The UK’s leading financial regulator has accused the cyber insurance sector of untested policy language, contractual uncertainty and gaps in risk modeling.
The Bank of England’s Prudential Regulation Authority (PRA) asked a cross-section of the sector, comprising 17 property and casualty insurers and 21 Lloyd’s of London syndicates, to assess their solvency against a range of cyber losses as part of a stress test.
Regulators assessed the industry’s response to three underwriting “cyber scenarios”: cloud outages, data exfiltration, and orchestrated ransomware.
They found some shortcomings, which show the still nascent nature of the market.
The first concerns the assessment of the likelihood that these three rare risk events will occur.
“Participants varied widely on the likelihood of a given cyber scenario occurring, with more consensus on systemic ransomware than cloud outages or data exfiltration,” the report states.
“The lack of consensus in the market can affect the comparability of capital across sectors.”
While this kind of response variability is normal for relatively new products, the PRA urged the market to “build a greater consensus” going forward.
Second, the stress tests revealed wide variability in the ability of insurers to assess the business impact of key exclusions that do not hold. Several high-profile lawsuits have been filed in connection with the NotPetya campaign in recent years, questioning whether policies excluding acts of war should still pay out.
The PRA said, “We urge boards to recognize the impact of inherent unvalidated policy language and the potential for contractual uncertainty to ensure that exposures continue to be managed within their own risk appetite.”
The report also highlights that different modeling functions used by insurers produce different calculations of losses across scenarios.
“Considering the increasing adoption of vendor models, we understand the limitations and lack of convergence of existing cyber disaster modeling and are satisfied with the steps taken to mitigate the shortcomings of current approaches. We recommend that you check with the Board of Directors.”
On the more positive side, regulators noted a significant reduction in the proportion of potential claims identified as arising from non-affirmative coverage, where cyber insurance is not explicitly included in the policy.
“Cyber is an evolving danger and as a result, cyber reporting will continue to evolve,” the report said. “This exercise will give us a wide range of current practices across the market and will be useful for future supervision.”