IAIS - Issues Paper on Cyber Risk to the Insurance Sector



Concern over cybersecurity is growing across all sectors of the global economy, as cyber risks have grown and cyber criminals have become increasingly sophisticated. For insurers, cybersecurity incidents can harm the ability to conduct business, compromise the protection of commercial and personal data, and undermine confidence in the sector. The IAIS has noted that the level of awareness of cyber threats and cybersecurity within the insurance sector, as well as supervisory approaches to combat the risks, appear to vary across jurisdictions.
While many of the most widely publicised cybersecurity incidents involving consumer data have affected retailers, companies in the financial services sector, including insurers, have been victimised as well.
All insurers, regardless of size, complexity, or lines of business, collect, store, and share with various third parties (e.g., service providers, reinsurers) substantial amounts of private and confidential policyholder information, including in some instances sensitive health-related information. Information obtained from insurers through cyber crime may be used for financial gain through extortion, identity theft, misappropriation of intellectual property, or other criminal activities. Exposure of private data can potentially result in severe and lingering harm for the affected policyholders, as well as reputational damage to insurance sector participants. Similarly, malicious cyber attacks against an insurer’s critical systems may impede its ability to conduct business.
In 2015, the IAIS surveyed its Members on their perceptions of insurance industry cyber risk, their involvement as regulators in combating cyber threats, and supervisory approaches to cybersecurity that are used or under development. Members’ responses to the survey have provided input to this paper. Other inputs include consultations with various Members, insurers, cybersecurity professionals, and other experts, as well as literature cited in this paper. Additional resources are presented in Annex III.
The objectives of this Issues Paper are to raise awareness for insurers and supervisors of the challenges presented by cyber risk, including current and contemplated supervisory approaches for addressing these risks. As an Issues Paper, it provides background, describes current practices, identifies examples, and explores related regulatory and supervisory issues and challenges. This paper focuses on cyber risk to the insurance sector and the mitigation of such risks, but does not cover IT security risks more broadly. It also does not specifically address insurers’ underwriting of cyber risk (i.e., cyber insurance) or risks arising from cybersecurity incidents involving supervisors.
The paper is intended to be primarily descriptive and is not meant to create supervisory expectations. Nevertheless, the paper may shed light on the need for additional, more specific IAIS material to support supervisors in addressing cyber risk.

International Association of Insurance Supervisors
