The Bank of England regulator, the Prudential Regulation Authority (PRA), has highlighted a number of concerning gaps and limitations in how major insurers model and respond to cyber risk, after conducting a stress test of the sector.
The stress test exercise saw 17 general insurers and 21 Lloyd’s of London syndicates assess their solvency position against losses arising from cyber incidents. Participants provided an assessment of their ability to prevent, react and respond to cyber attacks.
“We note that cyber is an evolving peril, and consequently cyber coverage will continue to develop,” wrote Charlotte Garden, executive director of insurance supervision at the PRA. “This exercise has provided us with a wide range of current practices across the market, which will inform future supervision.”
It found that insurers struggled to ascertain the likelihood of cyber incidents – defined for the purposes of the test as ransomware attacks, data leaks and cloud computing outages – and tended to word their cyber policies too ambiguously.
It warned that current practices could lead to a “misestimation of scenario impacts for individual insurers”.
Among other things, the exercise found evidence of substantial variance in how insurers assessed risk, which is not necessarily out of the ordinary in a relatively youthful market, but needs to be addressed moving forward.
It also highlighted disparities in the ability of individual insurers and syndicates to identify the implications of contract uncertainty, with a number of parties unable to properly assess the potential impact should key exclusions – such as for nation state attacks – not hold. It warned of untested policy language and contractual uncertainty, and said boards needed to be made better aware of this problem.
The PRA further noted that the percentage of potential claims identified as arising from non-affirmative or silent cover – where policies are triggered following an incident but where cyber risks have not been explicitly included in them, or exclusionary language is ambiguous on the point – was reducing, which is in line with the guidance it previously issued.
Finally, it also noted that in general, insurance companies are still materially dependent on reinsurance to mitigate the impact of cyber incidents on their books.
Garden said that moving forward, the PRA would be on-hand to help insurance firms enhance their practices to manage and mitigate the potential damage arising from cyber incidents.
Achi Lewis, area vice-president for EMEA for Absolute Software, said: “Especially during periods of economic uncertainty, it is vital that organisations are aware of their cyber resilience, the likelihood of threats, and how to both prevent and respond to attacks.
“The PRA’s caution is important to prepare firms in the event of a worst-case outcome, with major cyber attacks the cause of significant downtime, data breaches and financial cost.
“Remediation from major attacks can prove costly, often resulting in weeks, months, or even years for a full investigation, restoration and legal procedures to take place, beyond the initial damage of the attack itself,” he said. “It is therefore essential that all organisations have cyber security as a top priority.”