“The PRA expects that all Solvency II firms robustly assess and actively manage their insurance products with specific consideration to non-affirmative cyber risk exposures. This includes all property and casualty (P&C) covers which could give rise to cyber risk exposure from physical and non-physical damage.” This was contained in SS4/17 issued by the UK’s Prudential Regulatory Authority (PRA) in July 2017. The PRA’s principal concern here was that insurers could unwittingly expose themselves to significant losses on a systemic basis affecting the whole insurance industry.
In a “Dear CEO” letter issued on 30 January 2019 to chief executives of all specialist general insurance firms regulated by the PRA, their interim conclusion was that “more ground needs to be covered” in addressing this issue. That is important not simply for directors of insurance companies but also for all policyholders. That’s because the PRA’s definition of cyber is broad enough to affect all classes of insurance that “… are exposed to cyber-related losses resulting from malicious acts (e.g. cyberattack, infection of an IT system with malicious code) and non-malicious acts (e.g. loss of data, accidental acts or omissions) involving both tangible and intangible assets.” That’s every class except life insurance!
So what else is in the letter?
What is striking is quite how divergent the responses from insurers to the same set of questions turned out to be. The PRA say that: “Firms within Property, Marine, Aviation and Transport (MAT), and Miscellaneous lines estimated their exposure to non-affirmative cyber risk on these lines to be anywhere between zero and the full limits.” That is unlikely to provide the PRA with much comfort as to a consistent approach being applied by insurers.
The potential impact of a cyber event on insurers covering various lines of insurance at the same time is also considered. According to the Dear CEO letter, stress tests by certain insurers reported that the result of this could be on a par with a major natural catastrophe in the US, which is about as bad as it gets. The PRA conclude that this “reinforces our concerns about the large exposure potential and the need for firms to take action to manage the unintended exposure to non-affirmative cyber risk.”
When it comes to claims handling, the PRA “noted limitations in the ability of (firms’) claims functions to distinguish and escalate non-affirmative cyber claims. This was typically due to a combination of lack of claims expertise and inflexibility of the claims process”, leading to the conclusion that: “this suggests that firms should review their claims processes to ensure they are fit for purpose in this area.”
Next Steps and a Veiled Warning
The PRA make it clear that they have engaged both with regulatory authorities and international forums to develop a coordinated international response. While they acknowledge that there are challenging market conditions and pressure from brokers as well as a lack of expertise and historic data, they make it clear that these are not excuses for inaction.
The letter concludes with this statement: “The responsibility is on firms to progress their work and fully align with the expectations set out in SS4/17. In relation to the expectation that firms reduce the unintended exposure to non-affirmative cyber risk, insurers should develop an action plan by mid-year 2019 with clear milestones and dates by which action will be taken.”
This section of the letter concludes with the ominous warning that: “Supervisors may ask to review this plan and subsequent progress towards it.” Chief executives of all insurance companies will no doubt have taken note.