PRA concerned about ‘silent’ cyber risk underwriting

Out-Law News | 17 Nov 2016 | 10:33 am

Major UK insurance providers may not be fully accounting for 'silent' cyber risk when assessing potential liabilities from insurance cover they provide, the UK Prudential Regulation Authority (PRA) has said.

The PRA said it considers 'silent' cyber risk to be insurers' potential exposure to cyber risks implicit within broad insurance cover they provide beyond that explicitly accounted for in cyber insurance policies, such as data breach cover.

The regulator is planning to issue a new regulatory statement setting out its expectations for the "prudent management of cyber underwriting risk" by Solvency II firms and has opened a consultation on draft proposals (15-page / 518KB PDF).

In its consultation paper, the PRA said it has "significant concerns about the loss potential of ‘silent’ cyber risk and has identified material shortcomings in the management of this risk". It said insurers must "robustly assess and actively manage their insurance products with specific consideration to ‘silent’ cyber risk exposures".

To address the risk, beyond making adequate capital provisions linked to the risk, insurers could "adjust the premium to reflect the additional risk and offer explicit cover; introduce robust wording exclusions; attach specific limits of cover; and offer cyber cover at no extra premium when the board has confirmed that a particular line of business does not carry material ‘silent’ cyber risk and is in line with the stated risk appetite", the PRA said.

The PRA also raised concern about insurers' "internal knowledge and expertise on both the affirmative and ‘silent’ cyber risk elements" of cyber risk underwriting and said it expects firms to have the necessary skills at their disposal to manage those risks.

The PRA also said insurers "do not currently have clear strategies and risk appetites for managing cyber risk" and said it expects insurers to "have clear strategies on the management of the associated risks, which are owned by the board".

"The cyber strategy should include clearly articulated risk appetite statements with both quantitative and qualitative elements, for example defining target industries to focus on, strategy for managing ‘silent’ cyber risk, specifying rules for line sizes, aggregate limits for geographies and industries and splits between direct and reinsurance," the PRA said. "The overall strategy and associated risk appetite statements should be reviewed on a regular basis."

"Firms are expected to produce internal management information (MI) for review and sign-off by the board. The MI should include as a minimum: clear articulations of the risk appetite statements and measurements against these; aggregate cyber underwriting exposure metrics for both affirmative and ‘silent’ cyber risk; a confirmation that current levels of premium charged or other mitigation in place is sufficient to cover claims arising from these risk exposures; and cyber underwriting risk stress tests that explicitly consider the potential for loss aggregation (eg via the cloud or cross-product exposures) at extreme return periods (up to 1 in 200 years) and are consistent with the general insurance stress tests carried out periodically by the PRA," it said.