The PRA’s letter on cyber underwriting: ignore “silent” cyber exposures at your peril

We summarise the PRA’s key concerns relating to both affirmative and non-affirmative cyber cover.

An increased focus on cyber risk has led to the proliferation of “affirmative” (ie deliberately written) cyber cover. However, in addition to this, the industry has become increasingly aware of the potential exposure from “silent” (or non-affirmative) cyber cover (ie cover for cyber losses that is inadvertently provided) for which the insurer has not priced. Claims involving “silent” cyber exposures have involved significant sums, and coverage disputes can arise. See our article here about a recent dispute in the US arising from an insurer’s declinature of cover under an all-risk property insurance policy in respect of losses resulting from the NotPetya malware attack.

Against that background, the Prudential Regulation Authority (PRA) has written a letter to Chief Executives of general insurance firms, summarising the findings from its 2018 survey of cyber underwriting practices in the insurance industry.

The PRA raises several concerns regarding “affirmative” cyber cover, including that some insurers providing "cyber" cover appear to have failed to make adjustments (including in relation to pricing) to reflect the nature of the risk. The PRA also provides commentary on “non-affirmative” (or silent) cyber exposure; the survey results suggest that many insurers have not ascertained their exposure to “non-affirmative” or ”silent” cyber cover, and the PRA’s letter provides a stark warning of the risks of failing to do so.

We consider the points of interest to insurers in further detail below.

“Affirmative” cyber cover

  • The PRA’s survey results indicate that there has been a material widening of “affirmative” cyber cover, which now extends into providing cover for contingent business interruption and reputational damage. However, this assumption of new risk has often not been accompanied by appropriate adjustments at insurers, including in relation to pricing and risk management.
  • The PRA’s letter is critical of the industry’s inconsistent approach to modelling/stress-testing, and notes that firms have divergent views regarding possible “affirmative” cyber losses. The PRA attributes this divergence to the immaturity of the cyber market and a lack of historical claims data, and intends to publish plans for an exploratory cyber stress test later in 2019.

“Non-affirmative” or “silent” cyber cover

  • The PRA observed considerable exposure to “silent” cyber risk across a variety of areas, including financial lines. The PRA found that certain firms considered the potential losses from cyber events as being comparable with “major natural catastrophes”. The results of the survey reinforced the PRA’s concern regarding the potential scale of “silent” cyber exposure, which firms need to take action to manage.
  • The survey also found that firms’ perceptions of their exposure to “silent” cyber vary significantly. The PRA is concerned that these variations reflect a naivety regarding “silent” cyber exposures amongst certain insurers, who have failed fully to consider the extent to which they inadvertently provide cover for cyber losses.
  • The PRA also identifies the limitations of firms’ operating processes, which were found to be too inflexible to allow insurers to identify and escalate ”silent” cyber claims. The PRA suggests that firms ensure that their claims processes are appropriate for distinguishing “silent” cyber claims from other claims, so that “non-affirmative” cyber risk can be managed appropriately.

Comment

It is clear that the PRA has a range of concerns cyber underwriting practices, relating both to cyber risk that is intentionally written (affirmative) and that which is inadvertently provided (ie non-affirmative or silent). The survey reveals the possible scale of “non-affirmative” or ”silent” cyber exposure across a variety of business lines; the PRA’s concerns about the failure of many firms to ascertain such exposures makes for particularly ominous reading. Although the PRA’s letter does not set out clear steps that it expects firms to take, it is apparent that the PRA expects many underwriters to do more to understand and manage “silent” cyber exposures. Such steps will likely include reviewing policy wordings to assess the robustness of exclusions in non-cyber policies, but may also extend to updating claims-handling processes to ensure that insurers are able to identify incidences of “silent” cyber.

The PRA is continuing to survey firms regarding cyber underwriting practices and may, in due course, update its Supervisory Statement (SS) 4/17 "Cyber insurance underwriting" to provide guidance in this area. Whether insurers write “affirmative” cyber cover or are simply concerned that they may inadvertently be providing “silent” cover for cyber losses under traditional policies, they will no doubt be interested in the further findings of the PRA on this topic.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.