EIOPA published a supervisory statement on the management of non-affirmative cyber exposures. By virtue of the statement, EIOPA recommends that National Competent Authority's dedicate higher attention to the supervision of cyber underwriting risk, in particular to (re)insurance undertakings that have potentially significant exposure to non-affirmative cyber insurance risk and to those who have not yet developed a plan to identify and manage non-affirmative cyber underwriting risk, including tailored considerations regarding the specificities of the multiple Lines of Business and products impacted.

The statement in particular, recommends to NCAs to engage in a supervisory dialogue with the undertakings and follow a more holistic and risk-based approach in the supervision of at least the following aspects:

  1. top-down strategy and appetite for (re)insurance undertakings to underwrite cyber risk;
  2. identification and measurement of risks exposure with the purpose of implementing sound cyber underwriting practices, with particular regard to the non-affirmative cyber risk;
  3. cyber underwriting risk management and risk mitigation, including the reinsurance strategy.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.