IAIS publishes assessment of cyber risks in the insurance sector, financial stability implications

Basel – The International Association of Insurance Supervisors (IAIS) has published the 2023 special topic edition of its Global Insurance Market Report (GIMAR). Based on data collected through its 2022 Global Monitoring Exercise (GME), the IAIS said the report presents an analysis of risks and trends associated with cyber insurance coverage, cyber resilience in the insurance sector and the impact these risks may have on financial stability.

“Cyber risk has become an important area of focus for insurance supervisors as it poses not only an operational risk but also an underwriting one”, said Vicky Saporta, IAIS Executive Committee Chair. “This report aims to offer a data-driven global perspective on the impact of cyber risk on the insurance sector and the associated supervisory responses.”

The association said the report shows that an expanding cyber attack surface, growing dependencies on technology, and a complex cyber threat landscape contributed to an increased demand for cyber insurance products, pushing written premiums to record levels in 2021 and improving profitability.

According to the data, said the association, the cyber insurance market saw substantive changes in underwriting controls, including tighter terms and conditions, and stricter risk selection and underwriting standards in response to higher-than-expected ransomware losses in 2020. As a result, clients not reaching minimum cyber hygiene standards found it harder to secure coverage.

Additionally, the analysis highlights the potential catastrophic dimension that cyber risk can have and how this can pose insurability issues. Despite this, the severity of claims related to large cyber events has been relatively low compared to those arising from natural disasters.

The report also finds that most insurers in the sample have implemented various cyber security measures, indicating a positive awareness and management of their own cyber risk. However, the effectiveness of their cyber security frameworks is difficult to evaluate due to data gaps and jurisdictional differences. The analysis shows that the global shortage of cyber security professionals compounds the cyber operational risks that insurers face.

In terms of systemic risk, the cyber underwriting activities of insurers in the sample were not assessed to pose a threat to financial stability, it said, adding that this is because the market was too small and tail losses arising from affirmative coverage would have been absorbed with the level of coverage being offered. However, there remain important data gaps to gauge the systemic risk posed by non-affirmative coverage.

“Cyber risk is a unique, growing and evolving risk that impacts businesses and broader society”, said Romain Paserot, IAIS Acting Secretary General. “The IAIS will continue to monitor the global cyber insurance market development and engage with stakeholders on this important topic.”

The IAIS added that it will host a cyber underwriting and operational risk roundtable to further discuss this report, as well as the Association’s supervisory practices work on operational resilience, at the IAIS Global Seminar, 15-16 June in Seattle, USA.