You hear a lot about cyberinsurance these days and the need for it, and judging by how busy my cyber colleagues are, there’s no sign of an end to demand any time soon.
Less is heard, though, about so-called silent cyber risk: exposure arising under insurance policies that neither explicitly include nor explicitly exclude cover for cyber-related losses. There are many such policies. Any provider of professional or other services, and any manufacturer or distributor of products, that carries insurance could be exposed to cyber risk under a policy that never mentions it.
This silent risk is the main focus of Supervisory Statement SS4/17, issued in July 2017 by the U.K.’s Prudential Regulation Authority (PRA). It strikes me that the implications of SS4/17 for senior executives of insurance companies, in the context of silent cyber risk, are very significant, as indeed are the longer-term implications for the rest of us if insurance companies do what the PRA is exhorting them to do.
So what’s all the fuss about?
Well, let’s start with the PRA’s definition of cyber risk, since that term is so variously defined. SS4/17 states:
For the purposes of this SS, cyber insurance underwriting risk is defined as the set of prudential risks emanating from underwriting insurance contracts that are exposed to cyber-related losses resulting from malicious acts (e.g. cyberattack, infection of an IT system with malicious code) and non-malicious acts (e.g. loss of data, accidental acts or omissions) involving both tangible and intangible assets.
That’s a pretty all-encompassing definition, but to drive the point home, SS4/17 goes on:
The PRA expects that all Solvency II firms robustly assess and actively manage their insurance products with specific consideration to non-affirmative cyber risk exposures. This includes all property and casualty (P&C) covers which could give rise to cyber risk exposure from physical and non-physical damage.
In other words, SS4/17 applies to cyber risk, whether affirmatively written or silent, across every class of insurance with the exception of life insurance.
What does the PRA expect insurance companies to do?
Given the clarity and succinctness of SS4/17, I quote directly from it:
…Firms are expected to introduce measures that reduce the unintended exposure to (silent cyber) risk with a view to aligning the residual risk with the risk appetite and strategy that has been agreed by the board. To achieve this, besides making adequate capital provisions that clearly link with this risk, as they would for any other risk type, firms could consider any of the following (the list is not exhaustive):
- adjusting the premium to reflect the additional risk and offer explicit cover;
- introducing robust wording exclusions; and/or
- attaching specific limits of cover.
There are a few things that are striking about this. Firstly, SS4/17 underlines the requirement placed on board members to set the strategy and risk appetite of the firm. In light of SS4/17 it is difficult to see how an adequate strategy or statement of risk appetite could now ignore the issue of silent cyber risk. Secondly, where silent cyber risk is identified, firms are encouraged to “adjust” (for which I read increase) premiums and to add exclusions and other limitations of cover.
SS4/17 goes on to address what should happen if, having identified a silent cyber risk, the firm decides to go on providing cover as before:
Should a firm decide to offer cyber cover at no extra premium for a specific product or line of business, the PRA would expect to see that the board has confirmed that a comprehensive assessment of the potential resulting losses has been carried out, and that the overall non-affirmative cyber exposure falls within the stated risk appetite. In this case the contract may be reworded to clarify that cyber insurance is offered as part of this product or line of business.
It should be noted that, where cyber cover is offered “at no extra premium”, it is the board that must confirm that “a comprehensive assessment of the potential resulting losses” has been carried out and that the resulting exposure sits within the stated risk appetite. The PRA is saying clearly that, when it comes to silent cyber risk, more is required of the board than simply setting strategy and stating risk appetite. Were an insurer to suffer serious but unpredicted losses as a result of non-affirmative cyber exposure for which no such pre-assessment had been carried out, then based on SS4/17 it’s a fair bet that the PRA would be asking pointed questions of board members, especially given the Senior Managers Regime, the impact of which I’ve blogged about recently.
What does this mean for the rest of us?
The task which SS4/17 requires insurers to undertake is a formidable one, since it seems to necessitate a review (under board supervision) of every class of insurance offered with a view to (a) identifying silent cyber risk and (b) pricing and adjusting exposures to align them with the stated risk appetite.
Assuming (as we should) that insurers are in the process of implementing SS4/17, the longer-term implications for policyholders may prove significant. Will we see cyber risk excluded from, or restricted in, all general liability policies? If so, how and on what basis? Does the fact that a loss or liability was caused by computer use or misuse qualify it as a silent cyber exposure, such that cover will be excluded, curtailed or referred to a separate cyberinsurance policy? Would that make much of the residual cover in traditional classes of insurance either not commercially viable or not worth the cost for policyholders?
We’ll have to wait and see.