The European Insurance and Occupational Pensions Authority (EIOPA) today published two Supervisory Statements on:
- exclusions related to systemic events such as pandemics, natural catastrophes or large cyber-attacks, and
- the management of non-affirmative cyber exposures.
Supervisory statement on exclusions in insurance products in relation to risks arising from systemic events
As the frequency of systemic events increases, there is a risk that insurance products covering them become unaffordable or unavailable. At the same time, products covering such events or products silent about the coverage may explicitly exclude them in the future. These developments have the potential to further widen existing protection gaps, which can have a detrimental effect on consumers and make our economies and societies less resilient.
EIOPA’s supervisory statement aims to promote supervisory convergence in how national competent authorities assess the treatment of exclusions as part of the product design and terms and conditions drafting process. The statement seeks to ensure that the interests of existing and prospective policyholders are duly taken into account when products are developed or revised or when events casting doubt on the scope of the coverage materialise.
Beyond general contract clarity and language simplicity requirements, EIOPA recommends that national competent authorities monitor whether insurance manufacturers appropriately assess the terms and conditions and the scope of coverage whenever the risk arising from a systemic event becomes uninsurable or there is a lack of clarity as to whether the risk is covered or not.
More broadly, beyond general product oversight and governance requirements, when new products are developed, EIOPA recommends assessing the target market’s needs, objectives and characteristics with respect to the exclusion of risks arising from systemic events – including when determining whether risks stemming from systemic events are covered or not.
While there may be a limit to insurability, EIOPA is of the view that consumers and small businesses can assess the risks involved better – including those stemming from systemic events – when coverage is clear and aligned to the target market’s needs. The supervisory statement therefore advocates greater clarity and specific tailoring to the target market.
Supervisory statement on the management of non-affirmative cyber exposures
Insurers are exposed to potential cyber-related losses through cyber insurance policies and insurance policies that do not explicitly take cyber risks into account (non-affirmative coverages). Given undertakings’ exposure to this burgeoning risk category, EIOPA recommends that national competent authorities pay closer attention to insurance undertakings’ assessment of the terms and conditions of their existing insurance products covering cyber risks.
EIOPA’s supervisory statement aims to promote supervisory convergence in how national competent authorities address the market regarding cyber risks. The statement addresses the need for a top-down strategy and a risk appetite definition for (re)insurance undertakings underwriting or wishing to underwrite cyber risk. It also reflects on the potential need for a review of the terms and conditions of the contracts regarding their cyber coverage and the need to have in place a strategy on how to communicate such a review to policyholders clearly and in a timely manner.
Undertakings should devote particular attention to traditional war and terrorism exclusions that may not take into account the digital aspects of modern warfare and thus lead to uncertainty and ambiguity regarding coverages. The outcome of this exercise should result in terms and conditions that are clear, simple and aligned with the undertaking’s overall strategy and cyber risk appetite, while at the same time providing value for money to the policyholder in line with the target market.
The statement also highlights the need for undertakings to identify and measure their exposure to cyber risk with the purpose of implementing sound cyber underwriting practices. The management of non-affirmative cyber exposures is of particular importance, including a regular evaluation and use of available reinsurance capacity to mitigate accumulation risk related to cyber risk.
Both supervisory statements have greatly benefitted from the feedback EIOPA received from stakeholders during the public consultation phase. The responses have been duly considered and published in a resolution table accompanying the statements.