The Prudential Regulation Authority (PRA) believes Lloyd’s and the wider UK insurance industry can do more to ensure the effective management of affirmative and non-affirmative (silent) cyber risk exposures, ordering firms to develop an action plan in the first half of 2019, with clear milestones and dates by which action will be taken.
The PRA conducted a survey last year with firms of varying size and says the results show that, although some work has been done, firms need to cover more ground, especially in relation to non-affirmative cyber risk management, risk appetite and strategy.
Firms almost all agreed that a number of traditional lines of business have considerable exposure to non-affirmative cyber risk.
However, there was significant divergence in firms’ views of the potential exposure within Property, Marine, Aviation and Transport (MAT), and Miscellaneous lines. Firms estimated their exposure to non-affirmative cyber risk on these lines to be anywhere between zero and the full limits.
The PRA says some of the variation between firms may be explained by differences in the underlying portfolios and the extent to which firms have felt able to introduce sufficiently robust exclusions and/or limits.
However, much of the divergence is likely to be reflective of differences in firms’ perception of risk. This suggests that some firms should give further thought to the potential for cyber exposure within these specific portfolios.
In relation to affirmative cyber, survey results and further market intelligence point to a material widening of coverage for cyber insurance products.
Three particular examples highlighted include coverage for business interruption (BI), contingent business interruption (CBI), and reputational damage.
Firms’ submissions of cyber stress tests (excluding non-affirmative cyber) suggested that gross losses could run to multiples of annual cyber premiums.
There was also significant divergence on the resulting losses among firms. This, the PRA says, underlines the large uncertainty in cyber, the lack of reliable claims data and the immaturity of available models with potential links to capital adequacy.
The PRA says it has engaged with several regulatory authorities and international forums to develop a coordinated approach in the cyber field and has been encouraged by the level of interest and engagement shown.
Firms reported challenging market conditions, broker pressure, and lack of historic data, models, and expertise as the main impediments for the prudential management of cyber underwriting risk. However, the PRA does not believe they are insurmountable.
Over the rest of the year the PRA plans to provide further, targeted feedback to surveyed firms, arrange meetings with individual surveyed firms by the end of Q1 2019, and coordinate with Lloyd’s to agree any follow-up actions in relation to Lloyd’s managing agents.