"The announcement focuses on the exposure of insurers to the accumulation of cyber risk through the insurance policies they write for their clients. The PRA expects insurers to get a better handle on their cyber risk management and should be seen as a clear sign that action needs to be taken by insurers and reinsurers to fully understand their cyber exposure. The difficulty of dealing with cyber threats is no longer an acceptable excuse for inaction and the regulator has today set out the steps insurers need to take to provide security and stability.
"Although we have not yet seen large insurance losses, recent near misses such as Cloud Hopper highlight the large systemic potential of malware in a connected world and should form the basis of robust portfolio stress tests that the PRA has asked firms to complete.
"One of the key issues the PRA wants insurers to manage is that, even if they do not underwrite specific cyber insurance policies, they may be at risk of having to pay out for cyber damage falling under existing policies such as General Liability or Property. The regulator expects insurers to fully understand their exposure. Non-executive directors (NEDs) in particular are expected to be held accountable for any failures to properly challenge management as they deal with this risk.
"A lot of work is still required by insurers in order to measure and mitigate this risk. In a recent pulse survey we carried out among 14 (re)insurance companies in the UK and the London Market, only 14% of respondents said they have the data readily available to be able to assess their exposure to ‘non-affirmative cyber’. The other 86% rely on manual or proxy methods. Over 70% of respondents believe that the losses from a cyber event could be comparable to the losses from extreme natural catastrophes."