Prudential Regulation Authority Issues Consultation Paper on Cyber Insurance Underwriting Risk
Cyber risks are a real and significant threat to all types of organisation, causing potentially far reaching and devastating consequences for all aspects of business and trade.
Repeatedly, surveys reveal that cyber risk is now among the top three or four concerns for corporate boards and for insurers alike. The increase in the frequency and sophistication of cyber failures/attacks draws into sharp focus the importance of insurance. It is a concern, therefore, that outside specialist circles the scope of insurance coverage for cyber risk is not better understood and managed – there are notable gaps. Moreover, there remains widespread uncertainty as to whether, and if so how, non-specialist insurance policies will respond to a significant cyber event.
For example, a cyber event can lead to catastrophic physical damage and personal injury losses as well as the more readily anticipated data theft and business interruption exposures. It is also the case that coverage (and indeed exclusions too) focuses on hostile acts, often by outsiders, rather than the increasingly common inadvertent cyber event or insider action.
In light of the above, the regulators have become increasingly concerned about the management of cyber insurance risk and on 14 November 2016 the Prudential Regulation Authority (PRA) issued a consultation paper on the topic (CP39/16).
In the paper the PRA outlines its proposals for a new supervisory statement setting out its expectations for the prudent management of cyber underwriting risk. Cyber underwriting risk is defined as the set of prudential risks emanating from writing insurance contracts that are exposed to losses resulting from a cyber event. Insurers are expected to be able to identify, quantify and manage the risks emanating from cyber underwriting, both in terms of explicit and ‘silent’ cover. ‘Silent’ cover refers to implicit cyber exposures within “all risks” and other liability insurance policies that do not explicitly exclude cyber risk.
Interested parties are invited to comment on the paper and draft supervisory statement, with a closing date of 14 February 2017.
The PRA report is a stark reminder of the uncertainty that continues to surround much cyber insurance and that coverage for cyber events is not a given. In the circumstances, both insured organisations and insurers would be well advised to undertake a careful review of their policy wordings in order to understand precisely what is and is not covered, and to make any necessary changes.
No-one likes nasty surprises – make sure you are not at the receiving end of one.