The new normal

Shifts in behaviour during the pandemic have changed the landscape of cyber risks

By Stephen Simchak, chair of the GFIA cyber risks working group

The concerns raised in last year’s GFIA Annual Report about the COVID-19 pandemic and the increase in working from home exacerbating cyber risks across society came true. As a result, GFIA’s cyber risks working group spent much of the past year thinking about and responding to what the new remote environment means for cyber risks and policy. At the same time, policymakers shifted their focus back to the cyber issues being discussed before the pandemic in many ways, though those cyber issues have certainly taken on new dimensions due to the new remote-working environment and the ransomware epidemic. Indeed, the pandemic-related cyber developments have added to, rather than replaced, the types of cyber issues with which those of us in the policy world have been grappling.

Report on awareness initiatives

GFIA’s cyber risks working group started 2021 with the publication of a report entitled “Towards a safer cybersecurity environment: Insurance industry cyber-awareness initiatives”, which catalogues and compares the cyber-risk and cyber-insurance awareness initiatives being undertaken by eight GFIA members around the world. The report outlines their goals, communication methods, target audiences and partnerships, while providing observations on the similarities and differences between them.

The working group decided to undertake the research after realising that there is limited information available publicly on best practices in cyber-risk and cyber-insurance awareness efforts around the world. It is hoped that this modest contribution to cyber awareness will serve as a conversation-starter within the industry, in government agencies and in civil society groups around the world, and that learning about the different approaches will inspire others to launch or expand their own cyber-awareness efforts.


Long-awaited IAIS report

Meanwhile, back in late December 2020, the International Association of Insurance Supervisors (IAIS) released its long-awaited report, “IAIS Cyber Risk Underwriting — Identified Challenges and Supervisory Considerations for Sustainable Market Development”. The report is the culmination of an extensive literature review by the IAIS Cyber Underwriting Small Group (CUSG) and stakeholder and member engagement. It highlights challenges for the cyber insurance market and current supervisory approaches, and considers the role the IAIS can play in addressing those challenges and key issues as part of its Strategic Plan.

The IAIS’s outreach to GFIA and other industry stakeholders while formulating the report was extensive and greatly appreciated — and was possibly the best example of collaboration since the IAIS closed its meetings to industry observers. GFIA members participated in several regional IAIS roundtables, and I had the pleasure of meeting with several CUSG members on behalf of GFIA at various points in the process.

The IAIS paper recognises the great potential of the cyber insurance market, but also identifies measurement and clarity as challenges to market growth. Measurement challenges include modelling sophistication, accumulation, uncertainty over non-affirmative risk and a lack of historical data, it states. Clarity issues focus on non-standard wording, non-affirmative issues and the treatment of ransoms, fines, terrorism and war risk, the IAIS asserts. Importantly, the paper states that the IAIS does not support standardised policy wording; a very positive outcome from GFIA's perspective.

Finally, the IAIS recommends pursuing a strategic approach focused on:

  • facilitating the monitoring, understanding and assessment of cyber-risk underwriting exposure and impact; and,
  • assisting supervisors in building the capacity to review cyber-underwriting risk practices and exposures.
“The IAIS recognises the great potential of the cyber insurance market, but also identifies measurement and clarity as challenges to market growth.”

Future engagement

Since the publication of the CUSG report, the IAIS Operational Resilience Task Force (ORTF), which in many ways is a successor to the CUSG, has started to gather information about cyber-resilience issues and supervisory responses to cyber risks. GFIA understands that it intends to develop guidance on the supervision of cyber risks, including as they relate to third-party outsourcing providers.

At this early stage in the process, the ORTF is taking stock of existing practices on operational resilience and IT sourcing, and will engage with stakeholders in the coming months. Its goal is to publish a 2022 issues paper on cyber risks and insurance-sector resilience, including that of third-party outsourcing providers. This work will follow a similar workstream underway at the Financial Stability Board (FSB), which is looking at lessons learnt from the COVID-19 pandemic from a financial stability perspective, including lessons related to the operational and cyber resilience of financial firms.

GFIA has already signalled to the IAIS on several occasions that it expects to engage with the ORTF in its development of a paper, and it was heartened to note the IAIS commitment to early and transparent stakeholder engagement at the IAIS Global Seminar in June 2021. The working group has a lot to offer, given its work on these issues over the years in response to the activities of the FSB and OECD, and its own, proactive thought leadership.

Stephen Simchak

American Property Casualty Insurance Association