PRA consultation—insurance and cyber risk

The Bank of England’s Prudential Regulation Authority (PRA) has issued a consultation on its proposals for insurers and reinsurers to manage their risk of underwriting cyber-attack exposures faced by policyholders. Hans Allnutt, partner at DAC Beachcroft LLP and leader of its cyber and data risk practice, looks at the PRA’s proposals.

Original news

Cyber insurance underwriting risk—PRA consultation paper 39/16

In its consultation paper, the PRA proposes a new supervisory statement setting out its expectations for the prudent management of cyber underwriting risk, defined as the set of prudential risks arising from underwriting insurance contracts that are exposed to losses resulting from a cyber-attack.

The consultation paper is relevant to all UK non-life insurance and reinsurance firms and groups within the scope of the Solvency II Directive 2009/138/EC, including the Society of Lloyd’s and managing agents.

The proposals in the consultation paper follow the PRA’s thematic review of the insurance and reinsurance industry’s underwriting risks emanating from affirmative cyber insurance policies, such as data-breach products, and also from implicit insurance cover for cyber risk within ‘all-risks’ and other liability insurance policies that do not explicitly exclude cyber risk (‘silent’ cyber risk).

What are the PRA’s proposals in the consultation?

The proposals are grouped in three sections:

‘Silent’ cyber risk

Solvency II firms should introduce measures that reduce the unintended exposure to this risk by, for instance, adjusting the premium to reflect the additional risk and offering explicit cover, introducing robust wording exclusions, attaching specific limits of cover, and offering cyber cover at no extra premium when the board has confirmed that a particular line of business does not carry material ‘silent’ cyber risk and is in line with the stated risk appetite.

Cyber risk strategy and risk appetite

Firms should regularly review their overall strategy and associated risk appetite statements and produce internal management information which should include:

  • clear articulations of the risk appetite statements and measurements against these
  • aggregate cyber underwriting exposure metrics for both affirmative and ‘silent’ cyber risk
  • a confirmation that current levels of premium charged or other mitigation in place are sufficient to cover claims arising from these risk exposures, and
  • cyber underwriting risk stress tests that explicitly consider the potential for loss aggregation at extreme return periods and are consistent with the general insurance stress tests carried out periodically by the PRA

Cyber expertise

All Solvency II firms exposed to these risks should understand the continuously evolving cyber landscape and demonstrate a continued commitment to developing their knowledge of cyber insurance risk.

What is the purpose of the proposals?

The purpose is to mitigate the exposures identified by the PRA.

The PRA believes it will potentially limit the risk to the insurance industry, in respect of both capital stress and the protection of the reputation of the insurance industry. The PRA also considers the implementation of the proposals will lead to increased contract certainty for policyholders of traditional property and casualty policies who may currently find it challenging to understand whether they are, or are not, insured for cyber-attack losses.

How do the proposals fit with the PRA’s objectives?

The PRA states that the proposals will:

  • advance the general objective of promoting the safety and soundness of PRA-authorised persons and its insurance objective of securing an appropriate degree of protection for policyholders
  • give policyholders greater confidence in insurers’ coverage of cyber risk
  • contribute to the greater market discipline around the management of cyber risk which should promote effective competition

What action has been taken to date?

The proposals in the consultation paper are based on thematic work carried out by the PRA between October 2015 and June 2016 involving a range of stakeholders including insurance and reinsurance firms, intermediaries, consultancies, catastrophe modelling vendors, cyber security and technology firms, and regulators.

What are the next steps?

The PRA is inviting feedback on its proposals. The consultation ends on 14 February 2017.

How should lawyers and their clients prepare for the proposed changes?

Losses may be assumed under insurance policies that expressly cover losses arising from cyber-attacks or policies that might implicitly cover such losses due to the absence of an express exclusion. Insurers and reinsurers should review their insurance programmes to identify where cover is granted, either expressly or silently.

Where such cover is granted, the board of such firms should have clearly articulated strategies for mitigating the exposures to the associated risks. These strategies should be reviewed on a regular basis. In order to do so, insurers and reinsurers should have sufficient expertise to monitor and manage the associated risks.

Interviewed by Robert Matthews.

The views expressed by our Legal Analysis interviewees are not necessarily those of the proprietor.
