2023 GIMAR SPECIAL TOPIC EDITION
broad view of the issues, while insurer-level data provide
enough granularity to add nuance to the analysis.
The report also provides potential data templates for
jurisdictions that are beginning to collect data on cyber
risks.[15]
Lastly, this analysis provides information on
potential emerging risks that should help inform the need
for future work. By publishing this report, the IAIS aims
to contribute to the debate on the impact of cyber risk
on the insurance sector, cyber protection gaps, cyber
risks posed to financial stability, and the associated
supervisory responses.
1.1 SCOPE AND CONTEXT
This report covers a general overview of trends and key
aspects of the cyber insurance market and the cyber
resilience of insurers from a supervisory perspective. It
is not intended to be a technical analysis of the various
actuarial and operational issues covered by the overview.
For instance, while this analysis briefly covers data
issues, it does not provide a rigorous analysis on data
availability and suitability. Moreover, data limitations
also constrain the depth of the analysis. Due to the
lack of data, the report does not quantitatively assess
the risks posed by cyber insurance exposures. While
the assessment of the cyber resilience of the insurance
sector focuses on security threats and third-party risks,
it does not cover other issues, such as internal threats,
systems failures and human error.
This report builds on previous IAIS work on this
topic. In 2016, the IAIS published an issues paper
that aimed to raise awareness about the challenges
presented by cyber risk for insurers and supervisors.[16,17]
It recommended the IAIS develop and publish an
application paper to further explore cyber risk, cyber
security and cyber resilience and propose supervisory
practices for the insurance sector. An Application Paper
on Supervision of Insurer Cyber Security was published
in 2018. While these earlier papers focused on cyber
resilience, the IAIS published an additional paper in 2020
focused on the cyber underwriting market.[20] Cyber risk
was also a macroprudential theme of the 2021 GIMAR.[21]
Most recently, in October 2022, the IAIS’ Operational
Resilience Task Force (ORTF) published for consultation
a draft Issues Paper on Insurance Sector Operational
Resilience, which included the topic of cyber resilience.[22]
1.2 STRUCTURE
The rest of this report is structured as follows:
❚ Section 2 describes the data collection
process, the samples and the data limitations.
❚ Section 3 presents a general overview of key
aspects and trends in the cyber insurance market,
analyses the risks posed by affirmative and
non-affirmative coverage and the different mitigation
strategies adopted, considers the likely impact current
trends may have on the cyber insurance protection
gap and discusses the supervisory assessment.
❚ Section 4 analyses the risk-management
strategies and cyber security posture of insurers
in the sample, discusses limitations of this
evaluation and presents the supervisory assessment.
❚ Section 5 evaluates how the cyber insurance
market and the resilience of insurers could
pose a threat to financial stability.
❚ Section 6 concludes the discussion
and presents recommendations.
[15] For a copy of the technical specifications of the data collection and the data templates, see GIMAR 2022 Annex 4.
[16] IAIS Issues Papers provide background on particular topics, describe current practices, actual examples or case studies pertaining to a particular topic and/or identify related regulatory and supervisory issues and challenges.
[17] See IAIS, Cyber Risk to the Insurance Sector (August 2016).
[18] IAIS Application Papers provide supporting material related to specific IAIS supervisory material.
[19] See IAIS, Supervision of Insurer Cybersecurity (November 2018).
[20] See IAIS, Cyber Risk Underwriting: Identified Challenges and Supervisory Considerations for Sustainable Market Development (December 2020).
[21] See IAIS, GIMAR 2021 (November 2021).
[22] See IAIS, Insurance Sector Operational Resilience (October 2022).