Privacy from the business side
with simple, practical explanations, AI assisted
Observatory edited by Dr. V. Spataro



Document 2023-06-20 · Doc 97738

EIOPA: which risks and which stress tests for cybersecurity and fintech

abstract:



Document annotated on 20.06.2023. Source: assicurativo.it
Link: https://www.assicurativo.it/mobile/visual.php?num=











text:


Pay attention to the insured risks and to the conditions. This topic has already been covered on Assicurativo.it. Let's see what EIOPA says. The paper is 91 pages long.


The European Insurance and Occupational Pensions Authority (EIOPA) published today a Discussion Paper on Methodological Principles of Insurance Stress Testing with focus on Cyber Risk.

This discussion paper contains a set of theoretical and practical approaches to support the design phase of potential future insurance stress tests with a focus on cyber risk. This should further enrich the bottom-up stress test toolbox with additional elements to be potentially applied in future exercises.

EIOPA aims at laying the groundwork for an assessment of insurers’ financial resilience under severe but plausible cyber incident scenarios. The paper elaborates on two main aspects:

  • cyber resilience, understood as the capability of an insurance undertaking to sustain the financial impact of an adverse cyber event;
  • cyber underwriting risk, understood as the capability of an insurance undertaking to sustain – from a capital and solvency perspective – the financial impact of an extreme but plausible adverse cyber scenario affecting underwritten business.

EIOPA invites stakeholders to share their feedback using the provided template no later than 28 February 2023. Contributions should be sent to the following email address: eiopa.stress.test@eiopa.europa.eu.

The feedback received will be considered in the preparation of a final methodological paper to be published on EIOPA's website.


Background

This discussion paper is part of a broader effort to enhance EIOPA’s stress testing framework. In 2019, EIOPA initiated the enhancement of its methodology for bottom-up stress testing with its first paper on Methodological Principles of Insurance Stress Testing. This was followed by work on specific stress testing related topics such as the assessment of liquidity positions under adverse scenarios and of vulnerabilities towards climate-related risks, leading to the publication of the second paper on Methodological Principles of Insurance Stress Testing with a focus on Liquidity and the third paper on Methodological Principles of Insurance Stress Testing with a focus on Climate Risks.

Here is the table of contents of the text, which is available here: 31 January 2023, Discussion paper on methodological principles in insurance stress testing - Cyber component.pdf, English (1.3 MB - PDF)

CONTENTS

1 Introduction

2 Cyber risk for insurers
  2.1 Cyber risk: main concepts
  2.2 Cyber resilience: insurers as direct targets of cyber attacks
    2.2.1 Motivation of cyber attacks against insurers
    2.2.2 Perpetrators of cyber attacks against insurers
    2.2.3 Types of cyber attacks against insurers
    2.2.4 Impact of cyber attacks against insurers
  2.3 Cyber underwriting: insurers exposed through underwritten products
    2.3.1 Cyber insurance market
    2.3.2 Affirmative cyber
    2.3.3 Silent cyber
    2.3.4 Accumulation risk

3 Key assumptions

4 Scope
  4.1 Criteria

5 Scenarios
  5.1 Scenario selection
  5.2 Scenario narratives and specifications
    5.2.1 Data Center/Infrastructure Damage (cloud outage)
    5.2.2 Ransomware / Data Theft
    5.2.3 Denial of Service (DoS)
    5.2.4 Data Breach
    5.2.5 Power outage
  5.3 Scenarios not retained for the purpose of this paper

6 Cyber underwriting: shocks, specifications and metrics
  6.1 General guidance
  6.2 Shocks
  6.3 Metrics
  6.4 Examples of applications
    6.4.1 Ransomware
    6.4.2 Cloud outage
    6.4.3 Power Outage
  6.5 Silent cyber: additional guidance
  6.6 Data elements

7 Cyber resilience: shocks, specifications and metrics
  7.1 General guidance
  7.2 Shocks
  7.3 Metrics
  7.4 Examples of applications
    7.4.1 Cloud outage
    7.4.2 Ransomware
    7.4.3 Denial of Service (DoS)
    7.4.4 Data breach
    7.4.5 Power outage
  7.5 Data elements

8 Communication of results

9 Annexes
  9.1 ANNEX: Glossary of cyber risk terms
  9.2 ANNEX: MITRE ATT&CK
  9.3 ANNEX: Cyber insurance coverages
  9.4 ANNEX: Example of data templates for cyber underwriting
    9.4.1 Example template for impact of cyber scenarios per product
    9.4.2 Example template for impact of cyber scenarios per economic sector
    9.4.3 Example template for accumulation exposure cyber insurance per IT service provider

Table 1 – Impact of various cyber resilience scenarios
Table 2 – Advantages and disadvantages of targeting solo or group undertakings for the purposes of stress testing cyber risk
Table 3 – Reference metrics for inclusion of undertakings in the scope of a stress test with focus on cyber risk
Table 4 – Categories of cyber incidents and associated risk factors
Table 5 – Cloud outage scenario
Table 6 – Ransomware / Data Theft scenario
Table 7 – Denial of Service (DoS) scenario
Table 8 – Data Breach scenario
Table 9 – Power outage scenario
Table 10 – Cyber underwriting scenarios and their shocks
Table 11 – Cyber underwriting metrics
Table 12 – Ancillary indicators
Table 13 – Ransomware shocks
Table 14 – Cloud outage shocks
Table 15 – Power outage shocks
Table 16 – Cyber resilience scenarios and their shocks
Table 17 – Cyber resilience metrics
Table 18 – Cloud outage shocks
Table 19 – Ransomware shocks
Table 20 – DoS shocks
Table 21 – Data breach shocks
Table 22 – Power outage shocks





