PRA says firms don’t fully understand cyber exposure

PRA sets out cyber guidelines

The Prudential Regulation Authority has set out new guidelines for insurance firms assessing cyber underwriting risk.

In a consultation paper on the proposals, the PRA said that insurance firms don’t understand the extent of their exposure, don’t have coherent policies to manage their potential cyber exposure, and need to bring in cyber expertise to plug those gaps.

The PRA has invited firms to respond to the consultation document by 14 Feb 2017.

In an accompanying letter to the chief executives of insurance firms, PRA director of general insurance Chris Mulder warned that cyber risks “are potentially significant to the viability of the firms involved and the reputation of the UK insurance industry as a centre of excellence and innovation”.

In thematic reviews, the PRA found that insurers do not have robust methods for quantifying “silent” cyber risk, where cover for cyber risk is implied but not specified in policies, and the loss potential of silent cyber risk increases with time.

“There was some recognition that insurance firms may find it increasingly challenging to argue that all risks or other liability policies did not intend to cover this type of risk given the publicity and awareness of the issue,” Mulder said.

He also pointed out that casualty lines, especially D&O policies, are potentially significantly exposed to cyber risks.

Cyber Insight 2016