EIOPA has published a supervisory statement on non-affirmative cyber (or 'silent cyber') risks.

Silent cyber risk refers to instances where cyber coverage is neither explicitly included nor excluded in an insurance policy. If a cyber event materialises, this can lead to significant and unexpected losses across lines of business, ultimately leading to time-consuming, expensive, and unpredictable litigation.

As experienced with business interruption claims following the pandemic, denial of claims in case of uncertainty in coverage may lead to lengthy court cases, significant losses for the sector or a loss of confidence from policyholders.

EIOPA recommends that national competent authorities, such as the Central Bank of Ireland:

  • dedicate higher attention to the supervision of cyber underwriting risk;
  • engage with insurers and follow a more holistic and risk-based approach in the supervision of, at least, the following aspects:
    • top-down strategy and appetite for (re)insurance undertakings to underwrite cyber risk;
    • identification and measurement of risk exposure with the purpose of implementing sound cyber underwriting practices, with particular regard to silent cyber risk;
    • cyber underwriting risk management and risk mitigation, including reinsurance strategy.

Irish authorised (re)insurance undertakings should expect an increasing supervisory focus on silent cyber risk as a result.

Supervisory statement on the management of non-affirmative cyber exposures

https://www.eiopa.europa.eu/document-library/supervisory-statement/supervisory-statement-management-of-non-affirmative-cyber_en