The Australian Prudential Regulation Authority (APRA) has drafted guidelines governing insurers’ collection of cyber insurance and management liability data in the National Claims and Policies Database (NCPD).
On its website, the regulator also released its response to industry feedback gathered through a consultation period launched in November 2020. It received one response from the Insurance Council of Australia (ICA), on behalf of its members.
In its submission, ICA sought an extended timeframe for reporting on a best-endeavours basis to also include the June 30, 2021 data collection, and requested that the full collection begin for the December 31, 2021 reference period.
APRA agreed with ICA, saying the insurers’ proposal would facilitate a more effective process without materially impacting its regulatory objectives.
APRA also proposed including three new cause of loss codes in the data collection: ‘cyber – first party loss’, ‘cyber – third party loss’ and ‘cyber – other’.
Following its consultation with ICA on the ‘cyber – other’ cause of loss code, and given current industry practice, APRA concluded that this code was not required. As a result, APRA accepted ICA’s proposed definitions of the two new cause of loss codes.
The industry body and the regulator also agreed not to request historical data for cyber insurance and management liability. However, the two parties have yet to agree on the publication of data in the NCPD data collection, including the appropriate level of aggregation, and are still working toward a consensus.
APRA and the ICA also agreed that insurers will be required to report only cyber claims data relating to stand-alone cyber policies; data on claims relating to affirmative or non-affirmative cyber insurance covers will not be required.
According to APRA, the instrument determining the reporting standards will begin on or before April 01, 2021. This means contributors to the NCPD will be able to report this new data from the December 2020 reference period onwards.