The UK financial regulator has been studying the nation’s cyber insurance providers, and while the industry as a whole gets a passing grade there are some serious concerns about standards and consistency. The regulator is calling for the industry to converge on terms that are more predictable to insurance purchasers.
After surveying about 40 cyber insurance providers, the Bank of England’s Prudential Regulation Authority found that there is not a great deal of consensus on how risk and loss are calculated in certain common scenarios. There is some tolerance granted for this due to the cyber insurance market still being very young, but UK financial regulators warn that the industry as a whole needs to apply some course correction going forward if it wants to avoid heavier government involvement.
UK cyber insurance market seeks greater stability
Cyber insurance firms are still in something of a grace period, given that the product did not even exist at the beginning of some underwriters’ careers, but UK financial regulators are signaling that intervention is on the way if things do not shape up. Terms have shifted rapidly in the past two years as cyber crime has gone through the roof during the Covid-19 pandemic, particularly in the realm of ransomware coverage.
Another potential issue is that losses are being mitigated in ways that may not be sustainable in the long term: via the “war exclusion” rules that are under legal debate, and through a heavy reliance on related-party and third-party reinsurance. Some existing policy language was also called into question by UK financial regulators, with the implication that it might not survive court challenges.
However, it is important to note that the study covers only a relatively small number of UK insurers and asks about cyber insurance terms in just three specific situations: a ransomware attack, data exfiltration, and a prolonged cloud outage.
UK financial regulator warns of more attention coming if changes are not made
The UK financial regulator asked cyber insurance firms to respond to risk assessment and coverage questions about three hypothetical scenarios: a cloud outage of at least a week, an attack in which customer data is exfiltrated via a database security oversight, and a ransomware attack in which the attacker does not decrypt the files even if the ransom is paid.
Overall, the cyber insurance firms appear to have done well enough to pass these imaginary scenarios, with only a few reporting that they would not be able to maintain the requisite level of solvency after making all required payments. But there was greater variance in their tabulations of risk likelihood and coverage amounts than financial regulators would like to see, particularly in the extended cloud outage scenario.
Policy language that has yet to be tested in courts could also be an issue going forward. The report indicated that some policies were too ambiguous and could be in trouble should they be challenged under contract law.