The cyberthreat landscape has become more sophisticated, frequent and widespread, a new report by Bermuda’s financial sector watchdog has revealed.

The Bermuda Cyber Underwriting Report 2022, released by the Bermuda Monetary Authority, said cyber threats leverage both traditional and new techniques such as ransomware, phishing, supply-chain and critical infrastructure attacks, and zero-day exploits to target individuals and organisations of all sizes.

A variety of factors have introduced new security challenges, increasing cyberattack surfaces that disrupt business operations, including critical infrastructures and supply chains.

Factors include the acceleration of digitalisation owing to the Covid-19 pandemic, the rise of emerging and complex business models, and a continuous move towards globalisation and the greater interconnectivity of businesses around the world.

Further, the BMA said, the increase in legislation and regulations regarding data privacy and consumer protection has also increased the demand for cyber insurance.

The BMA report covers key affirmative cyber-risk underwriting data aggregated from 2021 financial year-end statutory filings of groups and commercial and captive insurers.

Based on these returns, the BMA said 17 groups (2020: 15 groups), 54 commercial insurers (2020: 48 commercial insurers) and 26 captive insurers (2020: 24 captive insurers) write affirmative cyber coverage.

At less than 3 per cent of overall GWP for all lines, the cyber line remains a small part of the overall Bermuda insurance market — but is growing.

During 2021, commercial insurers reported a total gross written premium of $4.73 billion, an increase of 55.7 per cent from the previous year’s $3.04 billion.

Net written premiums increased by 70 per cent to $3.33 billion (2020: $1.95 billion).

In the captive market, the BMA said, cyber gross premiums written increased by approximately 48 per cent (2020: 42 per cent).

In addition to market statistics, the report outlines results from the industry’s first attempt to perform the BMA-prescribed cyber stress scenarios, which were only required last year on a best-efforts basis. The report then compared these outcomes against the results of the insurer’s own worst-case scenario testing.

Overall, most companies are still expected to meet their Enhanced Capital Requirements, post-stress for both their own and the BMA’s stress scenarios.

Nevertheless, a few companies were identified as falling below their Target Capital Levels post-stress test, particularly companies whose existing capital levels are already low.

The BMA said these insurers have been notified by their respective supervisory teams and were required to submit a detailed mitigation plan to the BMA as part of its supervisory engagement.

Additionally, the BMA said:

• Groups and commercial insurers should continue their efforts in providing clarity of cyber coverage to their policyholders

• Companies should review, at least annually, the impact of various loss scenarios and work to enhance their modelling capabilities as their business grows

• Companies are required to continuously review their compliance with the applicable Bermuda Insurance Sector Code of Conduct, which has been in place since 2022, to ensure that they abide by best practices

• The market is invited to review the recently issued Bermuda Insurance Sector Operational Cyber Risk Management 2022 Report for further guidance on how their company fares against best practices set out in the code and against their peers, especially in areas where control deficiencies are identified.

• See the full report under “Related Media”.

Download PDF File

Bermuda Cyber Underwriting Report 2022.pdf