The EU’s cyber security agency, the European Agency for Network and Information Security (ENISA), has proposed a more standardised approach to cyber insurance and cyber risk assessment.
As part of its ongoing work to support the growth of the cyber insurance market in the EU, ENISA is currently looking at the potential harmonisation or standardisation of risk assessment language in cyber insurance. In October, the organisation published its preliminary findings and recommendations in a draft report.
The study considered the language used by insurance companies as part of their underwriting process, including the questions asked during the risk assessment, as well as the definitions used by underwriters in their policy wordings.
ENISA found that the cyber insurance market is growing rapidly, but its development is being hampered by a lack of data, particularly for aggregated loss scenarios, as well as a lack of standardisation in cyber insurance policies and risk assessments.
ENISA concluded that there is currently no consensus on security standards used by the cyber insurance industry. It also found that cyber insurance underwriting is not uniform and that underwriters ask entirely different questions to assess the same risk factors.
As a result, the cyber security agency has set out preliminary recommendations for insurers and EU policy makers to promote harmonisation.
The draft report proposes that EU policy makers and the insurance industry move to standardise cyber insurance policy language and underwriting questionnaires, as well as develop industry standards to define terminology, coverage, incident types and policy trigger parameters.
In particular, ENISA proposes that policy makers create minimum coverage requirements on top of which insurers can build extra coverage. It also proposes the active participation of the European Commission and ENISA in developing guidelines for cyber insurance.
For the insurance industry, ENISA suggests the development of standardised policy language and underwriting questionnaires to help insurers and customers mutually understand what they are selling and buying while avoiding the potential for coverage disputes and costly litigation.
ENISA says that language harmonisation efforts should focus on industries and sectors. It also proposes that insurers improve communication on affirmative or silent coverage for cyber exposures whenever policy language and conditions change.
One recommendation that chimes with the needs of insurers is around cyber incident data reporting.
ENISA proposes that the Commission leverage the upcoming mandatory incident reporting schemes under the NIS Directive and the General Data Protection Regulation (GDPR) to produce meaningful data that the cyber insurance industry could use to expand its evidence base. It also proposes the creation of a central EU-wide repository of incidents to provide aggregate data from multiple sources.
As part of the study, ENISA held a validation workshop in Brussels in October to discuss the draft. At the event, brokers and insurers welcomed ENISA’s interest in cyber insurance, but cautioned against moves to standardise cyber insurance at this early stage of the market’s development.
ENISA will now take on board feedback and produce final recommendations in the winter of 2017.
For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on firstname.lastname@example.org