Insurers have been told to rethink the way they price policies that offer insurance cover for companies in the event of a cyber attack.
In a nine-page paper published today (5 July), the Prudential Regulation Authority ordered insurers to check again that they are making adequate capital provisions to stay afloat if the companies they insure are hit by a cyber attack and make massive claims.
The PRA ordered insurers to check on the terms of their policies, adjust the premium to reflect the additional risk and offer explicit cover; introduce robust wording exclusions; and/or attach specific limits of cover.
As a result, advisers, who were told by the FCA back in May to make sure they were able to defend themselves effectively and respond proportionately to cyber events, could face increased premiums for this type of cover.
Should an insurer decide to offer cyber cover at no extra premium for a specific product or line of business, the PRA stated it would expect to see that the board has confirmed that a comprehensive assessment of the potential resulting losses has been carried out, and that the overall cyber exposure falls within the stated risk appetite.
Cyber insurance underwriting offers cover for cyber-related losses resulting from malicious acts (for example, cyber attack or infection of an IT system with malicious code) and non-malicious acts, such as loss of data, accidental acts or omissions.
Marta Abramska, associate director in PwC’s cyber insurance practice, said: “The PRA expects insurers to get a better handle on their cyber risk management and should be seen as a clear sign that action needs to be taken by insurers and reinsurers to fully understand their cyber exposure.
“The difficulty of dealing with cyber threats is no longer an acceptable excuse for inaction and the regulator has today (5 July) set out the steps insurers need to take to provide security and stability.
“Although we have not yet seen large insurance losses, recent near misses such as Cloud Hopper highlight the large systemic potential of malware in a connected world and should form the basis of robust portfolio stress tests that the PRA has asked firms to complete.
“One of the key issues the PRA wants insurers to manage is that, even if they do not underwrite specific cyber insurance policies, they may be at risk of having to pay out for cyber damage falling under existing policies such as general liability or property.”
Operation Cloud Hopper used a combination of unique hacking tools and open source software in an attempt to gather information about diplomatic and political organisations, as well as intellectual property.
The Financial Conduct Authority’s chief operating officer Nausicaa Delfas cited research which showed that 10 vulnerabilities accounted for 85 per cent of successful breaches.