Regulator Stress Test Highlights Cyber Insurance Concerns

A leading UK financial regulator has called the cyber insurance sector out for untested policy language, contractual uncertainty and risk modelling gaps.

The Bank of England’s Prudential Regulation Authority (PRA) stress-tested a cross-section of the sector – comprising 17 general insurers and 21 Lloyd’s of London syndicates – by asking them to assess their solvency against a set of cyber losses.

The regulator assessed industry responses to three underwriting “cyber scenarios” – a cloud outage, data exfiltration and systemic ransomware.

It found several shortcomings, indicating the still-nascent nature of the market.

The first related to assessment of the likelihood of those three rare risk events occurring.

“There was a large variation across participants in the perceived likelihood of the prescribed cyber scenarios, with more consensus around systemic ransomware than for cloud outage and data exfiltration,” the report explained.

“Such lack of consensus in the market could impact capital comparability across the sector.”

Although this kind of variation in responses is normal for relatively new products, the PRA urged the market to “develop greater consensus” going forward.

Second, the stress-test revealed a wide variance in the ability of insurers to assess the impact on their business of key exclusions not holding. Several big-name cases have been brought in recent years related to the NotPetya campaign and whether policies excluding acts of war should still pay out.

“We encourage boards to be aware of the implications of the inherent untested policy language and the possibility of contractual uncertainty, ensuring exposures continue to
