Cyber risk

Cyber risk has been increasing for several years, in line with expanding digitisation, interconnectedness and cyber threats. Insurers are not only exposed to cyber risks in their operations but are also active takers of cyber risk through their cyber underwriting activities. As digitisation, interconnectedness and cyber threats continue to expand, cyber insurance has the potential to become an increasingly significant part of the non-life market and to play a greater role in mitigating the risks associated with cyber incidents. In view of the potential scale and pace of the growth of the cyber insurance market and the ubiquitous and significant nature of cyber risk, cyber insurance underwriting has increasingly attracted supervisory attention.

Financial stability

The IAIS performs a forward-looking role in identifying key trends and developments that could reshape the insurance industry and impact on financial stability. Cyber risk is a key area of focus for the IAIS as rapid technological change and innovation have dramatically increased cyber threats and risks to cyber resilience, both of which have been further compounded by the rapidly changing work environments that came about during the Covid-19 pandemic.

Therefore, in 2022 the IAIS focuses its special topic edition of the Global Insurance Market Report (GIMAR) on cyber risk. These reports allow the IAIS to delve deeper into relevant topics to assess the potential risks to global financial stability and identify the need for further work.

Supervisory practices

In 2020, the IAIS published a report on Cyber Risk Underwriting and Identified Challenges and Supervisory Considerations for Sustainable Market Development. The report recognises that as digitisation and cyber threats continue to expand, cyber insurance is becoming increasingly significant to the non-life insurance market. The report concluded that current cyber underwriting practices, while serviceable, are not optimal, in particular due to issues surrounding the measurement of risk exposures.

On the supervisory front, the report identified that supervisory intensity and specific toolbox development (such as the use of stress tests) are generally proportionate to the size of the cyber risk underwriting market; however, given the scale and pace of the future growth of this market, it will become increasingly important to address the challenges associated with the measurement of risk exposures, cyber incident reporting and clarity of policy wording.

The IAIS established the Operational Resilience Task Force (ORTF) in 2020, focused on developing supervisory supporting materials on issues related to cyber resilience, including the implications of cyber risk for IT third-party outsourcing and business continuity management. The ORTF is reviewing how existing insurance core principles support cyber resilience concepts, and is taking stock of recent publications relevant to its mandate.

In 2022, the ORTF is developing further supporting material on operational resilience in the insurance sector, specifically on IT third-party outsourcing and insurance sector cyber resilience, building on work undertaken by the FSB on a cross-sector basis.

Partners

Cyber resilience and sound cyber risk underwriting practices play an important role in ensuring safe and stable insurance markets for policyholders, and supporting financial inclusion among traditionally underserved communities and individuals, including reducing the insurance protection gap.

In this regard, the work of A2ii is relevant to the IAIS activities related to cyber risk.