Cyber Best Practice Guidance

Tony Ellwood
Senior Executive, Underwriting

Cyber is one of the most dynamic risks facing today’s insurance market. But the rapidly evolving nature of the risk means there is often a perceived lack of data or information available when it comes to underwriting this line of business. 

The relative newness of cyber as a class of business, and its changing nature, means that there is little consistency when it comes to presenting risks to underwriters. Approaches range from third-party risk assessments, to written submissions of varying levels of detail, to presentations delivered over the phone. 

The Prudential Regulation Authority (PRA), the insurance market’s regulator, also requires greater attention to detail when it comes to transferring this risk and, in their Supervisory Statement of July 2017, noted: “The PRA expects firms to be able to identify, quantify and manage cyber insurance underwriting risk. The PRA expects that all Solvency II firms that are materially exposed to these risks understand the continuously evolving cyber landscape and demonstrate a continued commitment to developing their knowledge of cyber insurance underwriting risk.”

The LMA has been finding ways to help brokers and underwriters to navigate this situation, and so we have been working for some months to produce a best practice guide for brokers. The guide is the result of a concerted effort to help share knowledge for everybody involved in underwriting cyber and is intended to help brokers - both in London and overseas - understand underwriters’ views on the most effective and efficient way to present cyber risks to the Lloyd’s market. 

In order to help brokers to produce concise but effective written submissions, the guide suggests the following themes:

  • a basic document identifying the proposer
  • a description of the proposer’s business
  • a description of the nature of the coverage sought
  • relevant exposure data 
  • information of risk controls.

A consideration of the relevant exposures should, the guide outlines, direct the submission, and the information provided should be dictated by the business model of the insured and the coverage requested. 

The guide outlines the types of information relevant here, such as roles and responsibilities, standards accreditation, threat monitoring, antivirus protection and scanning, among many other things.

A submission should include information on the proposer’s relevant loss history, insurance history and areas such as business interruption coverage that the insured may already have in place. 

The guide provides help in areas where specific coverage extensions are required, such as outsourced provider business interruption and system failure business interruption.

The guide aims to provide brokers with a template for the preferred format for a written cyber risk presentation. While in-person meetings are almost always welcome and useful, we do not believe they can replace the need for a fair and professional presentation of the risk.