Cyber: better to cry wolf than do nothing and get eaten

The trouble with regulation is that its three main pillars – conduct, prudence and competition – are in a rock, paper, scissors relationship with each other.

Let me explain.

Good conduct means being competitive and vice versa, but being too competitive or too kind to your customers is not prudent because you may lose money and become unable to pay them in their hour of need.

However, being ultra-competitive can make insurers scrimp on the quality of their product. Selling a bad product that doesn’t cover much may be the prudent thing to do if it is cheap, but it is not good conduct as it will mislead and disappoint your customers.

Meanwhile, being prudent means not being too generous to your customers, but that is clearly neither the most competitive nor the best conduct.

After the global financial crisis the UK formalised this inherent conflict by splitting prudential and conduct regulation into two entities. Competition joined with conduct.

Happily for global consumers of insurance, we have a very healthy market and competition is incredibly strong.

Take the fast-maturing cyber class. Recent competition has been so intense that premium growth has begun to tail off. At the same time, underwriters are giving wider and wider terms and conditions.

This behaviour is clearly less prudent than it was.

At the same time, prudential regulation has woken up to the threat of cyber aggregation, which has the potential to cause a vast clash loss across the industry and rock it to its core.

Since everything is connected via the worldwide web, all insurance classes could be affected by a single event with a cyber proximate cause.

As cyber is so rarely excluded from classes of insurance it may, by implication, be judged to be included. The case will be particularly strong in classes that use “all-risks of physical loss or damage”-style terminology.

The problem is that, given a heightened state of competition, individual market actors are unable to take a stand. Underwriters know that if they insist on excluding cyber where it is not intentionally being covered they could lose all their business flows.

This is the silent or non-affirmative cyber conundrum and precisely why the UK Prudential Regulation Authority’s (PRA) lead on silent cyber is to be lauded.

Only a strong prudential regulator can stand up and force insurers to do something anti-competitive for the long-term good of the market.

Its actions are now filtering through and surfaced last week in Lloyd’s where, over time, cyber will either become a named exclusion or a specifically named covered peril.

Make no mistake, this is a very bold piece of action that will affect the UK market’s competitive position in global insurance, perhaps seriously in the short term.

Business that is intent on maintaining its silence on the cyber issue will move elsewhere.

But that is the point.

The PRA has made a call – it is saying good riddance to muddled and messy business that has the potential to bankrupt an entire sector. Not on its watch will insurers compete themselves into another near-death experience.

In our business we usually wait for things to go badly wrong before doing anything about them.

The PRA is embarking on a bold experiment in genuinely prudential regulation. It is doing what it was designed to do and trying to prevent a disaster.

The problem is that a mega cyber disaster, while probable, may take decades to materialise.

However, it is better to run indoors, bolt the door and look like you are crying wolf than to wait around in the forest and eventually get eaten.

We know enough about cyber to understand that it is a wolf and it has deadly teeth.

It is not a theoretical emerging threat like Y2K, electromagnetic fields, nanotechnology or plastic contamination – it has already emerged and has already caused billions in tangible and insurable losses. It can cause both physical and non-physical damage, as well as pure financial loss. It is as P&C as any peril can be.

In time, other global regulators may follow the PRA’s lead. Until they do, the UK’s move is brave because of the risk of flight of significant premium volumes to other jurisdictions.

However, it is absolutely the right thing to do and deserves all our support.