PRA is consulting on a proposed new supervisory statement that sets out how it expects all Solvency 2 firms to prudently manage cyber underwriting risk. PRA carried out thematic work which highlighted a number of risks the insurance industry faces from underwriting insurance contracts that are exposed to losses resulting from a cyber attack. Its research found many potential risks from what it calls “silent cyber” – that is, implicit cyber exposure within policies that do not explicity exclude cyber risk. It found these silent cyber risks are material and are increasing over time. It says casualty lines are potentially significantly exposed to it and that there is potential for silent losses in marine, aviation, transport and property lines, although underwriters are generally comfortable to provide implicit cyber coverage. Reinsurers are aware of the risks, particularly of aggregation of silent cyber, and are looking to address them. But, overall, most firms do not have clear strategies and have not invested in developing the necessary expertise. PRA also noted firms do not understand well enough the aggregation and tail potential of affirmative cyber cover. Although models are under development to help manage risks, PRA believes it needs to clarify to firms what it expects of them. Its draft statement explains:
- how it expects firms to assess and manage their products giving consideration to silent cyber risk exposures. It suggests measures firms might take to reduce unintended exposure, including exclusions, cover limits and premium adjustment;
- its expectations that firms should have clear strategies on managing the risk associated with both any relevant underwriting of affirmative cyber insurance and with silent cyber risk. It suggests what should be included in MI for the Board to help the board assess the firm’s position; and
- the cyber expertise it expects firms to have, with responsibility and accountability for this sitting within the firm, regardless of the external expertise it may call on.
The consultation closes on 14 February 2017.