2 Non-affirmative cyber risk

2.1 The PRA expects that all Solvency II firms robustly assess and actively manage their insurance products with specific consideration to non-affirmative cyber risk exposures. This includes all property and casualty (P&C) covers which could give rise to cyber risk exposure from physical and non-physical damage. Such firms are expected to introduce measures that reduce the unintended exposure to this risk with a view to aligning the residual risk with the risk appetite and strategy that has been agreed by the board. To achieve this, besides making adequate capital provisions that clearly link with this risk, as they would for any other risk type, firms could consider any of the following (the list is not exhaustive):

  • adjusting the premium to reflect the additional risk and offer explicit cover;
  • introducing robust wording exclusions; and/or
  • attaching specific limits of cover.

2.2 Should a firm decide to offer cyber cover at no extra premium for a specific product or line of business, the PRA would expect to see that the board has confirmed that a comprehensive assessment of the potential resulting losses has been carried out, and that the overall non-affirmative cyber exposure falls within the stated risk appetite. In this case the contract may be reworded to clarify that cyber cover is offered as part of this product or line of business.

2.3 The PRA is not a pricing regulator and does not look to design products. The short-to-medium term aim is to enhance the ability of firms to monitor, manage and mitigate non-affirmative cyber risk and to increase contract certainty for policyholders as to the level and type of coverage they hold. The PRA expects firms to adopt a proportionate approach when assessing their non-affirmative exposures. The firm’s underwriting and risk management functions should play a key role in leading this effort.