S.14.03 — Cyber underwriting risk
General comments
This section relates to annual submission of information for individual entities.
This template is relevant to non-life insurance and reinsurance undertakings which underwrite products covering cyber risks as defined in these instructions.
Undertakings are required to provide information related to cyber risk underwritten by Product Group Code and by Product Identification. When more than one commercial product is provided for the same Product Identification, for the same set of LoB and the same set of Risk Coverage, products shall be reported using a single line, providing a “Product Group Code” defined by the undertaking to identify the group of reported products. Products within the same Product Identification not sharing the mentioned characteristic cannot be aggregated and therefore shall be reported using individual lines.
When a special justification is needed, the explanation is not to be submitted within the reporting template but shall be part of the dialogue between undertakings and the National Competent Authorities (NCAs).
The template shall be subject to the application of a threshold based on the following:
- The sum of premiums earned for standalone cyber policies and policies with cyber as add-on coverage (where only the (estimated) premiums earned for cyber risk should be taken into account) is greater than 5% of the overall non-life business pursued by the undertaking or greater than 5 million €
OR
- The number of policies that include cyber coverage (i.e. standalone cyber and/or cyber as add-on policy) represents more than 3% of the total number of policies of the non-life business.

| | ITEM | INSTRUCTIONS |
|---|---|---|
| C0010 | Product Group Code | Internal product group ID code defined by the undertaking. |
| | | The Product Group Code shall be consistent over time. |
| | | In the cases where the same product group needs to be reported in more than one row, the content of C0010 shall follow the specific pattern: |
| | | {Product Group Code}/+/{cardinal number}. For example ‘AB222/+/1’. |
| C0020 | Target Market | Identification of the Target Market. One of the options in the following closed list shall be used: |
| | | 1 - B2B (Business to Business) |
| | | 2 - Private |
| | | 3 - Both |
| | | Given the granularity of Risks identified in the cell C0060, option 3 is expected only as an exceptional case of the regular identification of the Target Market for product categories. |
| C0030 | Product Identification | Identification of the Product Category. One of the options in the following closed list shall be used: |
| | | First Party Loss (1) |
| | | Third Party Loss (2) |
| | | Costs and related services (3) |
| | | First Party Loss includes losses that relate to policyholders’ own data or loss of income, including any negative consequence that can cause, as a result of an event, a data breach or cyber attack to the policyholder’s business/personal sphere. |
| | | Third Party Loss includes losses that relate to policyholders’ liability for damage caused to others’ data or income, including any negative consequence that can cause, as a result of an event, a data breach or cyber attack to the policyholder’s business/personal sphere. |
| | | Costs and related services include coverages that only relate to costs or services delivered by the coverage issuer to restore systems and data after a cyber event (including legal costs). |
| | | In principle, only one item can be chosen from the list to characterise the Product Identification; however, in exceptional cases and in case of reporting from Reinsurance undertakings, multiple selection is allowed. |
| | | The Product Identification is uniquely defined by the combination of Line(s) of Business and Description of Risks included in the Coverage, provided that the latter is not filled in as “Other” or that multiple selection of the items available in the list is performed. If this is the case, two Product Categories characterised by the same LoB(s) and Description of Risks included in the Coverage as “Other” cannot be considered as the same Product Identification and will need to be reported as separate lines. |
| C0040 | Cyber coverage in the Product Identification | Identification of the Cyber coverage included in the commercial products included in the Product Identification. One of the options in the following closed list shall be used: |
| | | (1) Cyber Standalone Coverage |
| | | (2) Cyber as add-on coverage but main risk being covered |
| | | (3) Cyber as add-on coverage and not as main risk being covered |
| | | Cyber Standalone Coverage includes all the coverages where cyber is provided as standalone (i.e. unique) coverage. |
| | | Cyber as add-on coverage but main risk being covered (>50%) includes all coverages where cyber is an add-on item but represents the main risk being covered. |
| | | Cyber as add-on coverage and not as main risk being covered (<50%) includes all coverages where cyber is an add-on item but does not represent the main risk being covered. |
| | | Only one item can be chosen from the list to characterise the Product Identification. |
| C0050 | Line(s) of Business | Identification of the Line of Business covered in the commercial products. Options in the following closed list shall be used: |
| | | 1 - Medical Expense Insurance |
| | | 2 - Income Protection Insurance |
| | | 3 - Workers’ Compensation Insurance |
| | | 4 - Motor Vehicle Liability Insurance |
| | | 5 - Other Motor Insurance |
| | | 6 - Marine, Aviation and Transport Insurance |
| | | 7 - Fire and other Damage to Property Insurance |
| | | 8 - General Liability Insurance |
| | | 9 - Credit and Suretyship Insurance |
| | | 10 - Legal Expenses Insurance |
| | | 11 - Assistance |
| | | 12 - Miscellaneous Financial Loss |
| | | 13 - Proportional reinsurance - Medical Expense Insurance |
| | | 14 - Proportional reinsurance - Income Protection Insurance |
| | | 15 - Proportional reinsurance - Workers’ Compensation Insurance |
| | | 16 - Proportional reinsurance - Motor Vehicle Liability Insurance |
| | | 17 - Proportional reinsurance - Other Motor Insurance |
| | | 18 - Proportional reinsurance - Marine, Aviation and Transport Insurance |
| | | 19 - Proportional reinsurance - Fire and other Damage to Property Insurance |
| | | 20 - Proportional reinsurance - General Liability Insurance |
| | | 21 - Proportional reinsurance - Credit and Suretyship Insurance |
| | | 22 - Proportional reinsurance - Legal Expenses Insurance |
| | | 23 - Proportional reinsurance - Assistance |
| | | 24 - Proportional reinsurance - Miscellaneous Financial Loss |
| | | 25 - Non-Proportional reinsurance - Health |
| | | 26 - Non-Proportional reinsurance - Casualty |
| | | 27 - Non-Proportional reinsurance - Marine, Aviation and Transport |
| | | 28 - Non-Proportional reinsurance - Property |
| C0060 | Description of Risk(s) included in the coverage | Description of the risks included in the coverage using the options in the following closed list: |
| | | (1) Network Interruption (refers to a network security failure leading to business interruption. Examples may include a Distributed Denial of Service or “DDoS” attack (i.e. website being overloaded with requests organized by a malicious party) or a hacker accessing the network and deleting critical files, or adding malicious code that causes the system to fail) |
| | | (2) Network Interruption OSP (where OSP stands for Open Settlement Protocol (OSP), i.e. a client-server protocol that manages access control, accounting, usage data and inter-domain routing to make it easier for Internet service providers (ISPs) to support IP telephony) |
| | | (3) Network Interruption: system failure (which may include an “unintentional or unplanned outage” on the network. The failure could be due to human error, system error or both, e.g. a company upgrading its accounting system may unexpectedly cause the entire network to freeze in the process) |
| | | (4) Cyber Extortion (a form of online crime in which a website, e-mail server, or computer system is subjected to repeated denial of service (DDoS) or other attacks by malicious hackers, who demand money in return for promising to stop the attacks) |
| | | (5) Electronic Data Incident (incident in which sensitive, confidential or otherwise protected data is accessed and/or disclosed in an unauthorized fashion. Data breaches may involve personal health information (PHI), personally identifiable information (PII), trade secrets or intellectual property) |
| | | (6) Cyber Theft (may include online fraud or other similar illicit activities) |
| | | (7) Data Restoration (refers to the process of copying backup data from secondary storage and restoring it to its original location or a new location. A restore is performed to return data that has been lost, stolen or damaged to its original condition or to move data to a new location) |
| | | (8) Extra expense |
| | | (9) System clean-up costs |
| | | (10) Administrative investigation and penalties |
| | | (11) Physical injury |
| | | (12) Data Protection and Cyber Liability (includes also GDPR implications regarding third party data protection) |
| | | (13) Media Liability (i.e. reputational risk) |
| | | (14) Wrongful collection of information |
| | | (15) Media Content infringement/defamatory content |
| | | (16) Violation of notification obligations (notification of data breaches is provided in defined time lags by law and/or GDPR provisions) |
| | | (17) First Response (costs incurred in responding quickly to attacks to restore service) |
| | | (18) Event management (all activities needed to restore normal activities) |
| | | (19) Communication Costs (big data breaches may require mass communication of the outcomes of the breach) |
| | | (20) Credit/Identity monitoring (ensure the restoration/block of credit or identity data collected from customers/employees, etc.) |
| | | (21) Criminal Reward Fund (contribution to government funds established to cover cyber liabilities towards third parties) |
| | | (22) Contingent business interruption |
| | | (23) Financial Fraud |
| | | (24) Other |
| | | More than one option may be reported. |
| C0070 | Other risk detailed description | A detailed description of the risks if other risk is chosen. |
| C0080 | Sum(s) insured | Amount of the total sum(s) insured for the reported Product Identification. |
| C0090 | Premium(s) | Amount of the total premium(s) earned for the reported Product Identification. |
| C0100 | Sum(s) reinsured | Amount of the total sum(s) ceded to reinsurance undertakings for the reported Product Identification. |
| C0110 | Number of Claims settled with Payment | Number of Claims, for the relevant product category, that have been settled with payment during the reporting year. |
| C0120 | Amount of Claims Paid | Amount of claims paid, for the relevant Product Identification, for claims that have been settled with payment during the reporting year. |
| C0130 | Number of Claims settled without payment | Number of Claims, for the relevant Product Identification, that have been settled without payment during the reporting year. |
| C0140 | Technical Provisions | Amount of technical provisions, for the relevant Product Identification. |