UK insurers ordered to lay out plans to reduce silent cyber exposures

UK insurers, including Lloyd’s, have been ordered to provide their regulator with plans to reduce exposure to silent cyber risk, in a move that will likely bring big changes to how the peril is covered. The news follows a survey by the Prudential Regulation Authority (PRA) that found several insurers fear the risk from cyber is comparable to US nat cats. The survey also revealed that some carriers have a misplaced belief that reinsurance would respond to a large non-affirmative cyber catastrophe, and that claims teams struggle to deal with silent cyber losses. In a letter to CEOs of specialist general insurance firms, the PRA’s director of insurance supervision, Anna Sweeney, said insurers must develop an action plan by the middle of this year with “clear milestones and dates by which action will be taken” to reduce unintended exposure to silent, or non-affirmative, cyber risk. “Supervisors may ask to review this plan and subsequent progress towards it,” the PRA added. This follows a move in July 2017 that saw the PRA tell insurers it wants to see “prudent” behaviour to manage silent cyber risk, a clear cyber strategy and risk appetite agreed by the board, and signs firms are developing cyber expertise. This was laid out in the Supervisory Statement (SS) 4/17 – Cyber Insurance Underwriting Risk. This work aims to address fears that insurers are not properly managing silent cyber exposures. For example, last year’s global malware attacks generated several large, unexpected cyber losses for property insurers. According to Property Claim Services, insurers face more than $3bn in NotPetya claims, of which 90% are from silent cyber cover. The PRA followed up on SS4/17 in May 2018 with a survey of insurers to find out where they need to improve on cyber. In her letter this week, Ms Sweeney welcomed recent announcements from individual insurers about efforts to manage non-affirmative cyber risk in their books of business. But she added the survey results suggest that “although some work has been done, more ground needs to be covered by firms especially in relation to non-affirmative cyber risk management, risk appetite and strategy”. She said insurers cite challenging market conditions, broker pressure and lack of historic data, models and expertise, as the main obstacles to prudentially managing cyber exposures. The PRA said it appreciates these challenges but does not believe they are “insurmountable”. The survey found that most insurers agree that a number of traditional lines of business have considerable exposure to non-affirmative cyber risk. Casualty, financial, motor and A&H lines were deemed to have the largest non-affirmative exposure, with energy lines the least. The PRA found “significant divergence” in firms’ views on the potential exposure within property and marine, aviation and transport cover. In these lines, insurers estimate their exposure to non-affirmative cyber to be anywhere between zero and full limits. The PRA said much of the divergence is likely to be a result of different perceptions of risk. “This suggests that some firms should give further thought to the potential for cyber exposure within these specific portfolios,” it advised. The survey also found that insurers’ quantitative assessment of non-affirmative cyber risk is not well developed and mostly relies on stress scenarios and expert opinion. Firms with the most developed approaches had conducted detailed analyses and established processes for capturing cyber exposures for all products, by bringing together different parts of the organisation such as underwriting, risk, claims, IT and actuarial. The PRA concluded that the range of practices observed suggests that “some firms should do more to carry out detailed assessments of their books of business and to develop means of more accurately assessing non-affirmative exposure”. The regulator goes on to explain that insurers’ stress tests suggest a cyber event could have widespread impact on a number of different lines of business. It added that some firms believe the potential risk from cyber is comparable to major natural catastrophes in the US. The PRA said this “reinforces” its concerns about the “large exposure potential and the need for firms to take action to manage the unintended exposure to non- affirmative cyber risk”. Its survey also revealed that most insurers are confident reinsurance would respond, should a large non-affirmative cyber catastrophe hit. However, the PRA said this optimism was “not always corroborated by sufficient evidence”. “Some firms in our sample had examined the issue more closely and raised some concerns in relation to the potential coverage provided by reinsurers in comparison to firms’ potential exposures. This was especially true in the case of excess of loss and other non-proportional reinsurance arrangements,” said Ms Sweeney in her letter. Insurers also concede that there are limitations in their ability to distinguish and escalate non-affirmative cyber claims. The PRA found this was typically due to a combination of a lack of claims expertise and inflexibility in the claims process. “This suggests that firms should review their claims processes to ensure they are fit for purpose in this area,” it said. When it comes to affirmative cyber risk, the PRA said its survey and further market intelligence point to a “material widening of coverage for cyber insurance products”. Three particular examples highlighted include cover for business interruption, contingent business interruption, and reputational damage. “While broader coverage has clear benefits for policyholders and the wider economy, it also comes with obvious prudential risks for insurers if it is not accompanied by appropriate pricing adjustments and adequate risk management. This is particularly relevant given the relative lack of available data and immaturity of the cyber market compared to more established risk areas,” said the PRA. When it comes to risk appetite and strategy, insurers said they were utilising Lloyd’s and other available cyber scenarios along with catastrophe cyber risk models to inform their risk appetites. But there was also an appreciation that the models are in their infancy and that their outputs should be reviewed against internally developed metrics. Firms with the most developed approaches had created bespoke scenarios which, they believe, better reflect their own underlying exposure, said the PRA. The survey also found that most insurers have made some progress on developing cyber management information for the board. However, this mainly focuses on affirmative cyber risk by comparing exposure against scenarios and risk appetites. The PRA said it has seen “limited evidence for board management information on non-affirmative cyber risk”. It believes there is “scope for firms to make greater progress against this expectation”. The PRA said the survey also shows that insurers recognise the need to develop cyber expertise and knowledge further, due to the unique and evolving nature of cyber risk. Chief information security officers and other existing technology expertise were seen as sources to build that knowledge. The PRA found that UK insurers are making use of external expertise – such as catastrophe modelling vendors, consultants and legal advisers for wording assessments – alongside developing bespoke training programmes for board members and underwriters. A small number of firms have created internal ‘centres of excellence’ that enhance dissemination of cyber knowledge and risk management, it said. “Since the publication of SS4/17 we have engaged with several regulatory authorities and international forums to develop a coordinated approach in this field. This was in response to feedback we received from the insurance industry. We have been encouraged by the level of interest and engagement shown [by] the wider insurance industry and fellow regulators, and continue to engage closely as we design and implement next steps,” the PRA concluded.

UK insurers ordered to lay out plans to reduce silent cyber exposures

Want to read this article?

Read Next

Courage and collaboration needed to manage emerging construction sector risks

Dubai floods put $8bn of aircraft at risk, estimates Russell Group

Parima heads to Manila for first of three conferences this year

Munich Re ‘more likely’ to exceed 2024 profit target after €2.1bn gain in Q1

Insurance Europe calls for EC to ‘get it right’ on Solvency II

Courage and collaboration needed to manage emerging construction sector risks

Dubai floods put $8bn of aircraft at risk, estimates Russell Group

Parima heads to Manila for first of three conferences this year

Munich Re ‘more likely’ to exceed 2024 profit target after €2.1bn gain in Q1

Insurance Europe calls for EC to ‘get it right’ on Solvency II

Want to read this article?

Read Next

Courage and collaboration needed to manage emerging construction sector risks

Dubai floods put $8bn of aircraft at risk, estimates Russell Group

Parima heads to Manila for first of three conferences this year

Munich Re ‘more likely’ to exceed 2024 profit target after €2.1bn gain in Q1

Insurance Europe calls for EC to ‘get it right’ on Solvency II

Related Articles