Based on a thematic review, the Prudential Regulation Authority (PRA) has proposed a new Supervisory Statement (SS) setting out its expectations for the management of cyber underwriting risk. The SS is intended to ensure that insurers, including at Board level, fully understand the cyber risks that they underwrite and are able to assess their potential exposure with a sufficient degree of accuracy. Responses to the proposed SS are invited by 14 February 2017. We set out below the key findings of the review and the subsequent proposals.
Major security breaches make the headlines with increasing regularity, with cyber security a growing and evolving issue for businesses of all sizes. Risks are also set to increase with the implementation of the General Data Protection Regulation in the EU from May 2018. This significantly strengthens data protection and privacy rights and includes a sanctions regime which reflects the seriousness with which the EU Institutions now treat personal data. It also includes, for the first time, wide-scale breach reporting to Regulators and affected individuals.
It is no surprise then that cyber insurance is increasingly being seen by organisations as one means to lay off these risks and is accordingly a key growth area for insurers and reinsurers.
The PRA uses the term “cyber underwriting risk” to define the set of prudential risks emanating from underwriting insurance contracts that are exposed to losses resulting from a cyber attack. It identifies two types of policies: specific (or “affirmative”) cyber insurance policies, covering issues such as loss arising from business interruption, breach costs, privacy breach liability, media liability, damage to digital assets and extortion; and implicit (or “silent”) cyber exposure to be found in all-risks and other policies that do not expressly exclude cyber risk.
The PRA carried out its thematic review meetings between October 2015 and June 2016, with stakeholders ranging from insurance and reinsurance firms and intermediaries to specialist catastrophe modellers.
As a result, the PRA has identified several “challenges”. These include:
- Silent cyber risk is both material and increasing with time;
- In particular, casualty (direct and facultative) lines are potentially significantly exposed to silent cyber risk. There is also potential for silent losses in Marine, Aviation and Transport (MAT) and Property lines;
- Affirmative cover risks have aggregation and tail potential that is not well understood, and this problem is likely to be compounded by the continuously evolving nature of the cyber landscape;
- The exposure and response of reinsurance contracts is uncertain;
- Many firms are not investing enough in specialist cyber underwriting knowledge and expertise, even where they aspire to grow their offerings. Where firms do have growth aspirations, the PRA has found firms often do not have a clearly articulated strategy supported by risk appetite statements.
The PRA has outlined its findings in a “Dear CEO” letter published on 14 November 2016.
The draft SS seeks to address the identified challenges by focussing on the following:
- Silent cyber risk – firms must introduce measures that reduce the unintended exposure to this risk with a view to aligning the residual risk with the risk appetite and strategy that has been agreed by the Board. The draft SS provides some examples of the means by which this could be achieved, e.g. adjusting premiums and using robust exclusions and limits to the cover;
- Risk strategy and risk appetite – firms must adopt a cyber strategy that is owned by the Board and includes clearly articulated risk appetite statements. These should be reviewed on a regular basis to reflect the fast-changing nature of the risks. The PRA has set out minimum expectations for the management information that should be made available to the Board for review and sign-off;
- Cyber expertise – firms must invest in a level of knowledge and expertise that aligns with the level of risk and any growth targets.