Insurance Europe has responded to a discussion paper by the European Insurance and Occupational Pensions Authority (EIOPA) on methodologies for cyber stress testing for insurers.
Any stress test exercise should have clear objectives, appropriate timescales and be proportionate to its objectives. There is no one-size-fits-all approach to stress testing of cyber resilience risk and cyber underwriting risk. There are different impacts on group and solo levels and the suitability is determined by factors such as size, type of insurance products, and structures of process and systems, among other factors.
Regarding the design of cyber stress tests, it should be noted that the market is maturing and remains highly specialised. Therefore, any European stress tests will come at a critical time and be influential on the development of the market, as well as regulatory and industry considerations and approaches.
The publication of the results of a cyber stress testing exercise should be approached with extreme caution. In that context, the industry would like to reiterate its position that the publication of results is neither necessary nor appropriate for any stress testing exercise.