Cyber insurance underwriting risk

Supervisory Statement 4/17 
Published on 05 July 2017

This supervisory statement (SS) sets out the Prudential Regulation Authority’s (PRA) expectations of firms regarding cyber insurance underwriting risk. For the purposes of this SS cyber insurance underwriting risk is defined as the set of prudential risks emanating from underwriting insurance contracts that are exposed to cyber-related losses resulting from malicious acts (eg cyber attack, infection of an IT system with malicious code) and non-malicious acts (eg loss of data, accidental acts or omissions) involving both tangible and intangible assets.

This statement follows a cross-industry review conducted between October 2015 and June 2016. The key findings were published in a letter to firms on 14 November 2016

This SS is relevant to all UK non-life insurance and reinsurance firms and groups within the scope of Solvency II including the Society of Lloyd’s and managing agents (‘Solvency II firms’).

This SS should be read in conjunction with:

  • the PRA’s rules in the Solvency II sector of the PRA Rulebook, in particular rule 3.1 of the Conditions Governing Business Part, and the Insurance Senior Management Functions and Technical Provisions Parts;
  • the PRA’s approach to insurance supervision; 
  • the European Insurance and Occupational Pensions Authority (EIOPA) Guidelines, particularly Guidelines 3, 17, 19, 20, 46, 47, 50, 56 and 61 on Systems of Governance and Valuation of Technical Provisions;  and
  • Articles 9, 11, 17 and 18 of the Commission Delegated Regulation of Solvency II.

This SS expands on the PRA’s general approach as set out in its insurance approach document. By clearly and consistently explaining its expectations of firms in relation to the particular areas addressed, the PRA seeks to advance its statutory objectives of ensuring the safety and soundness of the firms it regulates, and contributing to securing an appropriate degree of protection for policyholders.

The PRA’s expectations are split into three broad areas:

  • non-affirmative cyber risk (Chapter 2);
  • cyber risk strategy and risk appetite (Chapter 3); and
  • cyber expertise (Chapter 4).

Supervisory Statement 4/17

Future version

Published on 15 November 2024. Effective from 31 December 2024.