Advisers could see cost of cyber attack cover increase

Insurers have been told to rethink the way they price policies that offer insurance cover for companies in the event of a cyber attack.

In a nine-page paper published today (5 July), the Prudential Regulation Authority ordered insurers to check again that they are making adequate capital provisions to stay afloat if they receive massive claims from insured companies that have been hit by a cyber attack.

The PRA ordered insurers to check on the terms of their policies, adjust the premium to reflect the additional risk and offer explicit cover; introduce robust wording exclusions; and/or attach specific limits of cover.

As a result advisers, who back in May were told by the FCA to make sure they were able to defend themselves effectively and respond proportionately to cyber events, could face increased premiums for this type of cover.

Should an insurer decide to offer cyber cover at no extra premium for a specific product or line of business, the PRA stated it would expect to see that the board has confirmed that a comprehensive assessment of the potential resulting losses has been carried out, and that the overall cyber exposure falls within the stated risk appetite.

Cyber insurance underwriting offers cover for cyber-related losses resulting from malicious acts (for example, cyber attack or infection of an IT system with malicious code) and non-malicious acts, such as loss of data, accidental acts or omissions.

Marta Abramska, associate director in PwC’s cyber insurance practice, said: “The PRA expects insurers to get a better handle on their cyber risk management and should be seen as a clear sign that action needs to be taken by insurers and reinsurers to fully understand their cyber exposure.

“The difficulty of dealing with cyber threats is no longer an acceptable excuse for inaction and the regulator has today (5 July) set out the steps insurers need to take to provide security and stability. 

“Although we have not yet seen large insurance losses, recent near misses such as Cloud Hopper highlight the large systemic potential of malware in a connected world and should form the basis of robust portfolio stress tests that the PRA has asked firms to complete.

“One of the key issues the PRA wants insurers to manage is that, even if they do not underwrite specific cyber insurance policies, they may be at risk of having to pay out for cyber damage falling under existing policies such as general liability or property.”

Operation Cloud Hopper used a combination of unique hacking tools and open source software in an attempt to gather information about diplomatic and political organisations, as well as intellectual property.

Back in April the FCA warned financial services firms are often not getting the basics right on cyber security, leaving them vulnerable to attacks.

The Financial Conduct Authority’s chief operating officer Nausicaa Delfas cited research which showed that 10 vulnerabilities accounted for 85 per cent of successful breaches.

The “vast majority” of these vulnerabilities were well known and had fixes available at the time of the attack, Ms Delfas said.

She said: “Some of these attacks used vulnerabilities for which a fix had been available for over a decade.

“Being rigorous about patch management is key. Tools to enable effective management of vulnerabilities are well established, and yet organisations either don’t use them, or don’t use them effectively.

“If we cannot get the basics right, then what chance is there that we can repel the sophisticated attacker?”

The regulator has established a number of Cyber Coordination Groups.

Ms Delfas said: “We are collecting, anonymising and aggregating actual risk data across around 175 firms in each area of the financial sector.

“This will provide us – and firms – with a much better picture about how cyber risk crystallises.

“Are we seeing unique threats in specific parts, such as retail banking, compared to other parts, such as insurance? Or are we seeing the same generic cyber threats threaten all firms?

“We will be seeking to carry this work out over the coming year and will look to share our findings.”

A government report at the start of April revealed just under half of all British businesses were victim to at least one cyber security breach last year.

The Department for Culture, Media and Sport found 46 per cent of all businesses discovered at least one cyber security breach in 2016, with the average cost to firms ranging between £1,570 and £19,600.

emma.hughes@ft.com