PRA published a letter that presents the key themes that emerged from its survey on cyber insurance underwriting risk. This letter from Anna Sweeney, Director of Insurance Supervision, is addressed to the Chief Executives of specialist general insurance firms.
In July 2017, PRA had published the supervisory statement SS4/17 on cyber insurance underwriting risk. SS4/17 set out the PRA expectations for insurers on the prudent management of cyber underwriting risk in the areas of actively managing non-affirmative cyber risk; setting clearly defined cyber strategies and risk appetites that are agreed by the board; building and continuously developing insurer cyber expertise. In May 2018, and after discussing with industry associations and Lloyd’s, PRA conducted a follow-up survey involving firms of varying size. This letter provides feedback on the key themes that emerged from firms’ responses and describes areas inn which the PRA thinks that firms can do more to ensure the prudent management of cyber risk exposures.
The survey results suggest that although some work has been done, more ground needs to be covered by firms especially in relation to non-affirmative cyber risk management, risk appetite, and strategy. Having reviewed the responses of firms, PRA also believes that the expectations set out in SS4/17 are relevant and valid. SS4/17 set out the PRA expectations that firms should:
- Robustly assess and effectively manage their insurance products with specific consideration to non-affirmative cyber risk exposure
- Monitor their aggregate cyber underwriting exposure and conduct underwriting risk stress tests that explicitly consider the potential for loss aggregation (in case of firms writing affirmative cyber products)
- Consider cyber underwriting risk stress tests with consideration given to loss aggregation at extreme return periods (up to 1 in 200 years)
In the letter, PRA states that the responsibility is on firms to progress their work and fully align with the expectations set out in SS4/17. In relation to the expectation that firms reduce the unintended exposure to non-affirmative cyber risk, insurers should develop an action plan by the first half of 2019, with clear milestones and dates by which action will be taken. Supervisors may ask to review this plan and subsequent progress toward it. Over the rest of the year, PRA plans to undertake the following steps:
- Provide further, targeted feedback to surveyed firms by arranging meetings with individual surveyed firms by the end of the first quarter of 2019
- Coordinate with Lloyd’s to agree any follow-up actions in relation to Lloyd’s managing agents
- Carry out sample deep-dive reviews to other firms (not necessarily those in the initial sample) in second half of 2019 to assess how these firms are meeting the expectations set out in SS4/17
Keywords: Europe, UK, Insurance, Cyber Risk, Underwriting Risk, SS4/17, PRA
PRA, via the consultation paper CP12/20, proposed changes to its rules, supervisory statements, and statements of policy to implement certain elements of the Capital Requirements Directive (CRD5).
EIOPA published the financial stability report that provides detailed quantitative and qualitative assessment of the key risks identified for the insurance and occupational pensions sectors in the European Economic Area.
EBA published its risk dashboard for the first quarter of 2020 together with the results of the risk assessment questionnaire.
EBA announced that the next stress testing exercise is expected to be launched at the end of January 2021 and its results are to be published at the end of July 2021.
PRA published the consultation paper CP11/20 that sets out its expectations and guidance related to auditors’ work on the matching adjustment under Solvency II.
MAS published a statement guidance on dividend distribution by banks.
APRA updated its capital management guidance for banks, particularly easing restrictions around paying dividends as institutions continue to manage the disruption caused by COVID-19 pandemic.
FSB published a report that reviews the progress on data collection for macro-prudential analysis and the availability and use of macro-prudential tools in Germany.
EBA issued a statement reminding financial institutions that the transition period between EU and UK will expire on December 31, 2020; this will end the possibility for the UK-based financial institutions to offer financial services to EU customers on a cross-border basis via passporting.
SRB published guidance on operational continuity in resolution and financial market infrastructure (FMI) contingency plans.