2025-03-28

GFSC Guidance Note on Cyber Insurance Underwriting Risk

The Gibraltar Financial Services Commission issued this guidance to establish prudential expectations for insurance and reinsurance firms regarding cyber insurance underwriting risk. The document requires firms to robustly assess and manage both affirmative and non-affirmative cyber exposures by integrating clear risk appetite statements into their strategies and maintaining specialized cyber expertise across all defense lines. Additionally, firms must ensure board oversight of these risks, conduct regular stress tests, and align capital provisions with identified cyber threats to enhance market certainty and resilience.


Gibraltar Financial Services Commission


GFSC Guidance Note: Cyber Insurance Underwriting Risk
Version: 2
Publication Date: 28/03/2025
www.gfsc.gi

Gibraltar Financial Services Commission Guidance Note on Cyber Insurance Underwriting Risk

Table of Contents

  1. Introduction
  2. Non-affirmative cyber risk
  3. Cyber risk strategy and risk appetite
  4. Cyber expertise


1. Introduction

1.1 This Guidance Note sets out the Gibraltar Financial Services Commission’s (‘GFSC’s’) expectations of firms regarding cyber insurance underwriting risk. For the purposes of this Guidance Note, cyber insurance underwriting risk is defined as the set of prudential risks emanating from underwriting insurance contracts that are exposed to cyber-related losses resulting from malicious acts (e.g. cyber attack, infection of an IT system with malicious code) and non-malicious acts (e.g. loss of data, accidental acts or omissions) involving both tangible and intangible assets.

1.2 This Guidance Note is relevant to all Gibraltar insurance and reinsurance firms and groups (‘firms’ or ‘insurers’).

1.3 This Guidance Note is intended to complement existing legislation, policies and guidance and is not intended to conflict with, amend or supersede them. It should be read in conjunction with:
• The Financial Services (Insurance Companies) Regulations 2020 (‘the Insurance Companies Regulations’) [1];
• The GFSC’s ‘Approach to Insurance Regulation’ [2];
• The European Insurance and Occupational Pensions Authority (EIOPA) Guidelines, particularly Guidelines 3, 17, 19, 20, 46, 47, 50, 56 and 61 on Systems of Governance and Valuation of Technical Provisions [3]; and
• Articles 9, 11, 17 and 18 of the Financial Services (Solvency 2)(Technical Standards) Regulations 2025 (the ‘Solvency 2 Technical Standards’) [4].

1.4 This Guidance Note expands on the GFSC’s general approach as set out in its Approach to Insurance Regulation. By clearly and consistently explaining its expectations of firms in relation to the particular areas addressed, the GFSC seeks to advance its statutory objectives.

1.5 The GFSC expects firms to be able to identify, quantify and manage cyber insurance underwriting risk. This includes both of the following sources of cyber insurance underwriting risk:
(a) Affirmative cyber risk, i.e. insurance policies that explicitly include coverage for cyber risk; and
(b) Non-affirmative cyber risk, i.e. insurance policies that do not explicitly include or exclude coverage for cyber risk. This latter type of cyber risk is sometimes referred to as ‘silent’ cyber risk by insurance professionals.

1.6 The GFSC’s expectations are split into three broad areas:
• Non-affirmative cyber risk (Chapter 2);
• Cyber risk strategy and risk appetite (Chapter 3); and
• Cyber expertise (Chapter 4).

[1] https://www.gibraltarlaws.gov.gi/legislations/financial-services-insurance-companies-regulations-2020-4808
[2] https://www.fsc.gi/publications/2019/05/Approach%20to%20Insurance%20Regulation.pdf
[3] https://www.eiopa.europa.eu/publications/guidelines-system-governance_en
[4] https://www.gibraltarlaws.gov.gi/legislations/financial-services-solvency-2-technical-standards-regulations-2025-7559

2. Non-affirmative cyber risk

2.1 The GFSC expects all insurers to robustly assess and actively manage their insurance products with specific consideration of non-affirmative cyber risk exposures. This includes all property and casualty (P&C) covers which could give rise to cyber risk exposure from physical and non-physical damage. Firms are expected to introduce measures that reduce the unintended exposure to this risk with a view to aligning the residual risk with the risk appetite and strategy agreed by the board. To achieve this, besides making adequate capital provisions that clearly link with this risk, as they would for any other risk type, firms could consider any of the following (the list is not exhaustive):
• Adjusting the premium to reflect the additional risk and offering explicit cover;
• Introducing robust wording exclusions; and/or
• Attaching specific limits of cover.

2.2 Should a firm decide to offer cyber cover at no extra premium for a specific product or line of business, the GFSC would expect to see that the board has confirmed that a comprehensive assessment of the potential resulting losses has been carried out, and that the overall non-affirmative cyber exposure falls within the stated risk appetite. In this case the contract may be reworded to clarify that cyber cover is offered as part of this product or line of business.

2.3 The GFSC is not a pricing regulator and does not look to design products. The short-to-medium term aim is to enhance the ability of firms to monitor, manage and mitigate non-affirmative cyber risk and to increase contract certainty for policyholders as to the level and type of coverage they hold. The GFSC expects firms to adopt a proportionate approach when assessing their non-affirmative exposures. The firm’s underwriting and risk management functions should play a key role in leading this effort.

3. Cyber risk strategy and risk appetite

3.1 Cyber underwriting is a key area of risk and it is important that this is reflected in the firm’s strategy and risk appetite statements.

3.2 The GFSC expects that all insurers that underwrite affirmative cyber insurance policies and/or are exposed to non-affirmative cyber risk will have clear strategies on the management of the associated risks, which are owned by the board. The cyber strategy should include clearly articulated risk appetite statements with both quantitative and qualitative elements, for example defining target industries to focus on, a strategy for managing non-affirmative cyber risk, rules for line sizes, aggregate limits for industries, splits between direct and reinsurance, etc. (this list is not exhaustive).

3.3 The overall cyber strategy, associated risk appetite statements and relevant management information (MI) should be reviewed on a periodic basis by the board. The strategy and overall cyber insurance underwriting risk exposure levels of non-affirmative cyber risk should be reviewed by the board at least on an annual basis. For affirmative cyber risk the review should be more regular. The MI should include as a minimum:
• Clear articulations of the risk appetite statements and measurements against these;
• Aggregate cyber underwriting exposure metrics for both affirmative and non-affirmative cyber risk; and
• Cyber insurance underwriting risk stress tests that explicitly consider the potential for loss aggregation (e.g. via the cloud or cross-product exposures) at extreme return periods (up to 1 in 200 years) and are consistent with the insurance stress tests carried out periodically by the GFSC.

3.4 By articulating these issues boards will understand and own the overall strategy for cyber risk and the associated prudential risks.

4. Cyber expertise

4.1 Both affirmative and non-affirmative cyber risk elements present significant challenges and are underpinned by technological development. Firms active in this space must invest in knowledge and expertise.

4.2 The GFSC expects that all insurance firms that are materially exposed to these risks understand the continuously evolving cyber landscape and demonstrate a continued commitment to developing their knowledge of cyber insurance underwriting risk. This extends to both affirmative and non-affirmative elements of cyber risk. The GFSC expects that this knowledge and understanding should be fully aligned to the level of risk and any growth targets in this field, and should cover all three lines of defence (business, risk management, and audit).

4.3 Regardless of any external input or advice obtained in relation to such risks, responsibility and accountability for this risk remains with the firm. The firm will be responsible for the appropriate management of these risks. The GFSC expects the board to have oversight of the effectiveness of the firm’s risk management and controls in this area.

4.4 In this way, firms will have sufficient expertise to understand the risks associated with cyber insurance underwriting.

Published by:
Gibraltar Financial Services Commission
PO Box 940
Suite 3, Ground Floor
Atlantic Suites
Europort Avenue
Gibraltar
www.gfsc.gi
© 2025 Gibraltar Financial Services Commission