Stressing cyber risks
In its July dashboard, EIOPA (the European Insurance and Occupational Pensions Authority) revealed that digitalisation and cyber risks have become one of the most important risks for the European insurance sector, with a risk level equal to that of market and macro risks. The main driver is cyber security risk, followed by cyber underwriting risk. Contributing elements are the current war between Russia and Ukraine and the increased reliance on remote and telework and on digital solutions and infrastructure. In that context, EIOPA published on 24 November 2022 a Discussion Paper on Methodological Principles of Insurance Stress Testing with focus on Cyber Risk. The deadline for responses is 28 February 2023.
EIOPA has been running stress tests regularly. These are so-called bottom-up stress tests: exercises run by a supervisor or regulatory authority, in which the participants are requested to perform the calculations themselves. The supervisor provides the stress testing framework, methodologies, adverse stress scenarios, prescribed shocks and guidance on the application of the shocks. Participants calculate the impact of the prescribed shocks on their financial position according to the guidance provided and using their own models.
This discussion paper is part of a broader effort to improve EIOPA’s stress testing framework. Previous papers focused on liquidity and climate risks. So far, according to EIOPA, there seems to be limited experience with conducting standard bottom-up stress tests with a focus on cyber risk aimed at the supervisory assessment of the financial impact of adverse cyber scenarios. Work in this area seems to be more advanced with regard to the assessment of cyber underwriting risk, with at least three supervisors having included cyber underwriting scenarios in their insurance stress tests (the British PRA, the National Bank of Belgium (NBB) and the Monetary Authority of Singapore (MAS)).
EIOPA aims at laying the groundwork for an assessment of insurers’ financial resilience under severe but plausible cyber incident scenarios. The paper elaborates on two main aspects:
- cyber resilience, understood as the capability of an insurance undertaking to sustain the financial impact of an adverse cyber event;
- cyber underwriting risk, understood as the capability of an insurance undertaking to sustain – from a capital and solvency perspective – the financial impact of an extreme but plausible adverse cyber scenario affecting underwritten business.
In its discussion paper, EIOPA suggests that the application of cyber resilience shocks and the calculation of the impacts should rely as much as possible on the standard EIOPA framework for stress testing with respect to the estimation of the impacts (fixed balance sheet), the evaluation of the impacts (Solvency II balance sheet) and alignment with the Solvency II framework.
Pro memoria: in the Commission’s Solvency II review proposal, an amendment is being proposed to include cyber security in the insurer’s operational risk management system (Article 44). Solvency requirements for operational risk are to be found in Article 204 of the L2 act and are a fixed factor of earned premium or technical provisions, whichever is higher.
In its Guidelines on information and communication technology (ICT) security and governance, EIOPA provides a definition of ICT and security risk as a sub-component of operational risk. This includes cyber risks as well as information security risks resulting from inadequate or failed internal processes or from external events, including cyberattacks or inadequate physical security. So, where the Commission refers to cyber security (operational) risk, EIOPA refers to cyber risks and information security risk.