Key risk areas for firms identified by the PRA include:
- 'silent' cyber risk losses;
- cyber risk strategy and risk appetite; and
- cyber expertise.
Given current soft market conditions and the rate of growth seen in the cyber insurance market over the past few years, it is important for all firms to be aware and manage exposures in this field effectively.
The PRA expects firms to be able to identify, quantify and manage cyber underwriting risk. This includes risks emanating not only from cyber insurance policies but also 'silent' cyber risk; implicit cyber exposure within ‘all-risks' and other liability insurance policies that do not explicitly exclude cyber risk.
The PRA noted that casualty lines especially D&O policies are potentially significantly exposed to 'silent' cyber risks. In addition, due to recent technological advancements in driverless cars and the use of smart home technology, property and motor may too be at risk.
The PRA recommends boards assess the risk appetite of their firms and own clear strategies to manage their exposure to cyber underwriting risk as well as ensuring firms keep a breadth of the evolving cyber and technological landscape.
PRA Consultation Paper
The PRA is planning to issue a new regulatory statement setting out is expectations for the "prudent management of cyber underwriting risk" by Solvency II firms and has opened a consultation on draft proposals. The PRA is inviting feedback on the proposals set out in this consultation until Tuesday 14 February 2017.
In the regulator's recent consultation paper published in November 2016, the PRA set out its proposals based on thematic work carried out between October 2015 and June 2016 involving a range of stakeholders in the insurance and cyber security sectors. The results of the PRA’s work highlighted several risks faced by the insurance industry in relation to cyber underwriting risk.
Challenges faced by firms
The PRA set out in its consultation paper that it "has significant concerns about the loss potential of 'silent' cyber risk and has identified material shortcomings in the management of this risk".
The PRA's findings suggest casualty (direct and facultative), marine, aviation and transport (MAT) lines of business are potentially significantly exposed to ‘silent’ cyber losses however professional indemnity (PI), financial institution (FI) and general liability (GL) products are also likely to be exposed in various degrees due to a lack of effective exclusions in insurance policies.
With the current rate of technological change; the development in the 'driver-less' car and increasing use of smart-home technology the potential for a significant 'silent' cyber insurance loss is increasing with time.
The PRA states insurers must "robustly assess and actively manage their insurance products with specific consideration to ‘silent’ cyber risk exposures".
To address the risk, beyond making adequate capital provisions linked to the risk, the PRA suggested firms consider doing the following:
- adjust the premium to reflect the additional risk and offer explicit cover;
- introduce robust wording exclusions;
- attach specific limits of cover; and
- offer cyber cover at no extra premium when the board has confirmed that a particular line of business does not carry material ‘silent’ cyber risk and is in line with the stated risk appetite".
The PRA also expects all firms who are exposed to cyber underwriting risk to have clear strategies on the management of associated risks. The PRA states that this strategy should 'include clearly articulated risk appetite statements with both quantitative and qualitative elements, for example defining target industries to focus on, strategy for managing ‘silent’ cyber risk, specifying rules for line sizes, aggregate limits for geographies and industries and splits between direct and reinsurance'.
The PRA expects firms to review the overall strategy and associated risk appetite statements on a regular basis and produce internal management information (MI) for review and sign-off by the board.
It is suggested the MI includes the following as a minimum:
- clear articulations of the risk appetite statements and measurements against these;
- aggregate cyber underwriting exposure metrics for both affirmative and ‘silent’ cyber risk;
- a confirmation that current levels of premium charged or other mitigation in place is sufficient to cover claims arising from these risk exposures; and
- cyber underwriting risk stress tests that explicitly consider the potential for loss aggregation at extreme return periods (up to 1 in 200 years) and are consistent with the general insurance stress tests carried out periodically by the PRA.
The PRA also touched on the fact that firms need to understand the continuously evolving cyber and technological landscape and be able to demonstrate their commitment to developing their expertise of cyber insurance risk.
There could be serious ramifications on both firms and the UK insurance industry if firms do not manage their exposure to cyber underwriting risk effectively. As Chris Moulder set out in the PRA's accompanying letter to the consultation paper on 14 November 2016:
"The prudential risks emanating from this fast-evolving field, if not managed well, are potentially significant to the viability of the firms involved and the reputation of the UK insurance industry as a centre of excellence and innovation."
Laura Allen is a Solicitor in the Corporate Insurance department at DWF, her work includes product wording development, in particular tech and cyber. https://uk.linkedin.com/in/lauraeallen1987This information is intended as a general discussion surrounding the topics covered and is for guidance purposes only. It does not constitute legal advice and should not be regarded as a substitute for taking legal advice. DWF is not responsible for any activity undertaken based on this information.