The Bank of England’s (BoE) Prudential Regulation Authority (PRA), in a recent consultation paper, has explored the potential underwriting risks derived from cyber attacks, stressing that more needs to be done by re/insurers to manage the increasing threat of ‘silent’ cyber losses.
The PRA’s work focuses on both affirmative and ‘silent’ cyber losses, with the latter referring to other types of liability insurance products that fail to explicitly exclude cyber risks, which could result in an accumulation of cyber losses within other policies, something many re/insurers might not be adequately prepared for, or even aware of.
‘Silent’ cyber risk is material, and the potential for such a loss is on the rise all the time, explains the PRA. “As both ‘silent’ cyber insurance awareness and the frequency of cyber-attacks grow, so does the loss potential from ‘silent’ cyber exposures,” it says.
The majority of firms that the PRA carried out thematic work on, which included a range of stakeholders from the insurance and reinsurance industry, intermediaries, consultants, cat modelling firms, cyber security and technology entities as well as regulators, failed to demonstrate “robust methods for quantifying and managing ‘silent’ cyber risk,” stressed the PRA.
The inclusion of risks that are unmodelled or simply not properly understood, such as cyber, within a broader liability insurance or reinsurance contract has the potential to be extremely surprising and ultimately very damaging to insurers and reinsurers.
Various policies can include cyber risks as part of a broader solution, and with the understanding of the exposure limited and the potential loss so vast, re/insurers risk serious overexposure that they may not be aware of, and consequently not prepared for.
At a time of reduced pricing and increasing pressure on the investment side of the reinsurance business due to low interest rates, re/insurers are already operating in an environment where profitability is difficult to come by, with little room to manoeuvre.
With reserves reportedly running thin and any increase in cat losses testing the resolve and discipline of firms, ‘silent’ cyber losses are another factor that companies need to be aware of and mitigate the potential impact of, especially in a softening marketplace.
As an example of business lines that are exposed to ‘silent’ cyber losses, the PRA cites casualty lines, such as D&O, and stresses that professional indemnity, financial institutions, and general liability products are also likely exposed to some degree of ‘silent’ cyber losses.
“This is either due to the fact that exclusions are not widely used or because some policies cannot reasonably exclude cyber losses,” said the PRA in its report.
The PRA went on to explain that with D&O policies, for example, “there is wide acceptance in the market that these policies are potentially exposed and should therefore respond to cyber claims.”
The rise of technology and the increased interconnectedness of the world exacerbate the cyber attack problem, as autonomous cars and advanced tech in the aviation industry suggest a greater chance of cyber security failings as more and more data and information become digitalised.
While the above-mentioned sectors and the broader property underwriters expressed an awareness of the potential for cyber aggregation as a result of an attack on commercial or industry targets, the PRA warns that “there are currently no widespread exclusions for cyber risk and the thinking around how to price or manage this risk does not appear to the PRA to have developed sufficiently.”
“The PRA’s work showed that reinsurers are aware of the potential aggregations resulting from ‘silent’ cyber and are looking to address this in future contracts,” explained the PRA, continuing to note that with casualty and property reinsurance contracts there is also no widespread use of exclusion.
“The PRA’s discussions with key stakeholders suggest that where wordings exist to address the issue, these are bespoke and were introduced only recently. Given these wordings are not universally accepted and untested in time they may result in disputes should a cyber claim arise,” said the PRA.
Overall, affirmative and ‘silent’ cyber loss potential isn’t fully understood, stressed the PRA, and much work needs to be done by all components of the distribution chain to adequately address the problem, and take advantage of the huge opportunity cyber risk presents for the sector.
“The PRA proposes that firms have the ability to monitor, manage and mitigate ‘silent’ cyber risk effectively, and aim to provide policyholders with greater contract certainty as to their level and type of coverage,” says the report.
There is an expectation that cyber threats will continue to increase all the time, and the PRA also underlined the need for the risk transfer industry to invest in cyber expertise, and an urgent need for companies to develop clear strategies and risk appetites for the exposure.
So while cyber brings about an array of challenges, it also creates an opportunity for insurance, reinsurance, and also insurance-linked securities (ILS) players to create innovative solutions that tackle both affirmative and the increasing threat of ‘silent’ cyber losses.