PRA consultation on cyber risk
The PRA recently published a document setting out its concerns and expectations of firms in relation to cyber risk (see CP39/16 "Cyber Insurance Underwriting Risk"). Attached to the consultation is a draft supervisory statement which is split up into three main areas.
Silent cyber risk
The PRA has significant concerns about the loss potential of 'silent' cyber risk – the cyber risk inherent in policies insurers underwrite, aside from cover expressly provided for such in cyber insurance policies – and the management of this risk. In particular, the PRA notes that casualty (direct and facultative), marine, aviation and transport (MAT) lines of business are potentially significantly exposed to 'silent' cyber losses.
The PRA proposes that firms review how they underwrite risks in order to mitigate the 'silent' cyber risk effectively. Various suggestions are made as to how to achieve this, such as: making adequate capital provisions linked with the risk; adjusting the premium to reflect the additional risk and offer explicit cover; introducing robust wording exclusions; attaching specific limits of cover; and offering cyber cover at no extra premium when the board has confirmed that a particular line of business does not carry material 'silent' cyber risk and is in line with the stated risk appetite.
Cyber risk strategy and risk appetite
The PRA further proposes that firms establish, and regularly review, strategies from the top down as to how to manage the risk and that firms clearly demonstrate risk appetites. This should all include producing internal management information approved by the board.
Cyber Expertise
The PRA also expects firms to demonstrate that they are committed to understanding and developing their knowledge of cyber insurance risk and to invest in developing cyber risk talent.
Comments on the draft supervisory statement were invited and the PRA will publish their responses soon.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
