The UK insurance regulator has repeated its calls for insurers to identify and measure cyber risks, including so-called ‘silent’ exposures in property/casualty coverages.
The regulatory intervention is likely to accelerate insurers’ modelling of cyber risks and potentially encourage some to take appropriate underwriting action.
Last year the Prudential Regulation Authority (PRA) launched a consultation on insurance industry cyber exposures, publishing its Consultation Paper (CP) 39/16 Cyber insurance underwriting risk in November. Having reviewed responses to the consultation, the PRA has now set out its expectations regarding cyber insurance underwriting risk in its Supervisory Statement (SS) 4/17.
The Supervisory Statement, which applies to all UK non-life insurers and Lloyd’s syndicates, calls on insurers to “identify, quantify and manage” cyber insurance underwriting risk. This includes both affirmative cyber risk (policies that explicitly include coverage for cyber risk) and non-affirmative or silent cyber risk (policies that do not explicitly include or exclude coverage for cyber risk).
Identify, measure and act
The PRA wants to see that insurers have “clear cyber risk strategies” that include “quantitative and qualitative elements”. Insurers will also be required to carry out stress tests and articulate their cyber risk appetite.
Once an insurer has identified and measured its cyber exposures, the PRA expects firms to take steps to reduce unintended cyber exposures. It also expects insurers to take steps to keep cyber exposures within their risk appetite.
These measures include:
• adjusting the premium to reflect the additional risk and offer explicit cover
• introducing robust wording exclusions; and/or
• attaching specific limits of cover.
If an insurer decides to offer cyber cover at no extra premium, the PRA says it would expect to see that a comprehensive assessment of the potential resulting losses has been carried out, and that the cyber exposure falls within its stated risk appetite. In this instance, the insurer would need to reword the contract to clarify that cyber cover is offered.
The report is potentially more significant for the wider property/casualty market, as the standalone cyber insurance market already models its exposures and uses wordings and pricing tools to ensure that cyber exposures fall within an accepted risk appetite.
The wider property/casualty market is increasingly showing more interest in being able to identify and quantify its cyber exposures, both affirmative and silent. However, silent cyber exposures buried in traditional policies are much harder to model, given the lack of claims experience, legal and coverage uncertainties and the complex interconnected nature of cyber risk.
A Viewpoint Report published by JLT Re and JLT Specialty in April noted that these uncertainties and unquantified cyber exposures in traditional policies are holding insurers back from providing more comprehensive and innovative insurance solutions. The report concluded that greater resilience to cyber risk in the insurance market could be created by considering cyber as a standalone line of business rather than a peril.
Download Cyber Decoder
For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on firstname.lastname@example.org