This IIF Staff Paper: "Cyber Risk Insurance Update: Advances in Risk Management, Prioritizing Prevention and Protection" reviews how the cyber risk insurance market is maturing and highlights the strong emphasis by insurance providers on prevention, preparation and incident response, as well as protection. The paper also examines innovative advances in the risk management of cyber insurance underwriting and acknowledges a number of challenges remain, including those related to “silent,” or non-affirmative cyber risk, concentration and accumulation risks, and an increase in state-sponsored attacks.
This is a follow-up to an IIF staff paper we published in late 2017, which found that the burgeoning use of cyber risk insurance reflected a growing market responding to increased demand driven by greater public awareness of cyber risk. At the time, the provision of cyber risk insurance was impacted by the rapidly evolving nature of the risk, a lack of historical data, new modeling practices, legal uncertainty, and the potential for accumulation risk arising from the possible interconnectedness of large cyber events. Policy makers had also begun focusing more closely on this market and how it fits into the overall regulatory and supervisory framework.
This updated paper discusses the regulatory and supervisory response to cyber risk, noting the shift in focus from resilience and reporting to the emphasis on “silent” cyber risk and sustainable underwriting practices. It also offers support for the development of a common lexicon and taxonomy for cyber risk in order to facilitate further advances in risk management, as well as greater transparency and clarity around policy wordings and scope of coverage. Finally, it advances recommendations to policymakers, regulators and supervisors, including a possible role for the public sector (and/or public-private partnerships) in addressing the cyber risk insurance gap.