Methodological principles of insurance stress testing - cyber component

This paper aims to set the ground for an assessment of insurers’ resilience under severe but plausible cyber incident scenarios, focusing mostly on the financial consequences of such scenarios. It elaborates on two main aspects:

• Cyber resilience, intended as the capability of an insurance undertaking to sustain the financial effect of an adverse cyber-event. The economic impacts should be informed by more operational oriented data on a firm’s capability to restore its operations at a sufficient level and in a time horizon which do not generate potential systemic effects on the financial sector and eventually on the real economy;
• Cyber underwriting risk, intended as the capability of an insurance undertaking to sustain by a capital and solvency perspective the financial impact of the materialization of an extreme but plausible adverse cyber scenario impacting the insurance coverages contained in the liability portfolios.

The purpose of the paper is two-fold. Firstly, it sets the stage for a discussion on the assessment of the exposure of insurers towards cyber risk. Secondly, it lays down the approaches to design and operationalise a cyber risk assessment in the context of the EIOPA bottom-up stress testing framework. The paper benefits from the engagement with stakeholders during a public consultation that took place between November 2022 and February 2023.