Cyber underwriting report released by Bermuda Monetary Authority: And it may remind you of another regulator’s recent report
On February 18, 2021, the Bermuda Monetary Authority (BMA) released its annual Bermuda Cyber Underwriting Report based upon the BMA’s analysis of “the cyber underwriting information from the 2019 annual filings for commercial (re)insurers (Classes 3A, 3B, 4, C, D and E), groups and limited purpose (re)insurers (Classes 1, 2, 3, A and B).” For those unfamiliar with the Report, the publication outlines statistics, findings and general recommendations regarding cyber underwriting and, “to a lesser extent,” operational cyber resiliency. Its findings and suggestions were similar to the Cyber Insurance Framework guidance recently published by the New York Department of Financial Services.
In short, the BMA expects insurers to evaluate both affirmative and non-affirmative cyber exposure as a critical process in their “overall governance and risk management framework.” In so doing, it also expects insurers to address several areas with adequate policy and procedures measures. Here is a brief outline of some observations and expectations articulated by the BMA:
- Identify, measure, quantify, monitor and mitigate non-affirmative cyber risk exposures. The BMA expressed concern “that insurers may be unaware of the magnitude and nature of their full cyber exposures.” It “expects” insurers “to implement appropriate and adequate systems in place to identify, measure, quantify, mitigate and monitor non-affirmative cyber risk exposures.” Further, each carrier’s board of directors and senior management “must have a deeper understanding of non-affirmative cyber exposures to serve as a basis for its strategy formulation.”
- Management of tail risk. Given the difficulty to manage exposure, including low probability but high severity events, the BMA expects insurers “to conduct stress and scenario testing for various degrees of both affirmative and non-affirmative exposures and assess the results therein for proper mitigation measures.”
- Modelling of cyber risk. The BMA “expects insurers to take appropriate steps to mitigate the uncertainties associated with modelling cyber risks.” The report states that these steps “must be documented and appropriately adjusted” in a timely manner to reflect material changes in circumstances. Carriers should “implement robust model validation processes to ensure the appropriateness and usefulness of their models.”
As “next steps,” the BMA intends to:
- Require commercial insurers to disclose more explicitly in their CISSA and GSSA filings how they are managing both affirmative and non-affirmative cyber exposures.
- Require insurers to establish appropriate policies and procedures for the identification, measurement, monitoring and mitigation of cyber insurance risk exposures to the extent they have not already done so.
- Require insurers “to clarify whether cyber coverage is provided or not, in non-cyber policies, either by having clear exclusion language or adding the necessary endorsements,” beginning with the January 2022 renewal cycle. Commercial insurers and groups will be required to document their progress in their CISSA/GSSA filings for the 2021 year-end.
- Continue to engage with rating agencies and vendor model providers to understand how models adapt to deal with challenges related to cyber risk underwriting.
What this means. If this sounds familiar, take a look at the New York Department of Financial Service’s (NY DFS) Cyber Insurance Framework, which we wrote about earlier this month. Among the “best practices” outlined by NY DFS in its framework include:
- Insurance carriers should develop and implement a “formal insurance risk strategy” for measuring cyber insurance risk that is reviewed and approved by senior management and board of directors;
- Insurance carriers should identify and evaluate their exposure to silent or non-affirmative cyber risks and “take appropriate steps to reduce their exposure”;
- Insurance carriers should “conduct internal cybersecurity stress tests based on unlikely but realistic catastrophic cyber events”; and
- Insurance carriers should “eliminate” silent cyber risks by “making clear in any policy that could be subject to a cyber-claim whether that policy provides or excludes coverage for cyber-related losses.”
Regulators are taking a clear direction as to how they expect insurance carriers (both cyber and non-cyber) assess, evaluate, and manage cyber risk in their underwriting procedures as policyholder exposures continue to expand in frequency, complexity, and severity. This is an area to continue to monitor in the Bermuda Market and in other markets and jurisdictions.