
Cyber insurance underwriting risk – CP39/16

14 November 2016


In this consultation paper (CP), the Prudential Regulation Authority (PRA) proposes a new supervisory statement (SS) setting out its expectations for the prudent management of cyber underwriting risk. For the purposes of this CP and draft SS, cyber underwriting risk is defined as the set of prudential risks emanating from underwriting insurance contracts that are exposed to losses resulting from a cyber-attack.

The CP is relevant to all UK non-life insurance and reinsurance firms and groups within the scope of Solvency II including the Society of Lloyd’s and managing agents (‘Solvency II firms’).

Summary of proposals

The proposals in this CP are based on thematic work carried out by the PRA between October 2015 and June 2016 involving a range of stakeholders including insurance and reinsurance firms, (re)insurance intermediaries, consultancies, catastrophe modelling vendors, cyber security and technology firms, and regulators.

The CP sets out the PRA’s proposed expectations in relation to the ability of firms to exercise prudent management of cyber insurance underwriting risk. Firms are expected to be able to identify, quantify and manage the risks emanating from cyber underwriting risk both in terms of affirmative and ‘silent’ cover.

The results of the PRA’s thematic work highlighted several risks faced by the insurance industry in relation to cyber underwriting risk. The key findings are summarised in a letter to firms – ‘Cyber underwriting risk’ – published on 14 November 2016 (see Related Links).

The proposals have been grouped based on the PRA’s thematic findings in the following sections:

  • ‘silent’ cyber risk;
  • cyber risk strategy and risk appetite; and
  • cyber expertise.

Responses and next steps
This consultation closed on Tuesday 14 February 2017. The PRA invites feedback on the proposals set out in this consultation. Please address any comments or enquiries to