Consultation on collection of cyber insurance and management liability data in the National Claims and Policies Database (NCPD)
The purpose of this letter is to advise general insurers (GIs) and other interested parties of APRA’s proposal to separately collect cyber insurance and management liability data within the NCPD. APRA seeks responses from the GI industry on the proposed start date for the revised data collection, the inclusion of three new cause of loss codes, treatment of historical data and publication of data in the NCPD data collection.
Background
APRA began collecting public and product liability and professional indemnity premium and claims data through the NCPD in 2003 and has been publishing this information in its current form since 2012. The purpose of this data collection is to provide the industry and other interested parties with better data to assess performance and pricing decisions for these products.
Currently, data on cyber insurance and management liability products is aggregated with data on other product classes1. Given the recent growth in cyber insurance products and the limited availability of data to assess performance and make pricing decisions for these two products, APRA now proposes to include cyber insurance and management liability in the NCPD data collection as standalone categories. APRA’s proposal is supported by the Insurance Council of Australia (ICA) in a submission to APRA in December 2016 and by a number of insurers who have expressed interest in reporting specific cyber insurance data within the NCPD.
APRA has recently facilitated the inclusion of two new product classes and three cause of loss codes within the NCPD data collection. The two new product classes are cyber insurance and management liability, and the proposed cause of loss codes that are being consulted on are based on standalone cyber insurance features: Cyber – 1st party loss, Cyber – 3rd party loss and Cyber - other.
Consultation
APRA is proposing to begin collecting data from insurers on cyber insurance and management liability products, and the three cause of loss codes, for the 31 December 2020 half yearly reporting period on a best endeavours basis, with full implementation from the 30 June 2021 half yearly reporting period within the NCPD reporting forms (Appendix 1).
For clarity, APRA is proposing that the policy data collected under Reporting Standard GRS 800.1 Policy Data: Public and Product Liability and Professional Indemnity Insurance (GRS 800.1) for cyber insurance would relate only to standalone cyber insurance products. The claims data collected under Reporting Standard GRS 800.2 Claim Data: Public and Product Liability and Professional Indemnity Insurance (GRS 800.2) could include cyber losses associated with affirmative and non-affirmative cyber coverage as well as for standalone cyber insurance products. APRA does not intend to ask insurers to reclassify previously reported data. Submissions will be sought specifically on the following items:
1. Timing of cyber insurance and management liability data collection
APRA seeks views on the proposed commencement of the data collection for the half yearly reporting period to 31 December 2020 (on a best endeavours basis), and whether data is available from existing systems including whether appropriate data quality can be achieved.
2. Additional cause of loss codes
APRA is proposing the inclusion of three new cause of loss codes: Cyber - 1st party loss, Cyber - 3rd party loss and Cyber - other. These cause of loss codes can be applied to new cyber insurance products as well as other liability products that experience cyber losses associated with standalone, affirmative and non-affirmative cover. In addition, claims reported under a standalone cyber product can also apply other existing cause of loss codes where relevant. A visual representation of this proposal has been provided in Appendix 2.
APRA seeks views on the appropriateness of the proposed three cause of loss codes and its application to other liability products with affirmative and non-affirmative cyber exposures.
Discussions held with the Insurance Council of Australia at the beginning of 2020 identified the need to have consistent categorisation of cyber insurance and management liability claims. APRA seeks views on any definitional issues for reporting purposes.
3. Treatment of historical data
APRA is proposing to collect data on a go forward basis and not collect historical data (pre December 2020 collection) for cyber insurance and management liability products, and the new cause of loss codes. This is in recognition that collecting historical data may result in data quality issues and create additional insurer burden.
APRA seeks views on this proposed treatment of historical data.
4. Publication of cyber insurance and management liability data
APRA seeks representations on the publication of data in the NCPD data collection, including the appropriate level of aggregation. Given the NCPD contains claims development data, we expect there to be some delay in collecting an appropriately mature set of data. APRA will also explore the possibility of publishing a subset of this data at an earlier time where appropriate, and encourages representations on this matter.
Reporting Standards
The proposed changes to the collection of data for the two new products and the three cause of loss codes will result in changes to four Reporting Standards (refer to Appendix 3). These changes are not expected to be significant.
Publication of data in the NCPD data collection
Data collected by APRA is protected under section 56 of the Australian Prudential Regulation Authority Act 1998 (APRA Act). APRA may disclose protected data in certain circumstances, including where APRA has determined the information to be non-confidential under section 57 of the APRA Act. APRA has an obligation under subsection 57(3) to give interested parties an opportunity to make representations whether information reported under the reporting standards contains confidential information.
APRA’s current level 2 NCPD publication, followed extensive consultation in 2008 and 2009 on the confidentiality of data to be published, and has struck the appropriate balance between protecting commercially sensitive information and the public interest. The current level 2 NCPD publication enables the public to gain further insight into the Australian insurance market.
APRA now seeks further representations from interested parties on the publication of data in the NCPD data collection, in particular whether cyber insurance and management liability data, to be collected as separate standalone categories under the revised data collection, should remain confidential.
Submissions may address APRA’s proposal to apply the same level of aggregation used within the current level 2 NCPD publications in publishing the cyber insurance and management liability data as though ‘Cyber insurance’ and ‘Management liability’ were included as categories under paragraph (5)(G) ‘Products’ of Australian Prudential Regulation Authority (confidentiality) determination No.1 of 2019 (the current confidentiality determination). Please refer to the current confidentiality determination2 for further detail on this level of aggregation.
Invitation
APRA encourages all parties to make submissions on:
- timing for the commencement of the cyber insurance and management liability data collection including the ability to provide quality data. APRA recognises the strain on industry from recent events, including disruption related to COVID-19. As such we have extended the consultation period to six weeks and note some of these factors may require initial collections to be on a best endeavours basis;
- appropriateness of the three additional cause of loss codes;
- definitions for cyber insurance and management liability;
- treatment of historical data;
- APRA’s proposed publication of data in the NCPD data collection, in particular the new data proposed to be collected;
- the benefits or costs associated with the proposed data collection; and
- any other comments regarding APRA’s proposal.
The proposed changes to the collection of data will be subject to a six week public consultation period. Written submissions on the proposed changes should be sent to dataanalytics@apra.gov.au by 17 December 2020 and addressed to Manager, Regulatory Reporting, Data Analytics, or write to:
Manager, Regulatory Reporting, Data Analytics
Australian Prudential Regulation Authority
GPO Box 9836
Sydney NSW 2001
Yours sincerely,
Alison Bliss
General Manager
Data Analytics and Insights
Important disclosure notice – publication of submissions
All information in submissions will be made available to the public on the APRA website unless a respondent expressly requests that all or part of the submission is to remain in confidence. Automatically generated confidentiality statements in emails do not suffice for this purpose. Respondents who would like part of their submission to remain in confidence should provide this information marked as confidential in a separate attachment.
Submissions may be the subject of a request for access made under the Freedom of Information Act 1982 (FOIA). APRA will determine such requests, if any, in accordance with the provisions of the FOIA. Information in the submission about any APRA-regulated entity that is not in the public domain and that is identified as confidential will be protected by section 56 of the APRA Act and will therefore be exempt from production under the FOIA.
See PDF of this letter for appendices
Footnotes:
1 Cyber insurance is currently being reported under the Public Liability – Other product category in the NCPD data collection. Management liability products are currently reported under existing Professional Indemnity product types.
2 https://www.legislation.gov.au/Details/F2019L00991