Cyber insurance underwriting Part I: Back on the supervisory agenda

At a glance:

• Cyber insurance underwriting risk is quickly re-emerging as a supervisory priority, and there are renewed supervisory concerns given the very rapid growth of the market as a result of steadily increasing and changing demand following the pandemic.
• Insurers should, as a matter of priority, resume the work they paused pre-pandemic in relation to identifying, assessing and managing their cyber insurance underwriting risk in anticipation of heightened supervisory concern and scrutiny. In the UK, insurers should also continue to engage with the PRA on the cyber insurance underwriting scenario that will be included in its 2022 stress test.

The context

Just over a year ago, we published a report that explores how general insurance leaders can respond to regulators’ and supervisors’ developing expectations in relation to cyber underwriting risk. At that point, cyber insurance had come under increasing scrutiny as a result of the accelerating growth of the market and the uncertainty of expected losses. Regulators and supervisors in the UK and internationally were quick to react with guidance and clarifications of expectations.

When COVID-19 hit, cyber insurance underwriting took a backseat to more pressing and immediate concerns in relation to the pandemic. But, as supervisors return to BAU, and as the market demand for cyber insurance continues to grow due to permanent shifts in working patterns following the pandemic, cyber insurance underwriting risk is now quickly re-emerging on the supervisory agenda – and is here to stay.

This blog explores why we think cyber insurance underwriting is back in the spotlight and in fact more pertinent than ever following the pandemic, and how insurers should best respond.

Cyber insurance underwriting back in the spotlight

The pandemic has sparked fresh supervisory concern around cyber insurance underwriting risk given the rapid growth of the cyber insurance market throughout 2020 and 2021. As organisations face increased cyber and operational challenges following COVID-19, including a 300% increase in reported cybercrimes in April 2020, and a 600% increase in phishing between February and April 2020, more of them are looking to purchase insurance to cover potential losses. In 2020, the cyber insurance market was worth USD 7 billion of GWP. While this may not seem particularly striking, put in context, the cyber insurance market grew more than 33% in 2020 alone, and some estimates predict that the global cyber insurance market will reach USD 20 billion of GWP by 2025 (this estimate could be even higher as a result of accelerated digitalisation). This exceptionally rapid growth, coupled with stress test results showing the materiality of cyber risk, with potential losses comparable to large natural catastrophe (NatCat) events (the PRA’s various NatCat scenarios from its 2019 stress test individually result in industry losses between USD 5 – 11 billion) is undoubtedly putting cyber insurance back in the supervisory spotlight.

In light of this, supervisors have now resumed their work in relation to cyber insurance underwriting. In the UK, the PRA recently announced that its 2022 general insurance stress test (GIST) will focus on cyber underwriting risk. The scenario will build on the exploratory cyber scenario included in the 2019 GIST, which reinforced the PRA’s previous concerns in relation to insurers’ ability to assess and manage their cyber exposures. At a European level, we expect EIOPA to apply new vigour in executing its cyber insurance underwriting strategy that it published just before the outbreak of the pandemic. In particular, EIOPA is set to provide more guidance around non-affirmative cyber and accumulation risk, collect more information on cyber underwriting to make available to the public, and continue workshops to promote industry dialogue.

What do you need to do?

Over the coming months, as supervisors ramp up scrutiny in this area and, in the case of the UK, prepare to launch a cyber underwriting focused stress test exercise, insurers will need to go back to the work they paused pre-pandemic in relation to identifying, assessing and managing their cyber insurance underwriting risk. UK insurers should perform a gap analysis to understand where they may fall short of supervisory expectations and, in particular, focus on improving cyber data collection and use capabilities ahead of the September 2022 submission deadline for the PRA’s GIST. Insures may, for example want to develop a data organisation approach that ensures consistent use of in-house cyber data, complemented by data from external providers, or even go so far as to develop a cyber risk taxonomy that events can be tagged against.

UK insurers should also engage with the PRA on its requests for technical input on the structure and parameters of the cyber scenarios that will be included in the GIST. Given the findings from the previous exploratory stress test, we expect the PRA to work closely with the industry to provide more detailed parameters this time around. In the EU, meanwhile, insurers should revisit EIOPA’s cyber strategy to understand where they should focus their efforts in the coming year.

In our report, we set out further detailed, practical steps that insurers can take to help build supervisory confidence in firms’ understanding and management of cyber underwriting risks.