Cyber insurance underwriting risk - understanding what the regulator wants

06 July 2017

With a number of cyber breaches making headlines across the world, cyber security should be a top priority for senior management across all industries.

On 5 July, the Bank of England’s Prudential Regulation Authority (PRA) released a supervisory statement (“SS”) on cyber risk for the insurance and reinsurance industry. It is relevant to all UK non-life firms and groups within the scope of Solvency II, including the Society of Lloyd’s and managing agents (“Solvency II Firms”).

This statement followed the PRA’s consultation paper in November 2016, which set out the regulator’s expectations for prudent management of cyber underwriting risk. 

So what should insurers do to demonstrate compliance and best practice?

There are four key actions insurers should take in response to the announcement, some of which you may already have done or be planning to do:

1. Review your existing insurance products and their underlying contracts, focusing on understanding exposure to non-affirmative cyber risk (“silent cyber”).

Organisations are expected to introduce measures to reduce their unintended exposure to this risk. This follows the PRA’s recommendation that Solvency II firms “robustly assess and actively manage their insurance products with specific consideration to non-affirmative cyber risk exposures”. To achieve this, aside from making adequate capital provisions, the PRA recommends that firms should consider:

  • adjusting the premium to reflect the additional risk and offer explicit cover;
  • introducing robust wording exclusions; and/or
  • attaching specific limits of cover.

Implementing some of these measures may be onerous - the competitiveness of the market makes it challenging to enforce cyber exclusions. We note, however, that the PRA expects firms to choose from a suite of measures, which we take as a sign that the regulator will be pragmatic when it comes to evaluating the approach taken.

2. Firms offering affirmative cyber cover should set up a clear strategy on how this risk is managed, including quantitative and qualitative risk appetite statements.

The strategy needs to be owned by the Board and reviewed on a regular basis, with regular Management Information (MI) measuring aggregation against risk appetite. Firms that do not offer affirmative cyber should also review the exposure and strategy on a regular basis.

3. Use cyber scenarios as a way to understand your exposure. We believe scenarios based on "near misses" are a good basis for robust portfolio stress tests.

One key element highlighted by the PRA that firms are required to complete is: “cyber insurance underwriting risk stress tests that explicitly consider the potential for loss aggregation (eg via the cloud or cross-product exposures) at extreme return periods (up to 1 in 200 years) and are consistent with the general insurance stress tests carried out periodically by the PRA.”

The Cloud Hopper event has served as a sober reminder that cyber criminals can access company networks for extended periods of time, with huge possibilities to exploit them for financial gain.

4. Demonstrate that your firm is investing in cyber knowledge and expertise (both affirmative and non-affirmative cyber) and that boards and NEDs provide sufficient challenge.  

This follows from the PRA’s expectation that “all Solvency II firms that are materially exposed to these risks understand the continuously evolving cyber landscape and demonstrate a continued commitment to developing their knowledge of cyber insurance underwriting risk.”

The PRA statement is timely given the threat of cyber risk at the moment, particularly in light of recent attacks like Petya, WannaCry and Cloud Hopper. Although the statement does not include a time frame for the completion of this work, the PRA are already engaging with firms on their cyber practices, and I would advise firms to take action at the earliest opportunity.

If you are interested in discussing the PRA supervisory statement and how it can affect your organisation, please do get in touch.

Mohammad Khan | General Insurance Leader
Profile | Email | +44 (0)20 7213 1945

 
