The Financial Conduct Authority (FCA) has raised concerns over “uncertain” cyber insurance policy wordings that it has said may not be meeting customer needs.
In a letter to wholesale insurance CEOs, which set out priorities across a range of areas, FCA director of insurance supervision, policy & competition – consumers & competition Matt Brewis pledged that the regulator will continue to monitor the cyber insurance landscape and will “take action” against any firms it deems to be outliers.
Global cyber insurance direct written premium stood at $16.7 billion (£13.5 billion) in 2022, and this figure is expected to grow to $33.4 billion by 2027, according to GlobalData figures cited by the regulator.
“It is a critical risk management and crisis recovery tool for many businesses, big and small,” Brewis said. “With cyberattacks on the rise, we are concerned that uncertain cyber policy wordings may result in firms not meeting their customers’ needs.”
To prevent “misalignment” between customers’ expectations and policy outcomes, it will be critical that firms can prove that products meet the needs of customers and provide value, the regulator said.
“Firms offering cyber insurance must make sure their policy wordings are clear and that customers understand the coverage they are buying,” Brewis said. “We also expect firms to manage cyber claims handling in a fair and timely way.”
The FCA insurance director encouraged market participants to continue to build on their cyber knowledge, including at board and “second/third line of defence” level to better understand the risks and apply appropriate product oversight.
Cyber insurance wordings have come under scrutiny in recent years, with Lloyd’s of London having last year called on its market participants to tighten wordings around cyber warfare and catastrophic nation state attacks.
The mandate led to a flurry of negative headlines last year, in what has been described by CFC CEO Graeme Newman as a “frantic panic”. However, some cyber underwriters have insisted that the change is intended to prevent payouts in the case of a “digital equivalent of a nuclear strike”, rather than to end cover for all attacks with a nation state element.
Lloyd’s syndicates have been required to provide explicit clarity on whether a policy includes cyber cover since 2020, as the insurance industry looked to tackle the risk of ‘silent’ cyber payouts in the wake of 2017’s NotPetya and WannaCry global ransomware incidents.