Insurance supervision - cyber risk highlighted

Published 30 January 2023

Cyber risk has featured in the PRA’s Dear CEO letters for a number of years now.  It is, of course, not the only risk to be highlighted but repeat mention of cyber does single it out in certain respects. 

In the PRA’s 10 January 2023 letter, reference is made to “Non-natural catastrophe risk”.  This includes a range of non-property risks but only cyber is specifically identified.  The PRA regards exposure management capability in this area to be “immature”.  It wants to see insurers mitigate the risk of “outsize losses” and not to “underestimate capital requirements”. 

In a previous Dear CRO letter, dated 13 November 2020, the PRA had noted that “exposure management frameworks for non-property classes of business are less mature than for property classes”. 

Prior letters have identified concerns regarding reserve adequacy, underwriting discipline, expertise and training (including at board level).  This builds on work in the market to eliminate “silent cyber,” to ensure that risks are properly defined, rated, limited and reinsured.

Returning to this year’s letter, the PRA has identified as an area of focus working with general insurers to enhance risk management capabilities in relation to non-natural catastrophe business.  Given the ambitious growth plans for cyber of many insurers subject to supervision by the PRA (including regulation delegated to Lloyd’s), we can safely assume that cyber will continue to attract particular attention from regulators.