PRA CEO letter warns action is needed on cyber


Regulator calls on providers to cover more ground on cyber in relation to risk management, risk appetite and strategy, and pledges to continue to keep cyber insurance underwriting risk under review.

Anna Sweeney, director, insurance supervision at the Prudential Regulation Authority (PRA), has warned that more ground needs to be covered by firms in relation to cyber insurance underwriting risks.

The letter to chief executives of specialist GI firms regulated by the PRA, including insurance companies and Lloyd’s of London, follows a supervisory statement on cyber published by the PRA in July 2017 (SS4/17).

The statement covered the following three areas:

  • Actively managing non-affirmative cyber risks;
  • Setting clearly defined cyber strategies and risk appetites that are agreed by the board; and
  • Building and continuously developing insurers’ cyber expertise.

The letter also provides feedback on the key themes that emerged from a follow-up survey, carried out in May 2018, involving firms of varying size.

Risk management
Sweeney stated: “The survey results suggest that although some work has been done, more ground needs to be covered by firms especially in relation to non-affirmative cyber risk management, risk appetite and strategy.

“Having reviewed firms’ responses we also remain of the view that the expectations set out in SS4/17 are relevant and valid.”

According to Sweeney, the PRA has engaged with a number of regulatory authorities and international forums to develop a coordinated approach on cyber insurance risks, following feedback from the insurance industry.

“We have been encouraged by the level of interest and engagement shown from the wider insurance industry and fellow regulators and continue to engage closely as we design and implement next steps,” the letter continued.

The PRA highlighted that the responsibility is on firms to progress their work and fully align with the expectations set out in 2017.

Sweeney further called on insurers to develop an action plan by H1 2019 with clear milestones and dates by which action will be taken.

Sweeney concluded: “We will continue to keep this subject under review in the light of the progress firms make on these outstanding areas.

“Depending on progress, we will consider whether any further steps are appropriate in due course, such as potential revisions or additions to SS4/17.”

The Financial Conduct Authority has recently warned the industry about the rise in tech and cyber incidents hitting UK financial services.

Megan Butler, executive director of supervision – investment, wholesale and specialists at the FCA, said in a speech at Bloomberg on 27 November last year that innovation, from a regulatory perspective, creates new threats which are a “fundamental challenge” for watchdogs.

In addition, last week (25 January) consultancy Mactavish claimed that cyber policies have “major flaws” and suggested that some companies are being “mis-sold” cover.

Cyber experts hit back at the Mactavish report, with UKGlobal Group director Richard Hodson stating that it did not reflect the current cyber market.
