In July 2023, the European Insurance and Occupational Pensions Authority (EIOPA) published a document on methodological principles for the application of cyber risk resilience testing in insurance institutions. The document comprises a set of theoretical and practical standards, guidelines and approaches, and is intended to support the design of future insurance stress tests focusing on cyber resilience risk and cyber underwriting risk.
Insurance cyber risk stress testing
Executive summary
EIOPA has published a methodological principles document for the application of cyber risk resilience testing in insurance institutions. With this publication, EIOPA aims to provide the basis for the assessment of insurers' resilience to severe cyber incident scenarios, focusing on the financial consequences of such scenarios. The methodological principles are developed based on the definition of two types of cyber risk: cyber resilience risk and cyber underwriting risk.
Main content
Based on these two risk definitions, the document sets out the cyber incident scenarios applicable to each type of risk. This differentiation then makes it possible to detail, for each type of risk, the kinds of impact the institution would suffer if the scenario materialised.
- Cyber resilience risk covers a direct attack on the entity itself: the impact of a cyber-attack can lead to increased operational, detection and recovery costs. Possible scenarios for this type of risk include a power outage, ransomware, a cloud failure, a denial of service and a data breach. Operational and financial metrics exist to assess and measure the degree of cyber resilience and its impact on the insurer; however, these metrics are still in their infancy and further development is expected. The paper also provides a practical approach to managing cyber resilience risk impacts.
- Cyber underwriting risk covers claims made against the entity by a customer for a cyber incident that has materialised. Here, the impact of a cyber-attack can lead to an increase in the frequency of claims against the company, as well as higher costs. Possible scenarios for this risk include a power outage, a cloud failure and ransomware. Metrics are available that give an overview of the main drivers of the impact of the described scenarios on the balance sheet, equity and the solvency capital requirement (SCR) ratio. The paper also includes a practical approach to managing the impacts of cyber underwriting risk.
Download the technical note on Insurance cyber risk stress testing.