On February 28, the IIF responded to the European Insurance and Occupational Pensions Authority (EIOPA) consultation on Methodological Principles of Insurance Stress Testing with a focus on Cyber Risk. The discussion paper set forth a series of theoretical and practical approaches to support the design phase of potential future insurance stress tests focused on cyber resilience and cyber underwriting.

In its response, the IIF encouraged EIOPA to adopt a focused, proportionate and practical approach to stress testing that allows for simplifications and approximations as cyber stress testing continues to evolve and improve. Given the evolving state of cyber risk management, the IIF encouraged EIOPA to recognize that granular data may not always be available, and that firms should be able to use estimates, proxies and approximations and submit higher level, less granular information until the robustness of data improves. The IIF also highlighted the sensitivity of the data that would be provided to EIOPA in these stress testing exercises, and called for strict protocols to ensure the security and confidentiality of this information.

The IIF encouraged EIOPA to offer flexibility to firms to determine whether a group or solo approach would be most appropriate to their organizational structure, their information technology, and their risk management architecture. EU-headquartered companies should liaise with their group supervisors to discuss any issues related to stress testing at the group versus solo level, rather than with individual jurisdictional supervisors. With respect to groups headquartered outside of the EU, the IIF noted that EIOPA should limit its requirements to the EU-based operations.

Finally, the IIF encouraged EIOPA to consider the lessons learned from the cyber underwriting stress test exercises that have been conducted by a number of national supervisors to-date.