Insurance regulators around the world are increasingly concerned by the problem of ‘silent cyber risk’. This is the cover against losses caused by cyber events which is provided, often unintentionally and unknowingly, by many P&C policies. Unless an assessment is made of the extent of this silent cover, it may be difficult to make a proper assessment of an insurer’s total exposure. The causes of this problem are many and varied but include commercial pressure, lack of awareness and outdated policy wordings.
The regulators’ concern about these issues was underlined by the Prudential Regulation Authority’s recent publication of Supervisory Statement SS 4/17 on ‘Cyber insurance underwriting risk’.
The Statement sets out the PRA’s expectations of insurers regarding cyber insurance risk and follows an industry-wide review conducted between October 2015 and June 2016.
It expresses particular concern about silent cyber exposure (which it refers to as “non-affirmative” cyber risk). In particular, the PRA expects insurers to make a robust assessment of their insurance products, with specific consideration given to silent risk exposure, and to manage the risk actively. It suggests that this assessment should include all property and casualty covers which could give rise to cyber loss in the form of either physical or non-physical damage.
Among the tools which insurers will be expected to use to manage the risk, the PRA refers to adjustments to premium, the introduction of robust wording exclusions and the attachment of specific limits to cover.
The PRA makes clear that it expects a rigorous review of these risks by the board and by non-executive directors. Further, the PRA expects boards to articulate clearly a risk appetite for cyber, to assess aggregate cyber underwriting exposures for silent and direct cyber insurances, and to carry out an underwriting stress test that considers the potential for loss aggregation to a one-in-200-year cyber event.
It remains to be seen whether in today’s highly competitive market the PRA intervention leads to a significant tightening of contract wordings and, in particular, the refinement of definitions, insuring clauses and policy exclusions.