The PRA has published a Consultation Paper, which proposes the adoption of a new Supervisory Statement on affirmative and silent cyber underwriting risk. The consultation closes on 14 February 2017.
For these purposes, “cyber underwriting risk” means “the … prudential risks emanating from underwriting insurance contracts that are exposed to losses resulting from a cyber-attack”. Affirmative policies include, for example, data breach products. Silent policies might include casualty, marine, aviation, transport, motor and home contents policies that either cover all risks, or do not clearly exclude cyber risks.
The PRA has “significant concerns about the loss potential of ‘silent’ cyber risk and has identified material shortcomings in [its] management”. It therefore proposes that (a) “firms have the ability to monitor, manage and mitigate ‘silent’ cyber risk effectively, and aim to provide policyholders with greater contract certainty as to their level and type of coverage”; and (b) “firms have sufficient expertise to monitor and manage the risks emanating from cyber risk” as well.
Silent cyber risk: The PRA expects firms to “robustly assess and actively manage their … products with specific consideration to ‘silent’ cyber risk exposure”. Firms should then make adequate capital provision for these risks; and consider (eg) premium adjustments; clearer and more robust exclusions; specific limits of cover; and/or only offering free cyber cover once the board has confirmed that the particular product does not carry material silent cyber risk, and that whatever risk it does carry is consistent with the board’s stated risk appetite.
Cyber risk strategy & risk appetite: firms offering affirmative cyber risk policies, and firms that are exposed to silent cyber risk, should have clear board-owned strategies for managing these risks. They should also produce management information (MI) for the board to review and sign off, and that MI must be sufficient for the board to understand and measure the firm’s aggregate cyber risk exposure against its stated risk appetite. The MI should also (a) confirm that current premium levels and other risk mitigators are sufficient; and (b) include cyber underwriting risk stress tests that explicitly consider the potential for loss aggregation at extreme return periods.
Cyber expertise: firms with material affirmative and silent exposure are expected to be able to demonstrate an understanding of the continuously evolving cyber landscape, and a commitment to developing their knowledge of cyber insurance risk, in a way that is (a) fully aligned to the level of risk; and (b) covers all three lines of defence.
Comment: There isn’t much that’s new in this proposal, if it’s read in the context of (for example) the IAIS Issues Paper on Cyber Risk to the Insurance Sector, EIOPA’s Guidelines on Systems of Governance, the Commission’s Delegated Regulation, and the Solvency II Directive. It is, however, a useful reminder about the silent risks that sometimes sit in apparently unrelated policies. It could also serve as a prompt to review policy wordings, especially in older product lines.