Cyber Risk Insurance: The Prudential Regulation Authority opinion
You only need to read the papers to know that the threat from cyber attacks and breaches is an increasing risk. It stands to reason, therefore, that cyber risk features heavily in new insurance products and services, as well as in the advice insurers give.
The Prudential Regulation Authority (PRA) - responsible for the prudential regulation and supervision of around 1,500 banks, building societies, credit unions, insurers and major investment firms - has been studying the issues related to cyber risk, culminating in the publication of its guidance. Whilst this guidance primarily articulates the PRA's expectations of firms underwriting this type of insurance, there are some important points for policyholders as well.
The PRA garnered views and data from a wide range of organisations operating in this field, including insurance and reinsurance firms, technology and cyber security firms, as well as regulators and wider industry stakeholders.
The guidelines look at two areas: specific cyber insurance policies; and the ‘silent’ cyber risk implicit in many other insurance policies. Take, for example, a policy insuring an employer against injury to employees or visitors to its premises. The ‘silent’ cyber risk here is that a cyber attack causes equipment to malfunction, the malfunction injures someone, and the policy responds to the claim even though it never mentions cyber and was never priced for it. Other examples include professional liability claims against those employed to do a job but rendered incapable of doing so because of a cyber incident.
</gre_replace_placeholder>
The PRA feels that the risk of ‘silent’ cyber claims is not being adequately articulated or dealt with in policies or contracts, whether in relation to insurance or reinsurance.
The PRA has suggested that insurers need to work hard to assess and monitor both explicit cyber insurance policies and those carrying a ‘silent’ cyber risk.
The PRA recommends clear strategies, along with risk appetite statements, for the management of the associated risks. It states that these need to be agreed and ‘owned’ by the boards of these firms, and that they need to set out the markets the firm wishes to pursue, its intention for managing ‘silent’ cyber risk, rules relating to line sizes and aggregate limits, and the split between direct insurance and reinsurance.
It also recommends that these are reviewed on a regular basis.
The PRA also stresses that insurers need to be prepared. Without such plans, the consequences of an attack on one of their insureds could last for a considerable time and give rise to a range of losses that are hard to quantify and to prove.
The PRA also sets out views on knowledge management and internal communication. Few firms have personnel with dedicated cyber breach expertise. Without this, it feels, firms will struggle to keep other teams up to date in a rapidly evolving sector. This has a worrying knock-on effect for those assessing risk (potentially on out-of-date information), and for the firm's understanding of its liability. Greater investment in staff and external advisors with this specialist understanding is advocated.
The PRA's Supervisory Statement calls for underwriters to consider the implications of cyber risk when drafting all forms of policy.
The PRA has also offered advice on steps firms can take to better equip themselves for cyber risk exposure. These include making adequate capital provision, adjusting premiums to reflect the additional risk, offering explicit cover, introducing robust exclusion wording, or attaching specific limits of cover.
In conclusion, these guidelines for underwriters suggest that the regulator views many current cyber risk policies as inadequate. Cyber risk products still have some way to go before reaching maturity, and for those looking to take out a cyber policy it may be a good idea to ask the broker to what extent the underwriter has followed the PRA’s guidelines.