PRA and cyber insurance underwriting risk: The results are in…
In 2017 the Prudential Regulation Authority (PRA) required insurers to identify and measure their cyber exposure through both affirmative cyber insurance and non-affirmative or ‘silent cyber’ insurance (Supervisory Statement 4/17 ‘Cyber insurance underwriting risk’).
Last year, the PRA sent information requests to a selected sub-set of insurers and consulted with the FCA, Lloyd’s, the LMA, the IUA and the ABI to capture feedback.
The results of the survey are now in and the PRA has written to Chief Executives of general insurance firms summarising its findings. https://www.bankofengland.co.uk/-/media/boe/files/prudential-regulation/letter/2019/cyber-underwriting-risk-follow-up-survey-results
The PRA found that:
- The insurance industry’s approach to measuring risk and stress-testing has been inconsistent and there is a wide range of views about the scale of potential losses from cyber perils;
- There has been a material widening of affirmative cyber cover, but many insurers have failed to make appropriate adjustments in terms of pricing etc. to reflect the nature of the risk;
- Casualty, financial, motor and A&H lines were noted to have the largest ‘silent cyber’ exposure;
- Firms’ perceptions of their exposure to ‘silent cyber’ claims vary significantly – especially in Property; Marine, Aviation and Transport; and so-called ‘Miscellaneous’ e.g. pet, travel breakdown, fine art etc – and many insurers have not properly ascertained their exposure; and
- Many firms’ operating processes are too inflexible and do not allow insurers to identify and escalate ‘silent cyber’ claims.
Although insurers reported challenging market conditions, broker pressure and lack of historic data and expertise as the main obstacles in measuring and managing cyber underwriting risk, the PRA does not consider these difficulties to be insurmountable.
Action needed by insurers
The PRA has clearly indicated that the UK insurance industry needs to do more to ensure the effective management of both affirmative and non-affirmative cyber risk exposures and it has ordered insurers to develop action plans by the end of H1 2019. Responsibility for demonstrating compliance rests with individual board members.
The PRA has indicated that throughout 2019 it will:
- Provide further, targeted feedback to surveyed firms and arrange meetings with them.
- Co-ordinate with Lloyd’s to agree any follow-up actions in relation to Lloyd’s managing agents.
- Carry out sample deep-dive reviews of other firms to assess how these firms are meeting the PRA’s expectations.
Keoghs provides insurers with market-leading advisory services in this area and has worked with Lloyd’s to help underwriters identify where they may have ‘silent cyber’ exposures. We can assist with the following:
- Review existing products for ‘silent cyber’ exposure.
- Draft cyber exclusions to ensure that ‘silent cyber’ is not being written inadvertently.
- Review reinsurance protections to see if cyber perils are covered.
- Demonstrate compliance with the PRA requirements.