Reinsurance News

PRA urges re/insurers to adopt measures to assess and reduce silent cyber risks

17th July 2017 - Author: Luke Gallin

The UK’s Prudential Regulation Authority (PRA) unit of the Bank of England has issued a supervisory statement outlining its expectations of firms that underwrite cyber risks, with an important recognition of the potential for non-affirmative, or silent cyber risk.

The statement follows a cross-industry review whose key findings were published in a letter to companies in November 2016. It is relevant to all UK non-life insurers and reinsurers operating under Solvency II regulation, which includes the Society of Lloyd’s and all managing agents, the PRA explained.

The statement sets out the PRA’s expectations of firms regarding the underwriting of cyber risk, a growing, highly complex and far-reaching peril that the insurance and reinsurance industry is still trying to get to grips with, although steps are being taken in the right direction.

The statement explores both affirmative cyber cover, which concerns insurance policies explicitly linked to cyber risk, and non-affirmative or silent cyber cover, which concerns insurance policies that do not explicitly include or exclude cyber coverage.

“The PRA expects that all Solvency II firms robustly assess and actively manage their insurance products with specific consideration to non-affirmative cyber risk exposures. This includes all property and casualty (P&C) covers which could give rise to cyber risk exposure from physical and non-physical damage,” explained the PRA.

The PRA stated that firms are expected to implement measures that reduce their exposure to silent cyber, with a view to aligning the residual risk with the risk appetite and strategy approved by the board.

The PRA outlined three measures that companies can use to achieve this: adjusting the premium to reflect the additional risk and offering explicit cover; introducing robust wording exclusions; and/or attaching specific limits of cover.

Importantly, for companies that opt to include cyber coverage at no extra premium, the PRA expects the board to have approved a detailed assessment of potential losses, and the overall silent cyber exposure to fall within the stated risk appetite.

“The short-to-medium term aim is to enhance the ability of firms to monitor, manage and mitigate non-affirmative cyber risk and to increase contract certainty for policyholders as to the level and type of coverage they hold. The PRA expects firms to adopt a proportionate approach when assessing their non-affirmative exposures. The firm’s underwriting and risk management functions should play a key role in leading this effort,” said the PRA.

Cyber is expected to be one of the P&C sector’s leading growth areas, but a lack of historical data (despite recent attacks such as WannaCry providing some insight), combined with a risk that is inherently complex and far-reaching, has made the peril difficult to assess and price adequately.

Silent cyber risk complicates the issue further, as attacks can have damaging but unintended consequences for numerous other business lines, resulting in potentially huge unexpected losses.