Is EIOPA trying to democratise cyber breach data?

The European Insurance and Occupational Pensions Authority (EIOPA) has published a short note setting out its strategic priorities regarding the European cyber insurance market.

EIOPA sees a functional cyber insurance market as being critical to the digital economy. While the cyber resilience of insurance undertakings (and other financial sector entities) has been a central focus for regulators recently, there has plainly been a realisation that this alone is not sufficient for the digital economy to flourish.

The note sets out four objectives, which seek to ensure that:

• the cyber underwriting and risk management processes employed by insurers are appropriate;
• the correct tools are in place to identify and mitigate potential systemic cyber risk;
• both policyholders and insurers understand the contractual terms governing cyber insurance products; and
• there is sufficient information available to enable the development of better quantitative models and therefore better pricing.

A number of strategic proposals are set out to achieve these aims, which include updating EIOPA's stress testing framework to include cyber risk/loss and, predictably but usefully, engaging more closely with the industry. The proposal which is likely to raise the most eyebrows is for a central database containing anonymised details of cyber incidents, to be compiled via reports made through a harmonised cyber incident reporting taxonomy - some may be concerned that anonymisation alone may not be sufficient to prevent embarrassing or damaging private incidents from becoming public.

In the abstract this seems like an idea with some merit. However, it is one which could have significant unforeseen consequences and needs careful handling. EIOPA recognises that there are many questions which need to be addressed before this proposal becomes a reality, not least what unforeseen consequences of this data democratisation there might be. But in a world where cyberattacks are increasing in number and sophistication and companies need to report cyber breaches in any case, EIOPA's plans are logical and probably at some level inevitable.