1 Introduction

1.1 This supervisory statement (SS) sets out the Prudential Regulation Authority’s (PRA) expectations of firms regarding cyber insurance underwriting risk. For the purposes of this SS, cyber insurance underwriting risk is defined as the set of prudential risks emanating from underwriting insurance contracts that are exposed to cyber-related losses resulting from malicious acts (eg cyber attack, infection of an IT system with malicious code) and non-malicious acts (eg loss of data, accidental acts or omissions) involving both tangible and intangible assets.

1.2 This statement follows a cross-industry review conducted between October 2015 and June 2016. The key findings were published in a letter to firms on 14 November 2016[1].


1.3 This SS is relevant to all UK non-life insurance and reinsurance firms and groups within the scope of Solvency II, including the Society of Lloyd’s and managing agents (‘Solvency II firms’).

1.4 This SS should be read in conjunction with:

  • the PRA’s rules in the Solvency II sector of the PRA Rulebook, in particular rule 3.1 of the Conditions Governing Business Part, and the Insurance Senior Management Functions and Technical Provisions Parts;
  • the PRA’s approach to insurance supervision[2];
  • the European Insurance and Occupational Pensions Authority (EIOPA) Guidelines, particularly Guidelines 3, 17, 19, 20, 46, 47, 50, 56 and 61 on Systems of Governance and Valuation of Technical Provisions[3]; and
  • Articles 9, 11, 17 and 18 of the Commission Delegated Regulation[4] of Solvency II.


1.5 This SS expands on the PRA’s general approach as set out in its insurance approach document. By clearly and consistently explaining its expectations of firms in relation to the particular areas addressed, the PRA seeks to advance its statutory objectives of ensuring the safety and soundness of the firms it regulates, and contributing to securing an appropriate degree of protection for policyholders.

1.6 The PRA expects firms to be able to identify, quantify and manage cyber insurance underwriting risk. This includes both of the following sources of cyber insurance underwriting risk:

  (a) affirmative cyber risk, ie insurance policies that explicitly include coverage for cyber risk; and
  (b) non-affirmative cyber risk, ie insurance policies that do not explicitly include or exclude coverage for cyber risk. This latter type of cyber risk is sometimes referred to as ‘silent’ cyber risk by insurance professionals.

1.7 The PRA’s expectations are split into three broad areas:

  • non-affirmative cyber risk (Chapter 2);
  • cyber risk strategy and risk appetite (Chapter 3); and
  • cyber expertise (Chapter 4).