Response from the IFoA’s Cyber Risk Working Party to the PRA Stress Test Feedback
The PRA recently published some feedback on the 2019 Insurance Stress test. One of the areas highlighted for further investigation was the cyber models currently in use in the industry - "With gross losses running in multiples of annual stand-alone cyber premiums, this underlines the immaturity of available models, with potential links to capital adequacy."
The cyber risk working party have put together this reply to signpost the work that has been undertaken in recent years to develop the models, and share a few thoughts on the areas of focus for future development.
Re: Insurance Stress Test 2019 and Covid-19 stress testing: feedback for general and life insurers
Thank you for publishing feedback on the 2019 Insurance Stress Test. The IFoA Cyber Risk working party welcomes the inclusion of the exploratory cyber scenario in the recent stress testing and the insights that it provides for future development in modelling this growing risk source.
Stress Test Observations
The stress test revealed that a range of models and assumptions are in use for assessment of cyber risks, raising questions as to whether all firms had the necessary expertise and modelling capability to assess cyber risk.
The working party believes that much of this variation is likely to be due to the evolving risk environment and constantly changing threat landscape. In just a few years the major concern for Cyber insurers has shifted from data breach, to cloud outages and today the primary focus sits on ransomware events. The wide range of potential sources of cyber loss makes modelling this risk challenging, as it takes time to gather data and build models for new emerging threats. This challenge permeates to all areas of the insurance chain, from selecting the best risks at the underwriting stage, through to managing accumulations and effectively allocating capital.
Although there is much work yet to do, considerable progress has been made over the last 2-4 years in firm’s understanding of exposures and development of accumulation monitoring processes. These areas were important to address before questions of consistency between scenarios, assumptions, losses and capital impacts could be properly considered.
Another key area of concern highlighted in the stress test was the lack of robust understanding and quantification of the non-affirmative or ‘silent’ Cyber risk contained within other traditional lines of business such as Property and D&O. This was evidenced by a number of firms identifying Property as the largest exposed LOB to Cyber risk; likely driven by the 2017 event NotPetya and concerns over costly business interruption claims emanating from malware events. It would be interesting to see how firms would respond a year later, as Lloyd’s have mandated an explicit exclusion or affirmative offering of Cyber cover on all D&F property policies since 1/1/20 which could materially change reported numbers for the same scenario.
It should come as no surprise that the PRA and Lloyd’s are putting such a strong focus and spotlight on effective understanding and management Cyber risk, as firms reported net claims figures that are of the same magnitude with losses from their Nat Cat scenarios. For general insurers Nat Cat risk has historically been the ‘peak’ or largest risk that has caused insurers to go insolvent, and the responses indicate that extreme Cyber events could cause similar issues.
Working Party Involvement
In a rapidly evolving market and risk environment, companies will inevitably be at different stages in the development of their models and expertise. Although some variation is unavoidable, the working party agrees that more work is needed across the industry to develop modelling capability and expertise in assessing cyber risk. The working party has looked to improve capability in the industry's ability to assess non-affirmative cyber risk through the introduction of the 'Silent Cyber Assessment Framework' in Q4 2019. If a similar stress test were to be repeated for 2020/21, some improvement in consistency between firms might be expected.
Other areas the working party has been looking at to improve capability in the industry include considering what actuaries wanted accumulation model vendors to consider to assist them with their cyber risk modelling.
Areas for Future Development
The scenario currently only covers cyber risks facing GI firms. Although likely to be relatively small (against market and demographic risk exposure), Life companies are also exposed to cyber risk through operational risk events, examples of tail risk events might be data loss or ransomware scenarios.
The working party would be keen to engage with the PRA on future development of the cyber-stress test for 2022. As noted in the original specification, future development might include development of more specific scenarios, with prescribed assumptions to remove inconsistencies in assessments between firms.
We welcome the continued transparency and sharing of feedback as firms continue to enhance their understanding of Cyber risk and encourage the PRA to continue to assist in guiding and educating firms in this area.