Cyber insurance underwriting risk

Policy Statement 15/17 | Consultation Paper 39/16

Published on 5 July 2017

Cyber insurance underwriting risk – PS15/17

This Prudential Regulation Authority (PRA) policy statement (PS) provides feedback to responses to Consultation Paper (CP) 39/16 ‘Cyber insurance underwriting risk’. The PS also includes Supervisory Statement (SS) 4/17 ‘Cyber insurance underwriting risk’, which sets out the PRA’s final expectations regarding the prudent management of cyber underwriting risk (see Appendix).

This PS is relevant to all UK non-life insurance and reinsurance firms and groups within the scope of Solvency II including the Society of Lloyd’s and managing agents (‘Solvency II firms’).

Feedback on consultation responses

The PRA received thirteen responses to the CP. Respondents were largely supportive of the proposals. Following consultation, there have been no material changes to the proposals. However, the PRA has made some clarifying amendments to the SS following various responses. These are set out in Chapter 2.

Policy Statement 15/17 (PDF)

Appendix

Supervisory Statement 4/17


Published on 14 November 2016

Cyber insurance underwriting risk – CP39/16

In this consultation paper (CP), the Prudential Regulation Authority (PRA) proposes a new supervisory statement (SS) setting out its expectations for the prudent management of cyber underwriting risk. For the purposes of this CP and draft SS, cyber underwriting risk is defined as the set of prudential risks emanating from underwriting insurance contracts that are exposed to losses resulting from a cyber-attack.

The CP is relevant to all UK non-life insurance and reinsurance firms and groups within the scope of Solvency II including the Society of Lloyd’s and managing agents (‘Solvency II firms’).

Summary of proposals

The proposals in this CP are based on thematic work carried out by the PRA between October 2015 and June 2016 involving a range of stakeholders including insurance and reinsurance firms, (re)insurance intermediaries, consultancies, catastrophe modelling vendors, cyber security and technology firms, and regulators.

The CP sets out the PRA’s proposed expectations in relation to the ability of firms to exercise prudent management of cyber insurance underwriting risk. Firms are expected to be able to identify, quantify and manage the risks emanating from cyber underwriting risk in terms of both affirmative and ‘silent’ cover.

The results of the PRA’s thematic work highlighted several risks faced by the insurance industry in relation to cyber underwriting risk. The key findings are summarised in a letter to firms – ‘Cyber underwriting risk’ – published on 14 November 2016.

The proposals have been grouped based on the PRA’s thematic findings in the following sections:

  • ‘silent’ cyber risk;
  • cyber risk strategy and risk appetite; and
  • cyber expertise. 

Responses and next steps

This consultation closed on Tuesday 14 February 2017. 

Consultation Paper 39/16 (PDF)
