Cyber Risk Insurance: A View From The Prudential Regulation Authority

Uploaded on 2017-11-10 in BUSINESS-Services-Financial, BUSINESS-Services-Law, FREE TO VIEW, NEWS-News Analysis

Cyber risk is increasingly prevalent in insurers' thinking, both in considering new product lines and in assessing the risks to which they, and their insureds, are already exposed.

In recent years, the Prudential Regulation Authority (PRA) has made efforts to understand and guide the insurance industry in this space.

Its recently published conclusion however is that the exposure to cyber risk is currently being underrated by insurers.

The PRA's review

Between October 2015 and June 2016 the PRA worked with various organisations associated within the cyber risk insurance sector, including insurance and reinsurance firms, cyber security consultancies, technology firms and regulators to assess the potential exposure to cyber risk claims.

This resulted in the publication of its results in November 2016 along with a Consultation Paper. A final Supervisory Statement was published in July 2017.

The PRA's review focused not only on affirmative cyber insurance policies, but also on the exposure to risk which was presented by implicit cyber exposure, a subject which they referred to as the 'silent' cyber risk, or in less catchy terms, "non-affirmative" cyber risk.

Silent risk

The potential cyber risks associated with many policies are not always clear on first consideration. It may at first appear excessive to exclude cyber claims in, say, a casualty policy. Indeed, why would you need to protect an insured against a cyber risk when they are looking to insure themselves against injury claims by their employees or third parties?

However, an increasingly automated world is giving rise to instances where an IT failure could render essential equipment faulty, in turn, causing someone to be injured.

Silent risks also exist in other policies. Director and Officers (D&O) policies, in particular, are open to cyber threats given the impact of technology in effectively steering a business.

Should a business be hit by a cyber-attack, it may find itself vulnerable to a loss in revenue, ultimately leading to shareholders pursuing the directors if the business was not properly prepared, triggering a D&O claim.

Elsewhere, events stemming from a cyber-attack may give rise to complications for various professionals, leading to them being incapable of performing their role sufficiently, in turn leading to a potential professional indemnity claim. This threat extends to financial institutions and general liability claims.

Even where the link between cyber breaches and potential liabilities is clearer, the PRA is concerned that the risk has not been adequately dealt with. The aviation world, despite the continual automation of aviation electronics, appears to be taking the position that the risk of exposure to cyber risk is minimal.

Likewise, property underwriters, whilst accepting that cyber-attacks are becoming increasingly likely to impact upon developments in smart-home technology, are, according to the PRA, not fully accounting for such risks.

Issues in addressing silent risks also extend to reinsurance contracts. Whilst the PRA acknowledges that reinsurers are becoming increasingly aware of the potential exposure brought about by silent cyber risks, they also found that reinsurers have to date been reluctant to utilise methods to limit their exposure.

But the times they are a changing. The PRA's review provided evidence that reinsurers have developed wording to address the issue, albeit the wording in question was both bespoke and had only recently been introduced. Of greater concern is that the wordings remain untested, and have not been adopted universally, leading to uncertainty.

Governance requirements

Knowing which policies to focus on is only the first step. Insurers have been mandated with clearly assessing and monitoring both their affirmative and silent cyber risk policies. The PRA's Supervisory Statement asks insurers to produce clear strategies, along with risk appetite statements for the management of associated risks, to be owned by the boards of those firms.

Clarifying their recommendations, the PRA have recommended that a firm's strategy should make clear, amongst other things, the markets they wish to pursue, their intention for managing silent cyber risk, rules relating to line sizes, aggregate limits and splits between direct insurance and reinsurance.

Once formulated, strategies are to be maintained by the board, and reviewed on a regular basis, ensuring they remain relevant, assisted by an aggregate cyber underwriting exposure metric for both affirmative and silent risk. Such measures are designed with the intention of identifying the potential for loss aggregation, through a variety of exposures, over extreme return periods.

Greater knowledge needed

Where insurers do not invest in data breach resources they may find themselves exposed to challenges not faced in other policy types. The long tail impact of a cyber-attack on an insured may see repercussions lasting months, even years after the event, and bring about a range of losses which are likely to prove difficult to quantify.

The quantification of potential losses is made harder by the lack of past claims data in the UK to measure the losses against.

Internal dissemination of information also plays a part. In the absence of personnel with a cyber breach skillset, the PRA is concerned that firms will struggle to keep other relevant staff, including risk management teams, abreast of developments in this quickly evolving sector.

The consequences are risks being assessed on outdated information or principles, which may lead to a policy being ill-constructed to protect an insured against risks, or an insurer being blind to the level of liability it may be facing. The PRA is clearly encouraging greater investment in staff or external advisors who have experience of assessing and managing cyber risks.

Increasing risk in the future

Cyber risk will be front and centre in the thinking of many businesses in the months ahead, particularly with the implementation of the GDPR in May 2018. GDPR is likely to increase the exposure to cyber risk faced by insurers, primarily through affirmative cyber policies, but also the silent risks detailed above.

In the months ahead, businesses will be faced with a tougher European regulatory framework on personal data, leading to the need for an increasingly rigorous standard of data governance to be maintained.

Another, as yet untested, area is the potential for insurers to meet regulatory fines. These have trended upwards in recent years and are set to rise substantially following the introduction of the GDPR.

Accordingly, the insurance sector needs to be alive to the risks ahead, but also the opportunities presented. The PRA Supervisory Statements calls for underwriters to consider the implications of cyber risks when drafting all form of policies, either affirmatively including, or expressly excluding, any exposure to cyber breaches.

They are also asked to assess the potential for cyber-attacks to lead to aggregated risks in several different areas and with long tails.

The PRA has offered advice regarding steps firms can take to better equip themselves for cyber risk exposure. These include making adequate capital provision, adjusting premiums to reflect additional risks, offering explicit cover, introducing robust wording exclusions, or attaching specific limits of cover.

Implementation of these steps is intended to enhance the ability of insurers to monitor, manage and mitigate silent cyber risk and to increase contract certainty for policyholders as to the level and type of coverage they hold.

Despite the PRA's concerns, market trends indicate insurers are becoming increasing alive to the potential impact of cyber risk on the insurance landscape. The growing list of insurers and other professional advisors offering cyber breach experience is a sign things are moving in the right direction.

However, this remains a complex and fast moving field, where expertise is in high demand, but those with genuine practical cyber breach experience are short in supply.

The answer is likely to be found in a collaborative effort between insurers, experts and third party consultants to share their experiences and expertise to help better understand the risk landscape.

For free Cyber Insurance consultancy please email:  info@cybersecurityintelligence.com and we will give you advice and suggestions on who to contact for opinion/insurance

Lexology:

You Might Also Read: 

Cyber Insurance Report 2017 - 2018 (£):

Strategies For A Cyber Security Culture (£):

 

« AI Applied To Video Analytics
Artificial Intelligence Needs Regulation »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Malware.lu

Malware.lu

Malware.lu is a repository of malware and technical analysis. The goal of the project is to provide samples and technical analysis to security researchers.

Digital Forensics Inc (DFI)

Digital Forensics Inc (DFI)

Digital Forensics Inc. is a nationally recognized High Technology Forensic Investigations and Information System Security firm

Seculert

Seculert

The Seculert Attack Detection & Analytics Platform combines machine-learning based analytics and threat intelligence to automatically detect cyber attacks inside the network.

Global Lifecycle Solutions EMEA (Global EMEA)

Global Lifecycle Solutions EMEA (Global EMEA)

Global EMEA provides full lifecycle services to corporate Clients covering procurement, configuration, support, maintenance and end-of-life asset management.

DataDome

DataDome

DataDome offers real-time AI protection against all OWASP automated threats, including credential stuffing, layer 7 DDoS attacks, SQL injection & intensive scraping.

Blockchain Research Institute (BRI)

Blockchain Research Institute (BRI)

Blockchain Research Institute (BRI) is an independent, global think-tank. We bring together the world’s top global researchers to undertake ground-breaking research on blockchain technology.

MassMutual Ventures

MassMutual Ventures

Mass Mutual ventures backs companies building category-defining businesses in markets including enterprise software, digital health, cybersecurity, and fintech.

Cybriant

Cybriant

Cybriant Strategic Security Services provide a framework for architecting, constructing, and maintaining a secure business with policy and performance alignment.

Intrinium

Intrinium

Intrinium is an Information Technology and Security Solutions company, providing comprehensive consulting and managed services to businesses of all sizes.

Appsec Phoenix

Appsec Phoenix

Appsec Phoenix is an end to end vulnerability management platform that focuses on workflows, threat feed, and real time data.

StickmanCyber

StickmanCyber

At StickmanCyber we are on a mission to create a digital world that is safe for everyone - we are your trusted cybersecurity partner.

Hayes Connor Solicitors

Hayes Connor Solicitors

Hayes Connor Solicitors is a specialist data breach and cybercrime law firm. We act for clients on individual data breaches and also where a group has been compromised as part of a targeted attack.

Tech Seven Partners

Tech Seven Partners

At TechSeven Partners, we provide a full suite of cyber security solutions for your business including network monitoring, onsite and cloud backup solutions, HIPAA or PCI compliance.

European Union Agency for Network and Information Security (ENISA)

European Union Agency for Network and Information Security (ENISA)

The European Union Agency for Cybersecurity, ENISA, is the Union’s agency dedicated to achieving a high common level of cybersecurity across Europe.

Prompt Security

Prompt Security

Prompt Security provides an LLM agnostic approach to ensure security, data privacy and safety across all aspects of Generative AI.

Clarity

Clarity

Clarity is an AI cybersecurity startup that protects against deepfakes and new social engineering and phishing attack vectors accelerated by the rapid adoption of Generative AI.