Regulator calls on providers to cover more ground on cyber in relation to risk management, risk appetite and strategy, and pledges to continue to keep cyber insurance underwriting risk under review.
Anna Sweeney, director, insurance supervision at the Prudential Regulation Authority (PRA), has warned that more ground needs to be covered by firms in relation to cyber insurance underwriting risks.
The letter to chief executives of specialist GI firms regulated by the PRA, including insurance companies and Lloyd’s of London, follows a supervisory statement on cyber published by the PRA in July 2017 (SS4/17).
The statement covered the following three areas:
- Actively managing non-affirmative cyber risks;
- Setting clearly defined cyber strategies and risk appetites that are agreed by the board; and
- Building and continuously developing insurers’ cyber expertise.
The letter also provides feedback on the key themes that emerged from a follow-up survey, carried out in May 2018, involving firms of varying size.
Sweeney stated: “The survey results suggest that although some work has been done, more ground needs to be covered by firms especially in relation to non-affirmative cyber risk management, risk appetite and strategy.
“Having reviewed firms’ responses we also remain of the view that the expectations set out in SS4/17 are relevant and valid.”
According to Sweeney, the PRA has engaged with a number of regulatory authorities and international forums to develop a coordinated approach on cyber insurance risks, following feedback from the insurance industry.
“We have been encouraged by the level of interest and engagement shown from the wider insurance industry and fellow regulators and continue to engage closely as we design and implement next steps,” the letter continued.
The PRA highlighted that the responsibility is on firms to progress their work and fully align with the expectations set out in 2017.
Sweeney further called on insurers to develop an action plan by H1 2019 with clear milestones and dates by which action will be taken.
Sweeney concluded: “We will continue to keep this subject under review in the light of the progress firms make on these outstanding areas.
“Depending on progress, we will consider whether any further steps are appropriate in due course, such as potential revisions or additions to SS4/17.”
The Financial Conduct Authority has recently warned the industry about the rise in tech and cyber incidents hitting UK financial services.
Megan Butler, executive director of supervision – investment, wholesale and specialists at the FCA, said in a speech at Bloomberg on 27 November last year that innovation, from a regulatory perspective, creates new threats which are a “fundamental challenge” for watchdogs.
In addition, last week (25 January) consultancy Mactavish claimed that cyber policies have “major flaws” and suggested that some companies are being “mis-sold” cover.
Cyber experts hit back at the Mactavish report, with UKGlobal Group director Richard Hodson stating that it did not reflect the current cyber market.