Insurance Bulletin, July 2017 Edition 2
In this issue: Regulation and legislation; HFW publications and events
1. Regulation and Legislation
UK: PRA demands action on silent cyber risk
The PRA has recently produced a supervisory statement outlining its expectations for firms regarding cyber insurance and underwriting risk. The statement is chiefly concerned with the ‘silent cyber risks’.
Cyber risks can be cyber-related losses resulting from malicious cyber attacks, such as infecting an IT system with malicious code, and non-malicious acts like the loss of data, accidents and omissions. These can involve both tangible and intangible assets. These risks are silent if the firm’s insurance neither provides nor excludes cover for such risks. The PRA is concerned that many policies with ‘all risks’ contract wordings may in fact cover cyber risks, notwithstanding that such risks may not have been identified and quantified for the purposes of determining premium.
The PRA argues that many insurers are unaware of or unwilling to accept the extent of this exposure and it is concerned about the lack of progress being made on this issue. It reiterates the outcome of its review from last year which found that most firms did not demonstrate ‘robust methods for quantifying and managing silent cyber risk’.
First of all, insurance firms should be taking steps to identify and quantify their actual underwriting risk. This should include risk from ‘affirmative’ cyber insurance policies covering data breach, but also those silent cyber risks emanating from property and casualty policies covering physical and non-physical damage. In order to manage these risks the PRA suggests that firms take action either by increasing premiums to reflect the additional risk or expressly excluding or limiting cover for cyber risks. Insurers who fail to implement these strategies will need to demonstrate that their exposure to cyber risks falls within their ‘stated risk appetite’. This will require insurers and reinsurers to take active steps to ensure that underwriters of traditional classes of business, such as property and casualty, engage with colleagues involved with ‘affirmative’ cyber underwriting to understand the nature and scope of the risk that they may otherwise assume unintentionally. Separately, it will also require collaboration across different classes of business to assess and quantify the potential for substantial accumulations of losses, whether by geographic region or by industry sector.
Regard should also be had as to whether losses might aggregate and exhaust the limits of any responsive reinsurance assets, for example where multiple assureds are affected by a single rapidly spread incident, such as the WannaCry ransomware.
The recent WannaCry and Ukraine ransomware attacks are consistent with an increasingly rapid trend of growing frequency and severity of cyber attacks. One of the most intractable difficulties for insurers seeking to model this trend, therefore, is the paucity of historic data available to predict the rate of which the frequency and severity of such events may be expected to increase, since the industry may very well be at the beginning of a period of exponential increases. This source of uncertainty unfortunately compounds the challenges to insurers who have exposure in this area (whether intentionally or otherwise). That is, in addition to the risks of accumulation of losses, whether unforeseen aggregation of losses may exhaust reinsurance limits unexpectedly, and of course the risk of ‘silent cyber risks’, where insurers may not even be aware of their exposure.
On any view, the PRA’s action in the area represents increasing pressure on the industry to take cyber risk seriously and to transform ‘cyber’ from a novel class of insurance to a mature one.
Senior Associate, London
T +44 (0)20 7264 8346
England & Wales: Reading the Riot Act: Riot Compensation Act 2016 four months on
The Riot Compensation Act 2016 has now been in force for three months. This new Act has repealed the Riot (Damages) Act 1886, simplifying and modernising the process of victims claiming compensation for damage caused by riots. The reforms will also benefit insurers seeking recoveries for the claims that they have paid out to riot victims, as insurers will now be able to claim compensation from the relevant local police authority.
For centuries, local police authorities have been liable under statute to pay compensation to those suffering loss caused by riot and this principle was codified in the Riot (Damages) Act 1886. Insurers were all too aware of the effects of the 1886 Act. Various court cases throughout the 2000’s confirmed that such compensation would be covered under a liability policy purchased by the police authorities. Many insurers dealt with this problem by excluding claims for damages under the 1886 Act in their liability policies. Insurers who had paid indemnities to those who suffered losses by riots also exercised subrogation rights against the police authority liable to pay the damages. As many police authorities were insured, this led to many cases of insurers suing insurers.
Following the 2011 London riots, it became clear that the 1886 Act was unfit for purpose in the modern world. For example, it contained no provision for cars because the first cars had only just been invented in 1886. Victims of the 2011 riots faced a long and drawn-out claims process. The 1886 Act was so unknown in 2011 that it was very time-consuming for insurance professionals to deal with the number of claims. At one point, there were not enough available loss adjusters in London to advise the police authorities of the adjustment of their claims. An independent review concluded that numerous changes were needed.
The 2016 Act simplifies, clarifies and amends the procedure for claiming compensation from police authorities for property damage caused by riot. It came into force on 6 April 2017. One of its most significant changes is to allow insurers who have paid claims for riot damage to claim compensation from the relevant local police authority. It also imposes a compensation cap of £1 million per claim and excludes any liability upon police authorities for consequential losses. Importantly, it also expands the definition of property to include cars. The Association of British Insurers (ABI) and large London insurers were closely involved with the development of the new law and described the act as “a good outcome for property insurers”. The ABI also commented that the new Act “means insurers will continue to be able to include riot damage cover as standard in property insurance policies”.
Implementation of the 2016 Act is dealt with through the Riot Compensation Regulations 2017, which also came into force on 6 April 2017. These provide that:
- An insurer who has paid any claim due to damaged caused by riots may seek compensation from the local police authority (section 1(2))
- Claimants may not make more than one claim relating to property at the same address, there is an absolute cap of £1 million per property (Regulation 4)
- Claimants must give notice of their claim within 43 days of the end of the riot, with supporting evidence within 91 days of giving such notice (Regulation 6)
- A claim made by someone who took part in the riot may be refused (Regulation 16)
Despite the clarification brought about by the new act, questions remain. The definition of “riot”, for example. English law defines a riot as “where 12 or more persons who are present together use or threaten unlawful violence for a common purpose and the conduct of them (taken together) is such as would cause a person of reasonable firmness present at the scene to fear for his personal safety”.1 But where is the cut-off between 12 people committing an opportunistic or isolated act of damage or theft, and 12 people committing a riot?
The new regime will ultimately only be tested if there is a major riot or civil disturbance. There have been no reported cases involving the new regime since it came into force in April 2017. Some might argue that the current unpredictable political climate post election and recent events has increased the risk of such an outbreak. Furthermore, June 2017 saw the UK’s hottest day for 40 years and all the major riots in recent years in the UK (Brixton/Toxteth in 1981, Oldham in 2001, London in 2011) took place in particularly hot weather. In such circumstances insurers might be prudent to check their policy wordings to ensure these mirror the provisions of the new Act to maximise their chances of recovery.
The Act is available here and the Regulations are available here.
T +44 (0) 20 7264 8289
- Public Order Act 1986, section 1.
2. HFW publications and events
UK: HFW hosts BBQ in London office garden
On Wednesday 12 July the HFW Insurance Group hosted a BBQ in the London office. Around 200 attendees gathered in the leafy garden to enjoy food, drink, and sunshine. It was a great opportunity to relax with clients new and old and we hope our guests enjoyed themselves as much as we did!