A leading UK financial regulator has called the cyber insurance sector out for untested policy language, contractual uncertainty and risk modelling gaps.
The Bank of England’s Prudential Regulation Authority (PRA) stress-tested a cross-section of the sector – comprising 17 general insurers and 21 Lloyd’s of London syndicates – by asking them to assess their solvency against a set of cyber losses.
The regulator assessed industry responses to three underwriting “cyber scenarios” – a cloud outage, data exfiltration and systemic ransomware.
It found several shortcomings, indicating the still-nascent nature of the market.
The first related to assessment of the likelihood of those three rare risk events occurring.
“There was a large variation across participants in the perceived likelihood of the prescribed cyber scenarios, with more consensus around systemic ransomware than for cloud outage and data exfiltration,” the report explained.
“Such lack of consensus in the market could impact capital comparability across the sector.”
Although this kind of variation in responses is normal for relatively new products, the PRA urged the market to “develop greater consensus” going forward.
Second, the stress-test revealed a wide variance in the ability of insurers to assess the impact on their business of key exclusions not holding. Several big-name cases have been brought in recent years related to the NotPetya campaign and whether policies excluding acts of war should still pay out.
“We encourage boards to be aware of the implications of the inherent untested policy language and the possibility of contractual uncertainty, ensuring exposures continue to be managed within their firm’s own risk appetite,” the PRA said.
The report also highlighted that different modelling capabilities used by insurers generated different calculations for total scenario losses.
“In light of the growing adoption of vendor models, we encourage boards to understand the limitations and lack of convergence in existing cyber catastrophe modelling, and to ensure that they are satisfied with any measures taken to mitigate shortcomings in current approaches,” it said.
On a more positive front, the regulator noted that the percentage of potential claims identified as arising from non-affirmative cover – when cyber isn’t explicitly included in policies – has reduced significantly.
“We note that cyber is an evolving peril, and consequently cyber coverage will continue to develop,” the report said. “This exercise has provided us with a wide range of current practices across the market, which will inform future supervision.”