The UK’s Prudential Regulation Authority (PRA) has, this month, written to insurance companies in the UK to find out more about how they deal with the threat posed by cyber attacks and what mechanisms they have in place to protect client data. The PRA is (since 1 April 2013) responsible for the prudential regulation and supervision of around 1,700 banks, building societies, credit unions, insurers and major investment firms.
The PRA has sent a questionnaire to insurance companies (available here) in an “effort to help the PRA understand firms’ current policies and capabilities” in relation to the prevention of and response to cyber incidents. This follows on from the PRA’s Annual Report and Accounts for 2015 (released on 15 June 2015), in which cyber risk is clearly noted as an area of focus for the PRA. In the Annual Accounts, the PRA stated that “[a] key part of the supervisory approach for the largest insurers, as with deposit-takers, is the use of stress tests to inform FPC and PRA decision-making about the capital resilience of general insurers and the wider financial system overall. Over the coming year, the PRA will build on the 2014 insurance stress test conducted by EIOPA, and undertake a general insurance stress test exercise. This will cover a range of stresses including natural catastrophes, terrorism and cyber attack.” The questionnaire is likely to be regarded as the first step in this exercise.
The questionnaire requires insurance companies to self-certify their responses, and is a clear indication of the increasing risk – and the awareness of that risk – that cyber threats pose to industry as a whole.