Insurers' management of cyber risk, including silent cyber cover, has attracted the interest of the UK Prudential Regulatory Authority (the PRA). The PRA has called on insurers to reduce their unintended exposure to silent cyber cover, and to improve their handling of silent cyber claims.
The PRA has written to insurers following its review of the steps taken by insurers to manage their cyber underwriting risk, including in respect of non-affirmative (silent) cyber cover.
The PRA's review found only limited progress had been made in insurers' assessment and management of silent cyber cover.
Whilst almost all insurers are aware of the classes of business that could be impacted by silent cyber risks, such as financial lines, some saw little to no exposure with others estimating losses comparable to major natural catastrophes in the US. This was partly attributable to insurers’ different portfolios and policy wordings. However, the most significant factor was differences in insurers’ perception of the risk.
Confidence in the ability of reinsurance programmes to respond to such losses was not always borne out by the terms of the reinsurance cover taken out. There were, as insurers acknowledged, limitations in the ability of their claims teams to identify and escalate silent cyber claims.
The PRA's review was more positive in respect of affirmative cyber cover. However, the PRA expressed concern that the amount of cyber cover being underwritten was not necessarily adequately reflected in premium income or supported by substantial claims experience.
Silent cyber under the spotlight
The PRA's letter has come at a time when silent cyber cover is generally in the spotlight.
There is a widely reported coverage dispute in the US involving Mondelez, the owner of Cadbury, which concerns losses arising from the NotPetya 2017 ransomware attack for which indemnity has been sought under a property rather than a cyber insurance policy. There are also reports of other similar disputes involving losses claimed under non-cyber insurance policies.
Lloyd's of London has modelled the insurance impact of a coordinated malware attack that infects the devices of hundreds of thousands of companies and causes catastrophic losses. Its report estimates the potential global damage as between $85bn to $193bn, and suggests silent cyber losses could range from $2bn to $5bn, with most such losses payable under property damage policies.
The European Insurance and Occupational Pension Authority has, like the PRA, also recently referred to silent cyber exposure as a key concern. Its Chairman has highlighted the potential for systemic losses. It has pledged to develop new guidelines and supervisory practices to assist in monitoring this.
Next steps for insurers
The PRA has called on insurers to make more progress in improving their ability to identify, quantify and manage cyber risk. Specific action plans from insurers to reduce their unintended exposure to silent cyber cover have been requested by the end of June 2019.
The PRA’s review highlights certain actions that insurers may want to implement. It suggests some should carry out more detailed assessments of their books of business’ exposure to silent cyber losses. Bespoke scenarios should be developed to better capture their potential exposure rather than solely relying on generic scenarios made available by Lloyd’s and others. Specific steps that insurers can take to address these exposures include:
- Claims teams should stress test wordings against actual as well as hypothetical claims. The views of senior IT personnel and risk managers should be sought on cyber risks and potential losses in the event of cyber-attacks.
- Consideration should be given to providing more training to claims teams to ensure claims handlers are well placed to identify and to adjust silent cyber claims. Existing reporting lines should be changed (if necessary), to ensure such claims can be swiftly escalated, where appropriate. Management information should be collated on silent cyber losses.
- Outside legal expertise should be tapped in reviewing the effectiveness of policy wordings and the robustness of exclusions intended to reduce the risk of silent cyber claims. Where the appetite is only to offer limited silent cyber cover for certain types of claims, sub-limits should be considered.
- Expert guidance should also be sought on reinsurance programmes that are intended to respond to large silent cyber losses, particularly as to any material differences in cover at a reinsurance level.
- At a board level, the appetite for providing silent cyber cover should be discussed and agreed. Internal policies should be drawn up and disseminated that provide clear guidance provided as to the silent cyber cover that can be offered, and those silent cyber risks that should either not be underwritten or be specifically excluded from cover.
If insurers are not seen as having adequately addressed the concerns raised by the PRA, it is possible regulatory action may follow. This could directly impact the directors and officers of insurers given the PRA considers responsibility for the management and control of cyber risk sits at board level.
Addressing silent cyber risks provides an opportunity for insurers to enhance their wordings so as to clearly highlight the cyber risks that are affirmatively covered under non-cyber policies. This may provide some insurers with a helpful selling point in a competitive market.