A critical report from the Bank of England’s Prudential Regulation Authority, a lead UK financial regulator, examined a broad sample of the country’s cyber insurance providers and has found that the market lacks the desired level of consistency in a number of elements.The report included 17 general insurers and 21 Lloyd’s of London syndicates, and tested industry responses to three underwriting scenarios involving cyber attacks or accidents: ransomware, data exfiltration and an unexpected cloud outage.
Given that the cyber insurance industry is still very young, some level of inconsistency in market products is expected. However, the report found “large” discrepancies in areas such as loss calculations and anticipated risks of specific events. While the report concludes that it is normal for an emerging market to lack consensus in these areas, UK financial regulators are urging cyber insurance firms to work on developing greater consensus going forward in anticipation of “future supervision.”
UK financial regulator warns insurers about “untested” policy language
The UK financial regulator’s study is not a comprehensive market survey, as it includes only a sampling of insurers and focuses on just three particular (though not infrequent and potentially very damaging) cyber insurance scenarios. But the findings reveal that the developing market, which has only existed for about two decades and has only incorporated ransomware in a broad way in the past decade, is still working on a general consensus on a number of points.
The first scenario invented by the UK financial regulator, “cloud down,” examines the cyber insurance response if a major cloud service provider had an outage lasting at least a week. This scenario eliminates the possibility of “war exclusions,” another contentious ongoing development in the cyber insurance world, by having the respondents assume that it cannot be proven that a nation state hacking team is involved.
The second scenario, “data exfiltration,” imagines something much more common: a cloud database is misconfigured and allows attackers to walk right in and steal client data, which is then published to the dark web. And the third scenario examines ransomware attacks, but a “systemic” campaign that compromises commonly used software to hit a broad range of policyholders and exploits a vulnerability that remains unpatched for three days. In the ransomware scenario about 7.5% of the cyber insurance firm’s customers are compromised and threat actors demands vary from $50,000 to $5 million depending on the size of the victim; 40% opt to pay the ransom, but the attacker ultimately does not delivery any decryption keys.
The UK financial regulator found that respondents “mostly” weathered the stress test, in the sense that only a small number reported concluding the scenario with an amount of funds on hand that would put them beneath national solvency capital requirements. But there were sometimes great differences in their assessments.
One of the points subject to the most variance was each cyber insurance firm’s calculation of how likely each of these scenarios actually is. The firms had the greatest amount of consensus on the ransomware scenario unfolding, even though it included some very specific terms; surprisingly, there was less consensus on the more common scenario of a client misconfiguring a database and leaving sensitive data open to the public internet. There was even less agreement on the cloud outage scenario, though something of the severity described by the UK financial regulator is rare.
Another area of variance was the assessment of impacts should key exclusions other than the nation-state involvement clause hold (such as negligence or intentional acts). The UK financial regulator warns that these variances could negatively impact capital comparability across the sector, and lead to mistakes in estimations of scenario impacts for individual insurers.
The UK financial regulator also highlighted “untested” policy language in some of the samples it reviewed, warning cyber insurance firms that some of its policies were too ambiguous and may not bear up under the weight of contract law challenges.
Cyber insurance firms advised to reach consensus pending future regulation
The UK financial regulator made clear it intends to return to this issue and anticipates future legislation, encouraging cyber insurance firms to hash out agreements in these areas ahead of more direct regulation. In addition to the points raised in the report, one that was largely set off to the side was the war exclusions exemption, something that is far from settled and that may ultimately end up not allowing firms to cut as much in loss as they presently anticipate.
The report additionally found that SCR coverage remains above 120% in all scenarios, and that cyber insurers are most reliant on third-party and related party reinsurance as a loss mitigator. Steven Tabacek, Co-founder, RiskLens, observes: “Cyber risk financial stress-testing includes both cybersecurity and related operational risk factors, and the results are used to ensure adequate capital reserves. It’s important that this be quantified to ensure only enough, and not too much precious capital is reserved for potential losses.”