The PRA has recently produced a supervisory statement outlining its expectations of firms regarding cyber insurance underwriting risk. The statement is chiefly concerned with ‘silent’ cyber risk.
Cyber risk covers losses resulting from malicious cyber attacks, such as the infection of an IT system with malicious code, and from non-malicious events such as loss of data, accidents and omissions. These losses can involve both tangible and intangible assets. Such a risk is ‘silent’ if the firm’s policy wording neither expressly provides nor expressly excludes cover for it. The PRA is concerned that many policies written on ‘all risks’ wordings may in fact respond to cyber losses, even though those risks were never identified or quantified when the premium was set.
The PRA argues that many insurers are unaware of, or unwilling to accept, the extent of this exposure, and it is concerned about the lack of progress on the issue. It reiterates the outcome of its review from last year, which found that most firms did not demonstrate ‘robust methods for quantifying and managing silent cyber risk’.
First, insurers should be taking steps to identify and quantify their actual underwriting exposure. This includes the risk from ‘affirmative’ cyber policies covering data breach, but also the silent cyber risk embedded in property and casualty policies covering physical and non-physical damage. To manage that exposure, the PRA suggests that firms either increase premiums to reflect the additional risk or expressly exclude or limit cover for cyber losses. Insurers that do neither will need to demonstrate that their cyber exposure falls within their ‘stated risk appetite’. This will require insurers and reinsurers to ensure that underwriters of traditional classes of business, such as property and casualty, engage with colleagues involved in ‘affirmative’ cyber underwriting to understand the nature and scope of the risk they may otherwise assume unintentionally. It will also require collaboration across different classes of business to assess and quantify the potential for substantial accumulations of loss, whether by geographic region or by industry sector.
Firms should also consider whether losses might aggregate and exhaust the limits of any responsive reinsurance, for example where many assureds are affected by a single rapidly spreading incident such as the WannaCry ransomware. WannaCry propagated as a worm exploiting a Windows SMB vulnerability, with no user interaction required, which is precisely why one event could reach large numbers of otherwise unrelated insureds within hours.
The recent WannaCry and Ukraine (NotPetya) ransomware attacks are consistent with a trend of growing frequency and severity of cyber attacks. One of the most intractable difficulties for insurers seeking to model this trend is the paucity of historical data from which to predict the rate at which frequency and severity will increase, since the industry may well be at the start of a period of exponential growth. This uncertainty compounds the other challenges facing insurers with exposure in this area, whether intentional or otherwise: the accumulation of losses, the possibility that unforeseen aggregation exhausts reinsurance limits unexpectedly and, of course, silent cyber risk, where insurers may not even be aware of their exposure.
On any view, the PRA’s action in this area represents increasing pressure on the industry to take cyber risk seriously and to transform ‘cyber’ from a novel class of insurance into a mature one.