The Bank of England recently sent questionnaires to the insurers under its regulatory authority, requesting information on each company's specific plans to mitigate cyber risk, as well as on the cyber insurance it writes.
The Bank asked such questions as “How is consumer Personally Identifiable Information (PII) classified, how long is this data retained, how is it secured, if encrypted once stored then to what standard is it encrypted?” and what type of vulnerability testing insurers do.
Insurers were also asked which of the lines of business they write carry cyber exclusions on their policies, and what premiums they derive from cyber insurance. The Bank also asked for totals of first-party and third-party losses paid.
The questionnaire follows a financial stability report issued last month by the Bank of England, which found that cyber risk presents a major concern for the British economy.
“The financial system continues to face operational risk from frequent cyber attacks and awareness of this risk continues to grow,” stated the BoE. “A UK Government survey in 2015 found that 90% of large businesses across all sectors had experienced a malicious IT security breach in the previous year. These breaches can disrupt the financial sector’s operational capacity to provide critical services to the economy.”
The financial sector has made some progress, but the report details the need to do more at the company level, including adopting individual cyber resilience plans and submitting to regulatory assessment of preparedness.