Cyber Stress Tests Loom For U.K. Insurers

The Prudential Regulation Authority (PRA), the financial regulator overseeing the United Kingdom, has directed insurers to conduct “stress tests” tied to cyber attacks, the Financial Times reports.

In the wake of ransomware attacks as far reaching and well-publicized as WannaCry, the need for cyber attack coverage has grown. According to the Financial Times, the industry is more concerned than ever about possible fallout resulting from large-scale cyber attacks.

Against that backdrop, a dearth of data shows just what the impact might be. As such, the PRA has rolled out rules for insurers to follow when assessing risks.

According to the PRA, insurers should have “board level oversight” of cyber risk exposure, and stress tests must be conducted on a regular basis. The stress tests should simulate the impact of what would happen should enterprises submit a host of claims simultaneously. Those stress tests seek to illuminate what is known as “non-affirmative” risk, where cyber risks are covered not by specialist policies but by general ones. In those cases, premiums should be adjusted to reflect the nature of the policy.

The Financial Times quoted audit and assurance, tax and consulting services provider PwC, which found that only 14 percent of insurers had data that could help them calculate exposure to those types of cyber risks.

“The difficulty of dealing with cyber threats is no longer an acceptable excuse for inaction, and the regulator has today set out the steps insurers need to take to provide security and stability,” said Marta Abramska, PwC associate director in the firm’s insurance practice. “Although we have not yet seen large insurance losses, recent near misses . . . highlight the large systemic potential of malware in a connected world.”