PRA sets out plans for regulating ‘silent cyber’ in 2019
Insurance firms have been urged to take more action on ‘silent cyber’ - or non-affirmative cyber risk - in a letter from the Bank of England’s Prudential Regulation Authority (PRA).
The letter praised insurers for their efforts so far but highlighted the ongoing need to do more inline with the Supervisory Statement (SS) 4/17 ‘Cyber insurance underwriting risk’ published in 2017.
A PRA survey conducted in 2018 found that “although some work has been done, more ground needs to be covered by firms especially in relation to non-affirmative cyber risk management, risk appetite and strategy”.
The PRA acknowledged insurers’ survey responses highlighting “challenging market conditions, broker pressure, and lack of historic data, models, and expertise as the main impediments for the prudential management of cyber underwriting risk”.
But it added: “We appreciate these challenges but do not believe they are insurmountable.
“The responsibility is on firms to progress their work and fully align with the expectations set out in SS4/17.”
PRA said insurers “should develop an action plan by H1 2019 with clear milestones and dates by which action will be taken” to reduce the unintended exposure to non-affirmative cyber risk.
The PRA said that its supervisors may ask to review these plans and subsequent progress.
In the second half of 2019, the regulator said it plans to provide further, targeted feedback to surveyed firms, arrange meetings with individual firms by the end of Q1 2019, and co-ordinate with Lloyd’s to agree any follow-up actions in relation to Lloyd’s managing agents.
The PRA intends to carry out sample deep-dive reviews at other firms (not necessarily those in our initial sample) in H2 2019 to assess how these firms are meeting the expectations set out in SS4/17.
“We will continue to keep this subject under review in the light of the progress firms make on these outstanding areas. Depending on progress, we will consider whether any further steps are appropriate in due course, such as potential revisions or additions to SS4/17,” the letter concluded.
