European insurance regulatory authority EIOPA has urged national regulators to crack down on the phenomenon known as ‘silent cyber’.  

Publishing a supervisory statement on non-affirmative cyber (or ‘silent cyber’) risks, EIOPA has called for a series of wide-ranging actions from national competent authorities (NCAs), including greater attention to the supervision of cyber underwriting risk.

Other key recommendations include:

• greater engagement with insurers;
• a more holistic and risk-based approach in the supervision of top-down strategy and appetite for underwriting cyber risk;
• identification and measurement of risk exposure with the purpose of implementing sound cyber underwriting practices, with particular regard to silent cyber risk; and
• better cyber underwriting risk management and risk mitigation, including reinsurance strategy

Silent cyber risk refers to instances where cyber coverage is neither explicitly included nor excluded in an insurance policy.

As underwriters in the cyber market will be all too well aware from recent cyber incidents, if a cyber event materialises, this can lead to significant and unexpected losses across lines of business, especially from silent cyber.

As EIPOA states in the paper, “Cyber-related claims are increasing alongside a growth in the frequency and sophistication of cyber incidents across financial and non-financial sectors. Past incidents like the NotPetya attack have demonstrated the large exposure potential of undertakings to non-affirmative and potentially systemic risk.”

 “Until recently, the broader market has systematically underestimated the volatility of the underlying loss distribution of cyber risks.”

“As indicated by feedback received from the industry, undertakings often lack clear strategies, defined risk appetites and robust methods for quantifying exposures. While awareness is increasing, undertakings lack formalised cyber action plans that also account for non-affirmative cyber risk exposures.”

EIOPA adds that NCAs should ensure that those in the cyber insurance sector assess the opportunity to make use of reinsurers’ capacity to be able to bear large cyber events, through the use of specific reinsurance structures:

“The possible use of these structures, as appropriately designed also given the specific nature of cyber risks, should be able to cover both affirmative and non-affirmative exposures. On the same line, it is important to monitor the availability of such reinsurance structures and establish a dialogue with reinsurers to identify possible gaps.”

To access the full paper, click here.