Firms should also carry out regular ‘stress tests’ to ensure that they are properly resourced to respond to a large number of claims at one time in the event of a major global cyber attack, according to the regulator.
The PRA has set out its expectations of insurers that underwrite cyber-related losses, whether as a result of cyber attacks or of accidental or non-malicious acts, such as loss of data. It has published a supervisory statement on the topic, which it has now finalised following a consultation exercise last year.
Dedicated cyber insurance is currently offered by only a limited number of UK insurers. However, a recent report by PwC estimated that the global cyber market would double to $5 billion in annual premiums by 2018 and treble to at least $7.5 billion by 2020. In March, the UK’s Institute of Directors warned that a “worrying” number of UK businesses had no plan in place to respond to a cyber attack, with just 56% of respondents to a survey confirming that they had a formal cybersecurity strategy in place.
In its supervisory statement, the PRA said that it expected insurers to be able to “identify, quantify and manage” their exposure to cyber security risk. This should include their explicit, ‘affirmative’ exposure through dedicated cyber insurance policies; and their implicit, ‘non-affirmative’ or ‘silent’ exposure, through property and casualty policies that do not explicitly include or exclude coverage for cyber risk.
Insurers should take particular care in relation to this ‘silent’ exposure, and “introduce measures that reduce the unintended exposure to this risk”, the PRA said. These measures could include adjusting the premium to reflect cyber risks and offering explicit cover; introducing “robust” exclusions; or attaching specific limits of cover, it said. Insurers should also make “adequate capital provisions that clearly link with this risk”, in the same way as they would for any other risk type, the PRA said.
Insurers could choose to extend specific products or lines of business to include cyber cover at no extra premium, the PRA said. However, before making this decision, the insurer’s board would be expected to carry out a “comprehensive assessment of the potential resulting losses” to ensure that the insurer’s exposure to cyber risk fell within its stated risk appetite, the PRA said.
“The short-to-medium term aim is to enhance the ability of firms to monitor, manage and mitigate non-affirmative cyber risk and to increase contract certainty for policyholders as to the level and type of coverage they hold,” the PRA said in the statement.
“The PRA expects firms to adopt a proportionate approach when assessing their non-affirmative exposures. The firm’s underwriting and risk management functions should play a key role in leading this effort,” it said.
Elsewhere in the statement, the PRA said that it expected firms underwriting cyber risk to have “clear strategies” on the management of these risks, owned and reviewed on a periodic basis by the board. Firms should also ensure that their knowledge and understanding of cyber insurance and associated risk was “fully aligned to the level of risk and any growth targets in this field”, it said.