EIOPA published a paper on the methodological principles of insurance stress testing for the cyber component, aiming to assess insurers' financial resilience under severe but plausible cyber incident scenarios.
It focuses on two main aspects: cyber resilience, which measures insurers' ability to withstand adverse cyber events, and cyber underwriting risk, which evaluates insurers' capacity to endure the financial impact of extreme but plausible cyber scenarios affecting their liability portfolios.
The paper provides a set of theoretical and practical rules, guidelines, and approaches to support the design of future insurance stress tests focusing on cyber risks. It covers relevant regulation and supervisory experience in the field and benefits from stakeholder feedback received during a public consultation.
Key concepts in the paper include cyber risk, cyber resilience, and cyber attacks. Cyber risk is defined as the risk emanating from the use of electronic data and its transmission, including via technology tools such as the internet and telecommunications networks. Cyber resilience refers to the preservation of the confidentiality, integrity, and availability of information and of the ICT systems that store and process it, with the objective of withstanding cyber attacks. Cyber attacks can have various motivations, such as financial gain, espionage, or sabotage; financial institutions are prime targets because of the potential for monetary gain and the sensitive data they handle.
Potential threat actors in cyber attacks against insurers vary widely. Common profiles include financially motivated attackers seeking to carry out unauthorized transactions, steal financial data, or extort entities through ransomware or denial-of-service attacks. Other threat actors may pursue espionage or sabotage, but financially motivated attacks are generally more prevalent and more relevant for insurance undertakings.
The paper lays down scenarios and guidelines for cyber underwriting and cyber resilience stress tests. The scenarios cover various cyber incidents, such as data breaches, ransomware attacks, and infrastructure damage, enabling the assessment of insurers' exposure to cyber risks. The methodology and approach proposed in the paper are subject to potential future adjustments based on developments in the assessment of cyber risks at the European and global levels.