PRA: UK insurers need to plan for cyber-attacks

UK insurers have been told by the Prudential Regulation Authority (PRA) that they need to prepare for the impact of possible cyber-attacks as part of a wider demonstration of their operational resilience.

The requirement comes in a new letter to industry CEOs informing them of the PRA’s priorities for 2023.

The letter states: “Given the increase in crystallised operational incidents, we continue to maintain our focus on operational risk and resilience. A large part of this will be the continued assessment of firms against the PRA’s operational resilience rules as set out in Supervisory Statement (SS) 1/21 – ‘Operational resilience: Impact tolerances for important business services’. At this point, we would expect insurers to have identified and mapped their important business services and set impact tolerances.”

Over the next three years, it adds, insurers will need to demonstrate their ability to operate within those impact tolerances under a range of severe but plausible scenarios, including cyber-attacks:

“Applying the principle of proportionality, we will be working closely with firms to review the appropriateness of impact tolerances, the identification of dependencies, as well as robustness of testing plans. Insurers must make sure their important business services can remain within impact tolerances even when relying upon third party providers. To that end, firms should also be able to demonstrate that they meet the expectations relating to outsourcing and third-party risk management set out in SS2/21 – ‘Outsourcing and third-party risk management.’”

More broadly, the PRA outlines its main areas of focus for 2023: “financial resilience; risk management; implementing financial reforms; reinsurance risk; operational resilience; and ease of exit for insurers”. 

The spectre of inflation is also raised as a significant issue for the market, with clear expectations flagged around how this needs to be reflected in business planning and rates.

“For general insurers, 2023 will likely see a continuation of pressures on claims inflation, as we mentioned in our October 2022 insights from our recent thematic review across the general insurance sector. Our review identified a number of observations relating to how claims inflation differs by line of business and geography.”

“There is uncertainty in the severity and duration of claims inflation expected, and there may also be a lag before it materialises. Consequently, this gives rise to additional uncertainty around future claim settlement costs. Therefore, we expect general insurers to factor general and social inflation risk drivers into their underlying pricing, reserving, business planning, and capital modelling.”