4

Cyber expertise

4.1

Both affirmative and non-affirmative cyber risk elements present significant challenges and are underpinned by technological development. Firms active in this space are faced with the necessity of investment in knowledge and expertise.

4.2

The PRA expects that all Solvency II firms that are materially exposed to these risks understand the continuously evolving cyber landscape and demonstrate a continued commitment to developing their knowledge of cyber insurance underwriting risk. This extends to both affirmative and non-affirmative elements of cyber risk. The PRA expects that this knowledge and understanding should be fully aligned to the level of risk and any growth targets in this field, and should cover all three lines of defence (business, risk management, and audit).

4.3

Regardless of any external input or advice obtained in relation to such risks, responsibility and accountability for this risk remain with the firm. The firm will be responsible for the appropriate management of these risks. The PRA expects the board to have oversight of the effectiveness of the firm’s risk management and controls in this area.

4.4

In this way, firms will have sufficient expertise to understand the risks associated with cyber insurance underwriting.