CYBER RISKS
Risk and resilience
GFIA focuses on both insurers’ underwriting of the cyber risks of others and on their own cybersecurity
By Robert Gordon, chair of the GFIA Cyber Risks Working Group
GFIA’s Cyber Risks Working Group has spent much of its time over the last 12 months engaging with international organisations such as the International Association of Insurance Supervisors (IAIS) and the Financial Stability Board (FSB) on their projects relating to cyber risk and operational resilience as well as feeding into the GFIA study on protection gaps. The Working Group also expects to exchange views before the end of 2023 with the IAIS secretariat and the chair of the IAIS Operational Resilience Working Group on IAIS/FSB developments and expectations for the year ahead and to report on industry priority workstreams and concerns/challenges.
The last year has been a busy one at GFIA on cyber issues, with a comprehensive chapter on cyber risk included in the GFIA protection gaps study (see separate article here) in addition to responding to standard-setter consultations and direct inquiries from the IAIS on cyber risk.
Feedback on operational resilience
In GFIA’s comments in December 2022 in response to the IAIS consultation on an Issues Paper on insurance sector operational resilience, it emphasised the need to harmonise requirements, as well as the importance of both proportionality in supervisory approaches and a continued understanding of and respect for confidentiality requirements.
The IAIS published the final Issues Paper in May 2023, aiming to identify issues impacting operational resilience in the insurance sector and to provide examples of how supervisors are approaching these developments, with consideration of lessons learnt during the COVID-19 pandemic. The paper addresses three areas the IAIS Task Force considers to present significant and increasing operational risk and therefore to be of immediate interest to supervisors: cyber resilience; third-party IT outsourcing; and business continuity management
“Global cyber insurance premiums have continued to grow despite tighter terms and conditions and stricter risk selection.”
Comments on incident reporting
In GFIA’s December 2022 response to the FSB consultation on achieving greater convergence in cyber incident reporting, we encouraged the FSB to consider the added strain posed by conflicting compliance requirements and supported its recommendation to allow participation and engagement to be tailored as appropriate for the given financial authority or institution.
Cyber premiums continue to grow
GFIA also provided input to the IAIS for its 2023 Global Insurance Market Report (GIMAR) special topic edition, which presented an analysis of the risks and trends associated with cyber insurance coverage, cyber resilience in the insurance sector and the impact risks may have on financial stability. The IAIS Report finds that global cyber insurance premiums have continued to grow despite tighter terms and conditions and stricter risk selection.
Supervisors are actively developing and implementing macroprudential supervision frameworks for cyber risks. These include incorporating cyber scenarios into stress tests, collecting data on common vulnerabilities and supporting international initiatives to enhance the resilience of the financial sector. The cyber underwriting activities of insurers in the sample were not found to pose a threat to financial stability due to the currently limited volumes of affirmative cyber insurance underwriting. However, significant data gaps make it difficult to gauge the systemic risk posed by non-affirmative coverage.