On 14 November 2016, the Prudential Regulation Authority (PRA) published a consultation paper on Cyber Insurance Underwriting Risk (CP39/16) proposing a new supervisory statement setting out its expectations for the prudent management of cyber underwriting risk. A draft of the supervisory statement is appended to CP39/16.
For the purposes of CP39/16 and the draft supervisory statement, cyber underwriting risk is defined as the set of prudential risks emanating from underwriting insurance contracts that are exposed to losses resulting from a cyber-attack.
To assess these risks, the PRA carried out thematic work involving a variety of stakeholders from October 2015 to June 2016. The PRA’s work focused on the underwriting risks emanating from both affirmative cyber insurance policies as well as implicit cyber exposure within ‘all-risks’ and other liability insurance policies that do not explicitly exclude cyber risk, referred to as ‘silent’ cyber risk.
The results of this work are summarised in an accompanying ‘Dear CEO’ letter, which highlights the following:
- Silent cyber risk is material. The PRA found an almost universal acknowledgement of the loss potential of silent cyber; however, most firms did not demonstrate robust methods for quantifying and managing silent cyber risk.
- Silent cyber loss potential increases with time. As both silent cyber insurance awareness and the frequency of cyber-attacks grow, so does the loss potential from silent cyber exposures.
- Casualty (direct and facultative) lines are potentially significantly exposed to ‘silent’ cyber, either because exclusions are not widely used or because some policies, e.g. D&O policies, cannot reasonably exclude cyber losses.
- Potential for silent losses in marine, aviation, transport and property lines. Motor and aviation underwriters are comfortable providing implicit cyber coverage despite a background of continuous technological advances. Property underwriters acknowledged the potential for cyber aggregation; despite this, there are currently no widespread exclusions for cyber risk.
- The exposure and response of reinsurance contracts is uncertain. Reinsurers are aware of the potential aggregations resulting from silent cyber and are looking to address this in the future. Currently there is no widespread use of exclusions in either property or casualty reinsurance contracts. Where wordings do exist to address the issue, these are bespoke and were introduced only recently, and so may later result in disputes should a claim arise.
- Most firms lack clear strategies and risk appetites. Boards do not own the overall strategy around cyber risk and in a number of cases a clear strategy, supported by risk appetite statements, does not exist.
- Firm investment in developing cyber expertise is insufficient. This is due to a combination of firms being at the early stage of their cyber offering and the lack of supply of skilled professionals with cyber underwriting expertise.
- Affirmative cover risks are not well understood. Firms do not sufficiently understand the aggregation and tail potential of affirmative cyber cover. Moreover, using past claims data to estimate future cyber losses may not be appropriate because the data are non-stationary.
- Risk management’s ability to challenge is limited. Risk management teams are not adequately equipped in terms of skill and expertise to provide effective challenge to the business. Input is often limited to either developing simple deterministic scenarios or reviewing and adapting widely publicised work on the topic.
- Third-party vendor models are at early stages of development. Catastrophe modelling vendors have developed small sets of deterministic cyber scenarios to assist their clients in managing aggregation, and data schemas have been developed for categorising cyber exposures. Although these are helpful steps, the PRA considers that the market has much work to do before it can capture and manage cyber exposures effectively.
- EU Data Directive will increase affirmative cyber exposures. The implementation of the Data Protection Directive in 2018 will strengthen the European regulatory framework on personal data.
In light of the above, the PRA considers that action is required across the non-life sector to mitigate the risks identified. In its consultation paper, the PRA sets out its expectations in relation to three main areas:
- The management of silent cyber risk. The PRA proposes that firms have the ability to monitor, manage and mitigate silent cyber risk effectively and aim to provide policyholders with greater contractual certainty as to their level and type of coverage (addressed in Chapter 2 of the draft supervisory statement).
- Setting clear appetites and strategies owned by boards. The PRA proposes that firms exposed to silent and affirmative cyber risk will have clear strategies and articulated risk appetites on the management of the associated risks. These should be owned by the board and reviewed on a regular basis (addressed in Chapter 3 of the draft supervisory statement).
- Investing in cyber expertise. Insufficient investment from firms is due to a combination of being at the early stages of development of their cyber offering and a lack of supply of skilled professionals with cyber underwriting expertise. The PRA proposes that firms have sufficient expertise to monitor and manage the risks emanating from cyber risk (addressed in Chapter 4 of the draft supervisory statement).
The deadline for responses to the consultation paper is 14 February 2017.
View: PRA publishes Dear CEO letter and Consultation Paper on Cyber Insurance Underwriting Risk