The PRA has written to all insurers requesting information on each insurer's cyber resilience capabilities. The questionnaire has been split into three main sections:
- Cyber security and resilience capabilities – this is intended to provide an overview of the firm's own policies and capabilities in respect of cyber risk including, for example, whether the firm has a cyber-strategy and if so how does the firm 'identify', 'protect' against, 'detect', and 'respond' to and 'recover' from cyber-attacks;
- Cyber insurance – this is intended to provide an overview of the cyber risks underwritten by the firm whether under a specific cyber product or otherwise. This section requires information on premiums earned and claims made under cyber specific policies as well as premium information on lines of business that have consistently applied standard cyber exclusion since 1 January 2012;
- Conduct – this is intended to provide an overview of how confidential customer information is handled and stored whether in relation to a specific cyber product or otherwise. This section has been drafted by the FCA however a separate submission to the FCA is not required.
Questionnaires must be returned to firms' usual PRA supervisory contacts no later than close of business on 16 October 2015. Board level sign off of the questionnaire is required to verify that the questionnaire is a "true and accurate reflection of the current status of cyber resilience". Supporting documentation is not required by the deadline but may be requested by the PRA at a later date.
A copy of the letter and questionnaire is available here
What action could be taken to manage risks that may arise from this development?
Companies should ensure the questionnaire is completed and necessary board level sign off has been secured by close of business on 16 October 2015.