In early August 2022, the European Insurance and Occupational
Pensions Authority (EIOPA) published a draft
supervisory statement on non-affirmative cyber risks and held a
public consultation on the draft statement. In late September 2022,
EIOPA published a feedback statement summarising the main
findings of the consultation and a resolution of comments paper setting out the
individual comments it received and its responses to them. The supervisory statement is now in final
form.
The statement deals with potential cyber-related losses through
insurance policies where cyber coverage is neither explicitly
included nor excluded, i.e. non-affirmative coverage. With economic
and financial activities becoming more digitalised in recent years,
the frequency and sophistication of cyber incidents in the
financial sector have increased significantly. As underwriters in
the cyber market will be well aware, incidents such as the NotPetya
attack in 2017 can create significant systemic risk and unexpected
losses, because a single event triggers claims across many policies and lines of business at once. Where the policy wording is silent on cyber, these incidents often lead to time-consuming, expensive
and unpredictable litigation over whether, and under which policies, the losses are covered.
Recommendations
Against this backdrop, EIOPA recommended that national competent
authorities (NCAs) (such as the Central Bank of
Ireland (CBI)) should pay greater attention to
insurance undertakings' assessment of the terms and conditions
of their existing insurance products that may respond to cyber risks.
Particular attention is required for undertakings with significant
exposures and for those that have no plans in place to identify such exposures. Greater
engagement between NCAs and insurance undertakings is needed.
Strategy and Risk Appetite
NCAs should ensure that cyber underwriting is addressed as a core element
of an undertaking's overall strategy and that the undertaking
has defined its risk appetite for cyber underwriting. The strategy
should factor in non-affirmative cyber components and define
explicit inclusions or exclusions relating to cyber risks. Undertakings must
align, monitor and regularly adjust pricing and capital
allocation to their overall cyber risk exposure so that it remains
within the undertaking's risk appetite.
Identification of Risk Exposure
Undertakings should identify their risk exposure around
non-affirmative cyber risk to implement sound cyber underwriting
practices. When determining their exposure, EIOPA recommends that
undertakings:
- Measure exposure.
- Clarify coverage.
- Define cyber terminology.
- Monitor exposure.
EIOPA notes that the outcome of this review should be terms
and conditions that are clear, simple and aligned with the
undertaking's overall strategy and cyber risk appetite, while
also providing value for money to policyholders in line with the
target market.
Risk Management
The statement notes that (re)insurance undertakings must develop
a comprehensive understanding of potential non-affirmative cyber
insurance risk scenarios and manage their respective exposure,
taking into account concentration and accumulation risk (a single cyber event affecting many policyholders, or many policies of one policyholder, simultaneously). EIOPA
recommends that undertakings regularly evaluate and make use of
available reinsurance capacity to mitigate cyber-related risk and to ensure that overall solvency requirements continue to be met.
War and Terrorism Exclusions
EIOPA notes that undertakings should devote particular attention
to traditional war and terrorism exclusions, which may not take into
account the digital aspects of modern warfare and may, therefore,
leave it ambiguous whether a cyber attack attributed to a state is covered.
Central Bank of Ireland
The CBI has previously cautioned undertakings about silent
cyber, where policy wording fails to exclude cyber risks. These
risks could leave insurers open to claims from
customers who suffer cyber attacks, for which insurers have not
reserved. It would be akin to the business interruption
claims made against insurers by businesses shut by the pandemic,
which the industry had failed to anticipate.
Covid-19 highlighted the weakness of ambiguous wording in some
policies, where risk exposures had not been adequately priced or
reserved for by some undertakings. The CBI recommended that firms
conduct periodic reviews of policy terms, limits and exclusions to
ensure their product offerings are structured to respond in the
manner intended, are within their risk appetite and are adequately
priced.
In light of this supervisory statement (which echoes the
sentiment of the CBI warnings), Irish authorised (re)insurance
undertakings should expect an increasing supervisory focus from the
CBI.
Conclusion
EIOPA’s supervisory statement promotes supervisory
convergence in how NCAs address cyber risks. The statement
addresses the need for a top-down strategy and risk appetite
considerations for (re)insurance undertakings underwriting or
wishing to underwrite cyber risk. It also reflects the need for a
review of policies for cyber coverage and the need to communicate
such a review to undertakings in a clear and timely manner.
Contributed by Rory Carbery
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.