The Big Question: “How vulnerable are UK general insurers to a major cyber-attack?”
Stress testing, once the preserve of the banking and life & pensions markets, has in recent years become embedded in the culture of general insurance. And rightly so. The fallout from the 2008 Financial Crisis revealed just how intertwined and complex the modern financial services system really is, with the support of insurance for relatively new products in the capital markets – at the time mainly collateralised debt obligations – a key component of the wider market functioning. So it is only right and just that specialty insurers and reinsurers should form part of any regular reviews of their ability to withstand market-wide shocks.
Thankfully, it would appear that our market is in robust health at present – though there are still areas of concern. The Prudential Regulation Authority (PRA) published its feedback on the Insurance Stress Test exercise on 23 January 2023, and the results revealed that the UK insurance sector is resilient to the PRA-specified stress scenarios, subject to mitigating measures. For life insurers these scenarios were market stresses and an increase in longevity. For general insurers, which includes Lloyd’s syndicates, the stress scenarios were natural catastrophe and cyber losses.
The three cyber scenarios envisaged were cloud outage, mass data exfiltration, and systemic ransomware. The PRA found that all firms were resilient to the scenarios, but between one and two firms saw their SCR fall below 100%. However, it also found that there was significant variance in firms’ assessment of the likelihood of this risk. Also, several firms were unable to assess the potential impact of unusable key exclusions – a fact I can’t help thinking is a significant oversight given the potential impact of cyber-related losses.
With this in mind, in this week’s Big Question, Elisabeth Stheeman, member of the Financial Policy Committee of the Bank of England, stresses both the continuing vulnerability of the market to cyber risks, and the need for enhanced operational resilience in the face of what is clearly now a major threat not only to general insurers, but also to the wider financial services sector.
Ian Summers, Global Business Leader, AdvantageGo
“The Financial Policy Committee (FPC) is responsible for identifying, monitoring, and taking action to remove or reduce systemic risks with a view to protecting and enhancing the resilience of the UK financial system,” says Stheeman. “Often we, as a committee, think about this in terms of financial risks and tests of financial resilience. Happily, the UK financial system has passed a number of tests to its resilience in recent years.”
“We won’t always be able to predict events like these that test the system. But we routinely do our own stress tests of the financial system to make sure it is prepared to withstand the macroeconomic shocks that events [such as COVID 19] might trigger, and which might then disrupt the provision of financial services. In July of this year, we published the results of our 2022/23 annual cyclical scenario—or, ACS—which showed that, faced with a set of severe economic conditions, the major UK banks would be financially resilient, and would be able to continue to lend to households and businesses. In addition to the ACS, we have worked with major banks and insurance companies to explore their exposures to climate-related financial risks. Finally, we recently launched our first system-wide exploratory scenario exercise (SWES) to improve our understanding of the behaviours of banks and non-bank financial institutions in stressed financial market conditions.”
Since the inception of the FPC in 2013, she adds, the risk from cyber-attacks has been high on the committee’s agenda, and indeed “is the most prominent operational risk the FPC has been monitoring”.
“Cyber risks have also been at the forefront of UK businesses’ minds,” she says. “The Bank of England carries out a Systemic Risk Survey to get a sense of what worries UK banks and other financial institutions. Cyber risk is frequently cited as a key source of risk to UK financial stability. The risk of a cyber-attack is the most cited risk in the latest survey for the second half of 2023, with 80% of firms mentioning it. This is the highest proportion of respondents citing cyber risk ever recorded in the survey. Earlier this year, geopolitical risks were at the top of the list, but three-quarters of firms still worried about a cyber-attack.
These issues are not unrelated; the National Cyber Security Centre, or NCSC, has noted Russia’s use of cyber capabilities to maximise its operational impact in Ukraine, calling this the most significant development in the cyber security threat internationally. The NCSC has also said that China’s technical development and evolution is likely to be the single biggest factor affecting the UK’s cyber security in the years to come. Ransomware remains one of the most acute cyber-related threats faced by UK businesses, but less sophisticated cyber-crime also remains a challenge.”
Left unchecked, Stheeman suggests, a cyber-attack could impact financial stability directly if it leads to a material disruption of the provision of vital services by financial institutions, markets and financial market infrastructure.
“I like to call the infrastructure that provides vital services, ‘the plumbing’. It is largely invisible to us until it no longer works, and in the 2008 financial crisis it was only when the pipes of global finance were under threat and financial stability at risk that market participants, policymakers, and the public realised how vital it was, and to never take it for granted.”
And the ramifications of any such attack, she adds, could be wider still: “A cyber-attack could also impact financial stability indirectly if there is financial contagion through liquidity stress, financial losses, and significant price moves that could disrupt market functioning, or through a loss of confidence in financial institutions or payment systems.”