As technology advances, so too do the risks involved and the potential for loss. This has two main implications. First, with cyber-incidents becoming more commonplace, the market for cyber-specific cover is expanding rapidly. The second, more nuanced, issue is whether the insurance market’s understanding of cyber risk is keeping pace with the emerging threat. Are cyber risks actually insured under the policies that they should be? Or is there potential for those risks to emerge elsewhere, in policies that were never priced for them? This is often referred to as “silent” cyber risk. As a result, cyber insurance and cyber risk are high up on board-room agendas, both as an opportunity and as a threat.
The Prudential Regulation Authority (the “PRA”) has itself taken up this issue: in November 2016, the PRA released a consultation paper (“CP39/16”), which includes a draft supervisory statement setting out its expectations as to how firms should manage cyber underwriting risk. CP39/16 is relevant to all UK non-life insurance and reinsurance firms and groups within the scope of Solvency II (“Solvency II firms”). This includes the Society of Lloyd’s and managing agents.
CP39/16 focuses on the underwriting risks from two sources:
- affirmative cyber insurance policies, such as data breach products; and
- silent cyber risk, which refers to the implicit cyber exposure within ‘all risks’ and other liability insurance policies that do not explicitly exclude cyber risk.
The results of the PRA’s work indicated that cyber-related underwriting presents several risks to the insurance industry. In a letter to firms dated 14 November 2016 the PRA set out its key findings, which include:
- Silent cyber risk is material and increases over time: most firms acknowledge the loss potential of silent cyber risk, but few were able to show adequate methods for quantifying and managing it. As cyber threats emerge and evolve, a significant cyber insurance loss becomes more likely. The PRA found this threat particularly pronounced in marine, aviation, transport and property lines: underwriters continue to provide implicit cyber coverage despite the continuous advancement of aviation and motor technology. Further, while property underwriters acknowledge cyber risks around smart-house technology, there are no widespread exclusions in use.
- Lack of strategy or risk appetite and insufficient investment: most firms have no clear strategy or risk appetite for managing affirmative and silent cyber risks, nor are they investing enough in developing their internal knowledge on the subject.
- Affirmative cover risks are not well understood: firms do not fully understand affirmative cyber cover, partly due to a lack of experience and knowledge, and partly due to insufficient historical claims data.
CP39/16 discusses the PRA’s proposed expectations for the management of cyber underwriting risk. In general, firms must be able to identify, quantify and manage the risks of underwriting cyber insurance, in terms of both affirmative and silent cover.
The proposals are divided into three categories: (i) setting clear appetites and strategies owned by the board; (ii) management of silent cyber risk; and (iii) investing in cyber expertise.
Cyber risk strategy and risk appetite
The PRA also wants firms’ strategy and risk appetite statements to reflect the fact that cyber underwriting is a significant area of risk. As a result, it expects that all Solvency II firms that underwrite affirmative cyber insurance policies and/or are exposed to silent cyber risk will:
- have clear strategies on the management of cyber risk, owned by the board with both qualitative and quantitative elements, including target industries, strategies for managing silent risk, line sizes, geographic and per industry aggregate limits and direct and reinsurance limits;
- regularly review the overall strategy and risk appetite statements; and
- produce internal management information for review and sign-off by the board, including, as a minimum: clear risk appetite statements; aggregate cyber underwriting exposure metrics (for both affirmative and silent risk); confirmation that the current levels of premium charged are sufficient to cover claims arising from these risk exposures; and cyber underwriting risk stress tests that specifically address the risk of loss aggregation over extreme return periods, consistent with the general insurance stress tests periodically carried out by the PRA.
Silent cyber risk
The PRA wants to improve firms’ ability to “monitor, manage and mitigate” silent cyber risks from a prudential perspective and also to ensure that policyholders have certainty regarding the type of coverage they hold.
The PRA expects that all Solvency II firms will:
- actively assess and manage their insurance products, and specifically consider silent cyber risks; and
- introduce measures that reduce exposure to this risk, with the aim of aligning the residual risk with the risk appetite and strategy agreed by their board.
To achieve these aims firms may consider various approaches, such as:
- adjusting the premium to reflect the additional risk and offering explicit cover;
- introducing robust exclusions;
- attaching specific limits of cover; and
- offering cyber cover at no additional premium where the board has confirmed (having assessed the position) that a particular line of business carries no material silent cyber risk, and is in line with the stated risk appetite.
Investing in cyber expertise
The PRA recognises that the challenges around cyber risk are underpinned by advances in technology. As a result, firms need to invest in knowledge and expertise.
The PRA expects that all Solvency II firms materially exposed to these risks:
- commit to understanding and developing their knowledge of the continuously evolving cyber risk landscape and align this with their risk level and growth targets in the field; this should apply at the business, risk management and audit levels; and
- be fully responsible and accountable for the risks, regardless of any external advice obtained – boards will be held responsible for the oversight of the firm’s risk management and controls in this area.
The PRA’s thematic work demonstrates its view that many firms may not be in a position to deal adequately with affirmative and silent cyber risk. The PRA acknowledges that firms will incur costs in implementing the proposals, but it considers that they will lead to significant benefits for firms and their policyholders, as well as for the reputation of the UK insurance industry.
The consultation on CP39/16 closes on Tuesday 14 February 2017.