Insurers falling short in modelling cyber and natural catastrophe risks, Bank of England warns
The UK’s insurance regulator has called on insurers to bolster their cyber and natural catastrophe risk modelling capabilities in preparation for a period of “high volatility and uncertainty”.
In a letter sent to UK insurance companies today, the Prudential Regulation Authority (PRA), which sits within the Bank of England, warned that insurers’ models are continuing to fall short, following a stress test of the sector’s resilience.
The regulator warned of “gaps” and “limitations” in insurers’ modelling of cyber and natural catastrophe risks.
In relation to natural catastrophes, the watchdog warned that insurers had failed to properly account for the rise in the value of claims, and said that while the sector was good at predicting the likelihood of natural disasters it was not as strong at predicting the cost of the damage they may cause.
Inflation has meant the costs insurers face in fulfilling claims have surged over the previous year, particularly in relation to fixing cars and rebuilding houses.
The regulator also warned insurers are underplaying the cost of “secondary perils” – mid-sized natural disasters such as storms and bushfires – that cause billions’ worth of damage each year, and account for more than 70 per cent of insurers’ natural catastrophe losses, according to a 2021 paper from Swiss Re.
The PRA called on the sector to better test its models against real world events.
The regulator also noted significant variation in insurers’ modelling of cyber risks, as it warned of uncertainty in the wording of policies.
In examining the sector’s modelling of risks around cloud computing outages, data leaks, and systemic ransomware attacks, the watchdog warned of a lack of consensus in the market around the likelihood of such events occurring.
Looking forward, the PRA called on the market to develop “greater consensus” as it warned of risks around the untested nature of cyber policies.
Ambiguities in insurance policies add complexity to risk modelling and expose insurers to greater potential for unexpected hits to their balance sheets if courts rule against them in untested disputes.
The letter follows Lloyd’s of London’s decision to block its members from providing insurance coverage for state-backed cyberattacks due to the systemic risks such hacks pose to the marketplace.