3 Cyber risk strategy and risk appetite

3.1 Cyber underwriting is a key area of risk, and it is important that this is reflected in the firm’s strategy and risk appetite statements.

3.2 The PRA expects that all Solvency II firms that underwrite affirmative cyber insurance policies and/or are exposed to non-affirmative cyber risk will have clear strategies for the management of the associated risks, owned by the board. The cyber strategy should include clearly articulated risk appetite statements with both quantitative and qualitative elements, for example defining target industries to focus on, a strategy for managing non-affirmative cyber risk, rules for line sizes, aggregate limits for industries, splits between direct and reinsurance, etc. (this list is not exhaustive).

3.3 The overall cyber strategy, associated risk appetite statements and relevant management information (MI) should be reviewed on a periodic basis by the board. The strategy and overall exposure levels of non-affirmative cyber risk should be reviewed by the board at least on an annual basis. For affirmative cyber risk the review should be more regular. The MI should include as a minimum:

  • clear articulations of the risk appetite statements and measurements against these;
  • aggregate cyber underwriting exposure metrics for both affirmative and non-affirmative cyber risk; and
  • cyber insurance underwriting risk stress tests that explicitly consider the potential for loss aggregation (eg via the cloud or cross-product exposures) at extreme return periods (up to 1 in 200 years) and are consistent with the general insurance stress tests carried out periodically by the PRA.

3.4 By articulating these issues, boards will understand and own the overall strategy for cyber risk and the associated prudential risks.