Insurance Europe responds to EIOPA methodology for cyber stress testing of insurers

Insurance Europe has responded to a discussion paper by the European Insurance and Occupational Pensions Authority (EIOPA) on methodologies for cyber stress testing for insurers.

Any stress test exercise should have clear objectives, appropriate timescales and be proportionate to its objectives.

There is no one-size-fits-all approach to stress testing of cyber resilience risk and cyber underwriting risk. The impacts differ between group and solo levels, and the suitability of an approach depends on factors such as the size of the undertaking, the type of insurance products it writes, and the structure of its processes and systems, among others.

Specific comments on the proposed relevance of loss factors are as follows:

  • In terms of ransomware, direct losses are low when systems are restored quickly enough. In practice, however, there tend to be competing factors, such as the extent of encryption and the quality of backups. Therefore, the rating of moderate is plausible.
  • Denial of service is a relevant scenario but, in general, not deemed significant. For most insurers and pension providers, an outage would need to be of long duration to be significant. “Simple” denial-of-service attacks can usually be mitigated rather quickly. In addition, denial of service rarely affects all services (which are usually not hosted in the same place, given the multiplication of SaaS services) and, in most cases, lasts for a relatively short time. Insurance companies seem less affected by this type of attack.
  • For data breach, the impact on “Restoration” should not be “moderate”: it should be “low”, unless the scenario covers both “data theft and deletion of the copy held by the undertaking”. Restoration is not what drives recovery in this case: a company will tend to correct the flaw in question rather than restore to a version that is likely to contain the same flaw or is obsolete.
  • There is no link between availability and cryptojacking.
  • For the payment infrastructure outage, the impact would be low, except if the unavailability affects systems supporting tax declarations and the amounts are evaluated as “moderate”.
  • The “Data Center / Infrastructure” scenarios are usually not the consequence of a cyber act but rather of an event (for example, a natural disaster) affecting IT infrastructures. It is rather a scenario associated with a technical stress. In cases where a “Data Center / Cyber Infrastructure” scenario occurs as a result of a cyber-attack, it may be significant if infrastructures are shared across a group and there is an additional cost for policyholders to check data and systems to ensure that they have not been corrupted. Therefore, if the “Data Center / Infrastructure” scenario is to be implemented at all, the nature of the drivers should be taken into account in the design of this scenario.
  • As for power outage, the rating for direct losses should be low to be consistent with the other scenarios. However, of all the scenarios proposed, it can be argued that power outage should not be included, since it is primarily caused by external factors and does not depend on a company’s maturity in dealing with cyber risk. Therefore, the relevance of including this scenario in a cyber stress test is questioned.

Regarding the design of cyber stress tests, it should be noted that the market is still maturing and remains highly specialised.

Therefore, any European stress test will come at a critical time and will be influential on the development of the market, as well as on regulatory and industry considerations and approaches.

The publication of the results of a cyber stress testing exercise should be approached with extreme caution. In that context, the industry would like to reiterate its position that the publication of results is neither necessary nor appropriate for any stress testing exercise.

Insurance Europe is the European insurance and reinsurance federation. Through its 36 member bodies — the national insurance associations — it represents all types and sizes of insurance and reinsurance undertakings.

Insurance Europe, which is based in Brussels, represents undertakings that account for around 95% of total European premium income. Insurance makes a major contribution to Europe’s economic growth and development.

European insurers pay out over €1 000bn annually — or €2.8bn a day — in claims, directly employ more than 920 000 people and invest over €10.6trn in the economy.

by Nataly Kramer