UK Insurers Mostly Withstand Cyber Stress Test

Exclusions and Reinsurance Bolster Resiliency to Extreme Cyber Risk

British insurers mostly withstood a stress test assessing their ability to weather extreme cyber incidents such as systemic ransomware, although regulators warn that underwriters are sharply divided on the likelihood of those events actually occurring.

For a periodic solvency stress test of U.K. insurers, the Bank of England created three scenarios that included a widespread cloud computing outage, data exfiltration and ransomware. Only a handful of insurers reported emerging from the scenarios with less money on hand than required by national solvency capital requirements.

But those results could be overstated, the central bank's Prudential Regulation Authority concluded, given that each scenario required insurers to select "their most material exposures."

Underwriters' success with the scenarios rested on a number of factors including widespread industry agreement that exclusions for losses arising out of war apply to cyber incidents caused by nation-states. Achieving that exclusion in practice has proved complex since nation-state attacks can spread far beyond their intended targets (see: Oreo Maker Settles With Insurer Over NotPetya Damages Claim).

Some insurers told regulators that they have "a specific governance approach" to invoking their war exclusions and have updated their exclusionary language to take into account recent challenges.

Underwriters also attributed their success to improved precision at excluding cyber losses from other coverage lines such as property insurance.

Reinsurance played a strong role as well, and underwriters said they were able to offload between 52% and 56% of risk through reinsurance.

But the report also suggests underwriters may not be operating from the same set of assumptions when it comes to the likelihood of having to manage an actual extreme cyber event. Consensus was strongest around ransomware and the least cohesive on a cloud outage. "Large variation across participants" on the likelihood of the cyber scenarios "could impact capital comparability across the sector," regulators warned.

The Bank of England also found that underwriters' ability was highly variable when it came to assessing the impact should key exclusions hold.

Underwriters' enthusiasm for covering cyber risks has soured over the years given the unpredictability of cyber events plus the difficulty of distributing risk into pools, since cyber risk isn't necessarily bounded by industry or geography. In the United States, the federal government is studying whether it should provide a backstop in the case of a catastrophic cyberattack on critical infrastructure (see: US Government to Study Cyber Insurance Backstop).

About the Author

David Perera

Editorial Director, News, ISMG

Perera is editorial director for news at Information Security Media Group. He previously covered privacy and data security for outlets including MLex and Politico.
