20 February 2017
Justin Clarke, Director of Underwriting and Pricing at NIG, explores the PRA’s warnings about ‘silent’ cyber loss and what insurers and government can do to reduce risk.
With cyber crime on the rise, there’s a growing need for insurers to provide explicit cover. Last July, we reported in Cyber Insights that 90% of large UK businesses had suffered an online security breach. But the question remains: are insurers keeping up with cyber threats, and how can businesses manage ‘silent’ cyber risk, where cover for cyber risk is implied in policies but not specifically included or excluded?
The UK’s Prudential Regulation Authority (PRA) tackled these issues in their CP39/16 consultation paper (SC1). Released in November 2016, the paper addresses affirmative cyber insurance policies (policies that explicitly cover cyber risk, such as data breach products) and ‘silent’ cyber risks.
In it, the PRA notes that insurers neither fully understand their exposure nor have clear strategies to manage cyber risks. It concludes that, to close the gap, they must invest in cyber expertise.
In an accompanying letter (SC2) to insurance company CEOs, PRA director of general insurance, Chris Moulder, warns underwriters are committing “material shortcomings” when managing ‘silent’ cyber risk, such as failing to have a clear strategy for managing threats. “The PRA’s work found an almost universal acknowledgement of the loss potential of cyber exposures endemic in ‘silent’ cyber,” Moulder writes, “however, most insurers did not demonstrate robust methods for quantifying and managing ‘silent’ cyber risk.”
The industry watchdog highlighted several cyber underwriting challenges:
How to reduce ‘silent’ cyber risk
The PRA sets out steps insurers should take to reduce their risk. These include investing in cyber expertise, and effectively monitoring, managing and mitigating ‘silent’ cyber risk. Insurers should also develop a risk strategy and appetite statements, which the board should own and regularly review.
To do this, the PRA suggests adjusting premiums to reflect the extra risk and offering explicit cover, introducing “robust wording exclusions”, or offering cyber cover at no extra premium in instances where the board agrees a line of business doesn’t carry material ‘silent’ cyber risk.
Why has ‘silent’ cyber risk become so important?
“In the past few years, cyber insurance has been a key growth area for insurance and reinsurance businesses, even against a background of softening rates and challenging market conditions,” Moulder writes.
Ignoring these challenges could impact insurers’ viability – and damage the industry’s reputation.
The changes will also give policyholders peace of mind, and a better understanding of their type and level of cover. Since cyber insurance is still relatively new, many customers (and insurers, according to the PRA) often don’t know if they’re adequately covered for cyber incidents.
Given the average cost of a cyber attack has more than doubled since 2014, to between £1.5m and £3m for large businesses and up to £300,000 for small businesses, now is the time to act (SC3).
Do we need a government guarantee?
That being said, insuring against cyber risk is incredibly (and increasingly) difficult.
As Mark Field, MP for Cities of London and Westminster, writes, “The lack of data when it comes to insuring against such an onslaught makes the modelling of loss scenarios extremely hard. As a result, significant solvency requirements are likely to be imposed on any insurer offering cover for cyber-related losses and it is hard to secure losses over £100m” (SC3).
There has been talk that reinsurance scheme Pool Re’s cyber exclusion could be softened to cover cyber-enabled property damage. Think cyber terrorists overriding a chemical plant’s safety systems and triggering an explosion.
In case you’re not aware, Pool Re is a joint partnership between the government and insurers, backed by a government guarantee which pools premiums to cover losses from terrorist incidents. Like Flood Re, introduced after devastating floods hit in 2013, it plugs the insurance gap.
The Pool Re team has been working with the Centre for Risk Studies, Cambridge Judge Business School to explore cyber risk and how the scheme might respond to cyber-terrorism incidents. Extending the scheme’s protection could bolster industry, the community and the economy against large-scale cyber attacks.
As Mark Field points out, it makes sense since terrorism and cyber risk are now intertwined. So “rather than create a standalone Cyber Re which, like Flood Re, could take years to establish, we might look instead at a broader catastrophe pool that could be expanded in response to emerging threats.”
Such a scheme would boost our security and cyber-terrorism resilience, ignite best practice, and help us collect data to better guide cyber policies and pricing, thereby making the UK a global leader in cyber security and expertise (SC3).
Insurers would still have to play their part, insuring losses under a certain amount – with government footing the bill for lofty losses.
With the issue of ‘silent’ cyber risk in mind, now would be a good time to explore NIG’s Cyber Cover policy which was given a 4/5* rating by an independent broker reviewer in Insurance Times during 2016.
The comprehensive cover that our product offers, including our 24/7 support, can go a long way to helping safeguard the future of your business should you ever be the victim of a cyber-attack. Here’s what our Cyber policy also covers:
You can find more information about NIG’s Cyber Cover product, including Key Facts, Sales Aid, Proposal Form and Policy Wording, on our website here.
NIG. Here’s Why…
As well as having a great Cyber Cover product, here are some key benefits of choosing NIG: