvency assessment (ORSA) process.
Conclusion

The overall objectives of the Supervisory Statement are to ensure that measures are implemented to identify any potential cyber underwriting exposure; to ensure sound cyber underwriting and cyber risk management practices that mitigate non-affirmative cyber risk exposures; to establish good supervisory practices; and to safeguard financial stability, market integrity and investors' protection.