The management of cyber underwriting risk

In July 2017 the Prudential Regulation Authority (PRA) set out its expectations of firms regarding cyber insurance underwriting risk. Major emphasis is given to the management of “non-affirmative” risk under standard liability wordings, something often known as “silent cyber risk”.

Background

In 2015, Lloyd’s published its Cyber-Attack Strategy paper, focusing on the implications of insurance losses arising from malicious electronic acts. The striking growth of cyber as a business opportunity had led Lloyd’s to identify two key challenges:

• Ensuring that cyber-attack insurance was clearly identified and priced, and not given away free as part of standard covers.
• Understanding the potential for large accumulations of cyber-attack risk.

Following this, the UK’s Prudential Regulation Authority (PRA) began to address from a regulatory perspective the implications of cyber for the UK insurance industry. Between October 2015 and June 2016 the PRA consulted widely to look at underwriting risks emanating both from “affirmative” insurance policies that explicitly include coverage for cyber risk and also non-affirmative cyber risk, i.e. insurance policies that do not explicitly include or exclude coverage for cyber risk. The latter is widely referred to as “silent cyber risk” by insurance professionals.

The PRA work found widespread exposure to silent cyber risk, with few firms having clear strategies and risk appetites for managing cyber risk generally or sufficient cyber expertise within the firms. The PRA noted that modelling for cyber exposures was not highly developed, while the changing EU data protection regime was likely to increase the demand for affirmative covers.

In November 2016, the PRA issued Consultation Paper (CP) 39/16, ‘Cyber insurance underwriting risk’ proposing draft Supervisory Statement (SS) 4/17 ‘Cyber insurance underwriting risk’, which set out the PRA’s final expectations regarding the prudent management of cyber underwriting risk. Both were relevant to all firms within the scope of Solvency II. In July 2017 the PRA published feedback on the thirteen responses it had received to the CP and the final version of SS4/17.

A significant point to emerge from responses to the CP was clarification of the definition of ‘cyber insurance underwriting risk’ to include all potential sources of loss – both malicious and non-malicious – to which an insurance contract is potentially exposed. A number of other minor changes were made in the final version of the SS but the key elements of the draft remain substantially unchanged.

The Supervisory Statement

The PRA has affirmed that it assumes that cyber insurance underwriting risk will by default be a material risk for firms that it supervises. This is due to the endemic nature of non-affirmative cyber risk to potentially all property and casualty insurance contracts, the aggressive growth in affirmative cyber insurance and the explosive growth of the number of devices connected to a network. The PRA “expects firms to be able to identify, quantify and manage” that cyber insurance underwriting risk.

In particular, the PRA expects:

• All firms to give “specific consideration” to non-affirmative cyber risk exposures. “This includes all property and casualty (P&C) covers which could give rise to cyber risk exposure from physical and non-physical damage”. “Such firms are expected to introduce measures that reduce the unintended exposure to this risk with a view to aligning the residual risk with the risk appetite and strategy that has been agreed by the board.”
• The PRA expects that all Solvency II firms that underwrite affirmative cyber insurance policies and/or those that are exposed to non-affirmative cyber risk will have clear strategies on the management of the associated risks, which are owned by the board.
• All Solvency II firms that are materially exposed to these risks understand the continuously evolving cyber landscape and demonstrate a continued commitment to developing their knowledge of cyber insurance underwriting risk.

Comment

All firms under the purview of the PRA must address the management of cyber underwriting risk in line with the Supervisory Statement. It is unclear whether casualty and other liability underwriters will be able to assess accurately their exposure to non-affirmative cyber risk or how quickly wordings, limits etc. will change simply in response to the SS. There is, however, growing impetus for all lines of business to familiarise themselves with cyber liabilities and how they may arise and, for those not wishing to take on substantial exposure to cyber risk, to clarify the scope of cover in their wordings in the future.