PRA calls on insurers to cyber stress test

Regulator says carriers need to check they can handle a global assault

By Terry Gangcuangco

The Prudential Regulation Authority (PRA) has called on insurance companies to look into their cyber strategies following global attacks like WannaCry and Petya. 

The regulator has published a supervisory statement setting out its expectations of firms regarding cyber insurance underwriting risk. The PRA said it expects all Solvency II firms to robustly assess and actively manage their insurance products with specific consideration to non-affirmative cyber risk exposures.

“This includes all property and casualty (P&C) covers which could give rise to cyber risk exposure from physical and non-physical damage. Such firms are expected to introduce measures that reduce the unintended exposure to this risk with a view to aligning the residual risk with the risk appetite and strategy that has been agreed by the board,” said the regulator.

Aside from making adequate capital provisions that clearly link with this risk, firms could consider:
 
  • adjusting the premium to reflect the additional risk and offer explicit cover
  • introducing robust wording exclusions
  • attaching specific limits of cover

The PRA also wants the overall cyber strategy, associated risk appetite statements, and relevant management information (MI) to be reviewed periodically by the board. It said the strategy and overall exposure levels of non-affirmative cyber risk should be reviewed by the board at least on an annual basis, while the review for affirmative cyber risk should be more regular.

“The MI should include as a minimum: clear articulations of the risk appetite statements and measurements against these; aggregate cyber underwriting exposure metrics for both affirmative and non-affirmative cyber risk; and cyber insurance underwriting risk stress tests that explicitly consider the potential for loss aggregation (e.g. via the cloud or cross-product exposures) at extreme return periods (up to 1 in 200 years) and are consistent with the general insurance stress tests carried out periodically by the PRA,” read the statement.

A recent Lloyd’s report produced in association with KPMG, law firm DAC Beachcroft, and Lloyd’s insurers said cyber-attacks are constantly evolving. The costs involved and the ways companies can be targets are increasing.

“Insurers are used to helping clients protect themselves against risks that stay relatively constant, year on year. Cyber risk isn’t like that: it morphs and evolves at a rapid pace,” said Paul Bantick, senior cyber underwriter at Beazley.

