PRA seeks deeper understanding of insurers' 'cyber resilience'

Out-Law News | 14 Aug 2015 | 10:37 am | 2 min. read

UK insurers have been asked to provide details of their "cyber resilience" to the Prudential Regulation Authority (PRA).

The regulator said answers given to the questionnaire (6-page / 353KB PDF) it has sent out to insurers would help it to "understand firms’ current policies and capabilities in this area".

Insurers have been asked to provide a range of information when answering the questionnaire. They will need to inform the PRA of their governance arrangements on cyber security, including whether or not their cyber security strategy has approval from the board and whether cyber security roles and responsibilities within the organisation are aligned to that strategy.

Insurers will have to self-certify whether they have "effective risk management practices in place to address cyber security risks" and tell the PRA whether they measure the effectiveness of those practices.

Other details about whether insurers have identified the critical functions and processes of their business, how they go about this assessment and whether they know which IT systems support those functions and processes must also be outlined in response to the questionnaire.

Insurers have also been asked to note the access controls they deploy, whether or not they encrypt and back up data and how, as well as how often, they "assess third-party providers' security capabilities".

Other questions the PRA has asked of insurers request details of the measures the companies employ to detect cyber security risks, including how often they "undertake vulnerability scanning and penetration testing".

The PRA has also asked insurers to explain their data breach notification policy and outline what cyber incident response plan, if any, they have in place.

Insurers have also been asked to provide information on whether they have bought any cyber insurance cover as well as details of the extent and nature of the business they have generated from selling cyber insurance products themselves.

The PRA's questionnaire also includes a section written by the Financial Conduct Authority (FCA). The FCA's questions have asked insurers to provide details relevant to the way they underwrite businesses' cyber risk where they provide cyber insurance cover, and the measures they deploy to keep their clients' data secure.

The questionnaire must be "completed by competent parties within the firm who have the appropriate knowledge and experience to be able to answer the questions in the various sections of the questionnaire", and responses must be signed off on by a member of the board and submitted to the PRA by 16 October, the PRA said.

Insurance regulation compliance expert Manoj Vaghela of Pinsent Masons, the law firm behind Out-Law.com, said: "The focus of regulators across Europe is on consumer protection and this questionnaire is another example of regulators making enquiries to assess the risks to consumers. Should an insurer have inadequate cyber resilience guidelines in place then a regulator may ultimately be able to take enforcement action. So insurers should prepare their answers to this questionnaire carefully, because it is clear that regulators are very interested in cyber security."

According to a new report by think tank the Centre for the Study of Financial Innovation (CSFI) and PWC, UK insurers rate cyber risk as the number one threat to their business.