The UK’s Prudential Regulation Authority (PRA) unit of the Bank of England has issued a supervisory statement outlining its expectations of firms that underwrite cyber risks, with an important recognition of the potential for non-affirmative, or silent cyber risk.
The statement follows a cross-industry review whose key findings were published in a letter to companies in November 2016, and is relevant to all UK non-life insurers and reinsurers that operate under Solvency II regulation, which includes all of the Society of Lloyd’s and managing agents, explained the PRA.
The statement seeks to explain the PRA’s expectations of firms regarding the underwriting of cyber risk, a growing, highly complex and far-reaching peril that the insurance and reinsurance industry is still trying to get to grips with, although steps are being made in the right direction.
The statement explores both affirmative cyber cover, which concerns insurance policies explicitly linked to cyber risk, and non-affirmative or silent cyber cover, which concerns insurance policies that do not explicitly include or exclude cyber coverage.
“The PRA expects that all Solvency II firms robustly assess and actively manage their insurance products with specific consideration to non-affirmative cyber risk exposures. This includes all property and casualty (P&C) covers which could give rise to cyber risk exposure from physical and non-physical damage,” explained the PRA.
The PRA stated that firms are expected to implement measures that reduce their exposure to silent cyber, and that this should be done with a view to aligning the residual risk with the risk appetite and strategy approved by the board.
The PRA outlined three measures that companies should adopt in order to achieve this: adjusting the premium to reflect the additional risk and offering explicit cover; introducing robust wording exclusions; and/or attaching specific limits of cover.
Importantly, for companies that…