Bulletins

Insurance Bulletin, 7 April 2015

In this issue: Regulation and legislation; Market developments

1. Regulation and legislation

EU: Solvency II and cross-border trading

The intention of the Solvency II directive is to introduce harmonised risk-based rules for insurers operating within the EU. One of the major changes which is expected concerns the way in which distribution of insurance will be regulated across the EU. Firms trade cross-border by way of the “passporting” regime, which allows firms authorised to provide certain financial services in one EEA Member State to deliver similar services in other EEA Member States. It is expected that the Solvency II regime will make it easier for firms to do this.

The proposal is that under the new regime, host state regulators will be able to claim jurisdiction over enforcement matters in certain circumstances. Insurance distributors which operate in more than one Member State may therefore have to engage with both their home and host state regulators.

It is likely that the directive will be implemented in different ways throughout the EU Member States, and there will therefore be differences in the way that firms operate through the EEA. As a result, firms will need to be clear not only on the laws and regulations which apply to them in their home state, but also on the laws and regulations of the host state which will apply to them when they operate in the host state under a passport.

For more information, please contact Ciara Jackson, Associate, on +44 (0)20 7264 8423, or ciara.jackson@hfw.com, or your usual contact at HFW.

England and Wales: The Prudential Regulation Authority publishes its rules and supervisory statements on Solvency II

On 20 March 2015, the Prudential Regulation Authority (PRA) published a policy statement of its final rules and supervisory statements (together, the Rules). The Rules set out how Solvency II Directive (Solvency II) will be implemented in the UK.

At the same time, the PRA published a consultation paper which seeks feedback on the draft process for applications for a volatility adjustment (VA). The VA allows insurers to avoid market volatility and avoid having to compensate for that volatility.

The Rules incorporate the proposals by the PRA, but also some new changes introduced following feedback from the prior consultation on the Rules. The Rules apply to UK Solvency II firms and Lloyd’s, and do not address everything in Solvency II. It is worthwhile noting, where issues are not addressed, the PRA maintains the approach set out in the prior consultation.

Some of the new changes to the proposals since the consultation on the Rules concern:

The VA: The PRA published a draft supervisory statement to provide clarity on the application process for a VA. Although the consultation on the VA will close on 20 April 2015, a firm wishing to apply can make a formal application from 1 April 2015. Their aim is to decide on applications in a shorter time period, rather than six months (the statutory requirement), but ultimately it seems this will depend on the volume of the applications made.

Transitional measures: The PRA amended its Rules to reflect the HM Treasury inserting a specific reference to INSPRU 7 in the current PRU handbook that simplified the approach to the transitional measure.

Third-country branches: The PRA responded to concerns that there would be extensive requirements resulting from Solvency II on branches carrying on only reinsurance business, by proposing to consider applications to waive these requirements. Firms are requested to raise the matter with their supervisory contact. There will also be further consultations by the PRA on adoption of the European Insurance and Occupational Pensions Authority Guidelines for branch supervision in the summer of 2015.

With profits insurance business: The PRA has amended the definitions “with-profits fund” and “with-profits policy liabilities”, and also the supervisory statement, to clarify the material regarding affordable and sustainable distribution strategies. This clarification does not indicate a change in policy intent.

Appointment of actuaries: Amendments have been made to make clarifications, and allow the Chief Actuary, which is required to be appointed under the Rules, to be an individual in another group company, provided they meet certain requirements.

There will need to be amendments to Statutory Legislation, and minor amendments to the FCA Handbook in addition to the Rules. The statutory instrument including the Rules, established by PRA with its powers under the Financial Services and Markets Act 2000 (see Sections 137G and 137T) comes into force on 1 January 2016.

A copy of the PRA policy statement of the final rules and supervisory statements to implement Solvency II can be found here: http://www.bankofengland.co.uk/pra/Documents/publications/ps/2015/ps215.pdf

A copy of the PRA consultation paper on application process for the VA can be found here: http://www.bankofengland.co.uk/pra/Documents/publications/cp/2015/cp1115.pdf

For more information, please contact Thomas Coombs, Associate, on +44 (0)20 7264 8336, or thomas.coombs@hfw.com, or your usual contact at HFW.

2. Market developments

England and Wales: Computer says no: new cyber risks report published by the UK Government

On 20 March 2015, the UK Government published a report on the role of insurance in managing and mitigating cyber security risk. It is a collaboration between the Government, insurers, brokers and insurance associations and it defines cyber risk, comments on cyber exposures, types of losses, and identifies gaps in traditional insurance cover.

It seems the main focus of the report is to heighten awareness of cyber risks to ensure businesses in the UK are obtaining adequate insurance, as recent statistics shows that 81% of large businesses and 60% of small businesses suffered a security breach in 2014.

What losses are UK businesses facing now?

The report shows losses range from the insurable e.g. damage to IT systems from a breach of privacy, to the uninsurable e.g. theft of intellectual property.

The report acknowledges there is a lack of data on losses, due to incidents going unreported, which is forcing insurers to use over-conservative assumptions. Due to the lack of data, the Government plans to collaborate with insurers to make data more accessible, with a view to reducing premiums. Perhaps more likely to have a substantial effect is the new EU legislation (General Data Protection Regulation) currently being lobbied, which in its current form includes mandatory notice requirements, which once implemented could increase data available.

Where is traditional insurance falling short?

The report identifies traditional insurance that can cover cyber risks, but frequently does not. Cyber insurance should be a “wrap”, and fill the gaps other traditional policies do not cover. The report provides a warning to all UK businesses that are buying cyber products “off the shelf”, or even worse, buying no cover at all.

The following gaps are identified:

Property: these policies can exclude first party property losses resulting from a cyber trigger, and damage to intangible property e.g. damage to software and data is also generally excluded.
Business interruption: cyber attacks usually do not cause physical damage (a trigger for BI cover to operate), although it is not unheard of (it was recently reported an attack on a German steel mill resulted in an unscheduled shutdown of a blast furnace causing “massive damage”).
General liability: these policies can exclude unauthorised disclosure of personal information (for example, resulting from an accidental breach of privacy e.g. loss of a USB with personal information on it).
Errors and omissions/professional indemnity: cover in these policies may be restricted to liability claims from customers only, and certain exclusions might apply e.g. computer virus transmission.

The report predicts that there might be an increased use of exclusions in traditional policies, with cyber exposures insured explicitly as add-ons to traditional policies, or combined in stand-alone policies.

Aggregation: future fears

The report covers the difficulty posed by cyber risks to insurers due to the ability of losses to aggregate across different insureds and different jurisdictions, due to their global nature.

A similar challenge to insurers from an aggregation perspective, is the effect on reinsurance recoveries, as interpretation of reinsuring clauses which aggregate losses present a common area for dispute between reinsureds and reinsurers. Whether cyber claims aggregate would depend on the type of aggregating language in the clause i.e. is it “cause” or “event” based? Wordings that are “cause” based will have a broader effect and allow multiple events to aggregate where there is one originating cause. As an example, in the context of cyber risks, claims resulting from a breach of privacy or software damage resulting from a virus that has infected systems in multiple locations, at multiple times, are unlikely to be aggregated under an “event” based wording by failing to establish unities of both locality and time.

Due to fears over exposure, a government backed reinsurer of cyber risks similar to Flood Re was a possibility, however the report has confirmed there is no conclusive evidence of the need for such a solution at present. However, as more loss data becomes available, this position may change, so watch this cyber-space.

A copy of the report can be found here: https://www.gov.uk/government/news/cyber-security-insurance-new-steps-to-make-uk-world-centre