Collection of cyber insurance and management liability data in the National Claims and Policies Database (NCPD)
On 5 November 2020, APRA released a consultation proposing the collection of cyber insurance and management liability data in the National Claims and Policies Database (NCPD1). This letter sets out APRA’s response to the submissions received on the proposed changes in the consultation paper.
APRA received one submission from the Insurance Council of Australia (ICA) on behalf of its members in response to the proposals in the discussion paper1. Based on the feedback received in the submission, APRA will implement the cyber insurance and management liability data collection with some minor modifications.
Proposals and APRA Response
Proposal 1: Timing of cyber insurance and management liability data collection
APRA sought feedback on the timing of the data collection for cyber and management liability insurance. The ICA sought an extended timeframe for reporting on a best-endeavours basis to also include the 30 June 2021 data collection, and requested that the full collection begin for the 31 December 2021 reference period.
APRA concluded that this will facilitate a more effective process without materially impacting APRA’s objectives, and has agreed to the proposed timeframes (outlined in Appendix A).
Proposal 2: Additional cause of loss codes
APRA sought feedback on the proposal to include three new cause of loss codes in the data collection; Cyber – 1st party loss, Cyber – 3rd party loss and Cyber other. The ICA agreed to the proposed Cyber – 1st party loss and Cyber – 3rd party loss cause of loss codes and provided definitions.
APRA consulted further with the ICA on the Cyber – other cause of loss code, and given current industry practice, APRA concluded that this code is not required.
APRA will adopt the ICA’s proposed definitions (outlined in Appendix B) in respect of the two new cause of loss codes.
Proposal 3: Treatment of historical data
The ICA agreed with APRA’s proposal to not request historical data for cyber insurance and management liability.
Proposal 4: Publication of cyber insurance and management liability data
APRA sought feedback on the publication of data in the NCPD data collection, including the appropriate level of aggregation. APRA is continuing engagement with industry on this point.
Additional feedback
Through the consultation process APRA agreed with the ICA that insurers should only report cyber claims data relating to stand-alone cyber insurance and, at this stage, reporting cyber claims relating to affirmative or non-affirmative cyber insurance covers will not be required. This is because insurers are able to report cyber claims data for standalone policies in a consistent manner which will enable consistency in the data APRA collects from them and publishes to industry and other data users.
Revised reporting standards
The revised reporting standards are available on the APRA website at: Collection of cyber insurance and management liability data in the National Claims and Policies Database (NCPD).
The instrument determining the reporting standards will commence on or before 1 April 2021, as such contributors to the NCPD will be able to report this new data from the December 2020 reference period onwards (on a best-endeavours basis).
Yours sincerely,
Alison Bliss
General Manager
Data Analytics and Insights
Footnote:
Appendix A:
Implementation timetable:
| Reporting period | Reporting requirement |
|---|---|
| 31 December 2020 | Best endeavours basis for new product types and cause of loss codes |
| 30 June 2021 | Best endeavours basis for new product types and cause of loss codes |
| 31 December 2021 onward | Full implementation of reporting changes |
Appendix B:
Definitions for the new cause of loss codes:
Cyber – 1st party: Loss or damages incurred directly to an insured as the result of a cyber breach (Cyber-attack, malware, extortion, crime / theft). The loss will generally cover claims for the financial loss incurred and the cost incurred responding to that loss.
Cyber – 3rd party: Liability loss or damage as a result of a cyber breach (Cyber-attack, malware, extortion, crime / theft). This loss will generally cover system security and privacy defence cost claims, regulatory proceeding (data breaches) and electronic media liability.