UK Insurers Mostly Withstand Cyber Stress TestExclusions and Reinsurance Bolster Resiliency to Extreme Cyber Risk
British insurers mostly withstood a stress test assessing their ability to weather extreme cyber incidents such as systemic ransomware, although regulators warn that underwriters are sharply divided on the likelihood of those events actually occurring.
The Bank of England for a periodic solvency stress test of U.K. insurers created three scenarios that included a widespread cloud computing outage, data exfiltration and ransomware. Only a handful of insurers reported emerging from the scenarios with less money on hand than required by national solvency capital requirements.
But those results could be overstated, the central bank's Prudential Regulation Authority concluded, given that each scenario required insurers to select "their most material exposures."
Underwriters' success with the scenarios rested on a number of factors including widespread industry agreement that exclusions for losses arising out of war apply to cyber incidents caused by nation-states. Achieving that exclusion in practice has proved complex since nation-state attacks can spread far beyond their intended targets (see: Oreo Maker Settles With Insurer Over NotPetya Damages Claim).
Some insurers told regulators that they have "a specific governance approach" to invoking their war exclusions and have updated their exclusionary language to take into account recent challenges.
Underwriters also attributed their success to improved precision at excluding cyber losses from other coverage lines such as property insurance.
Reinsurance played a strong role as well, and underwriters said they were able to offload between 52% and 56% of risk through reinsurance.
But the report also suggests underwriters may not be operating from the same set of assumptions when it comes to the likelihood of having to manage an actual extreme cyber event. Consensus was strongest around ransomware and the least cohesive on a cloud outage. "Large variation across participants" on the likelihood of the cyber scenarios "could impact capital comparability across the sector," regulators warned.
The Bank of England also found that underwriters' ability was highly variable when it came to assessing the impact should key exclusions hold.
Underwriters' enthusiasm for covering cyber risks has soured over the years given the unpredictability of cyber events plus the difficult of distributing risk into pools, since cyber risk isn't necessarily bounded by industry or geography. In the United States, the federal government is studying whether it should provide a backstop in the case of a catastrophic cyberattack on critical infrastructure (see: US Government to Study Cyber Insurance Backstop).