Thursday, December 1, 2022
What has EIOPA published on cyber and insurance?

The European Insurance and Occupational Pensions Authority (EIOPA) has just published a consultation paper seeking insurance industry engagement to establish a framework for stress testing plausible cyber scenarios for the insurance community.

The paper is the first step in formulating a stress test benchmark for insurers to assess capital and solvency adequacy for cyber exposure within the EU.


EIOPA is seeking to rationalise capital modelling and solvency for insurance companies.

The paper sets out with great clarity the issues that each firm faces in respect of cyber exposure and includes (but is not limited to) scenarios, underwriting, resilience, assumptions, and guidance.

Consultation on what?

The consultation paper seeks contributions in two principal areas:

1. Approach to understanding the cyber resilience of insurance firms, and

2. Using plausible cyber scenarios to calibrate an understanding of the capital and solvency needed

Which companies fall within scope?

EU-regulated firms, large and small alike; regional / national / international regulated firms are captured.

Affirmative vs silent cyber?

Insurers with no affirmative cyber will be required to allocate capital and evidence adequate solvency for silent cyber or non-malicious cyber.

What classes of insurance?

All classes – those specifically referenced include, but importantly are not limited to:

General liability / Property / Business interruption / Credit Insurance / Crime / K&R / Marine / Aviation / Transport / Motor / Workers Comp / Medical / Life Insurance.

Other Cyber underwriting resources

The first regulator to address cyber insurance underwriting risk was the Prudential Regulation Authority (PRA) through the Supervisory Statement 2017/4. The PRA set out in some detail the approach to non-affirmative cyber risk (chapter 2), cyber risk strategy and risk appetite (chapter 3), and cyber expertise (chapter 4). Capital adequacy and solvency requirements are addressed under the Solvency II framework.

Astaara’s view

  1. We recommend this paper should be used as reference material for all insurers (EU / UK / US / Singapore / Japan).
  2. The EIOPA framework should be read in conjunction with PRA SS2017/4.
  3. The combination of both approaches will fast track adoption of a toolset relevant for your insurance business.
  4. It is salient that EIOPA has adopted the term “plausible” cyber scenario. We applaud the normalisation of cyber scenarios.
  5. P&I clubs are currently underwriting cyber on a silent basis, relying on war and terror scenarios to exclude the cyber risks. Scenario testing will need to include exposure in adverse underwriting where the exclusions do not work and/or reinsurance does not follow.

Reference documents

EIOPA Consults on Cyber component in its insurance stress testing framework

Bank of England / Prudential Regulation / Cyber Insurance Underwriting

Astaara and Cyber solutions

Astaara has the right blend of insurance, cyber security and marine experience to help insurers calibrate appropriate and proportionate scenarios for all marine insurers – LMX / International and P&I Clubs.

Through our shared experience, we understand the interactions between people, processes and technology; and how important it is to ensure that scenarios are grounded in reality.

  • Robert Dorey