On Tuesday the PRA sent a letter to UK insurance CEOs, in which it explained its supervisory priorities for 2021.
Unsurprisingly, financial resilience remains at the top of the list. Equally it's unsurprising to see operational resilience included as a priority, given the weight which the PRA has attached to the topic in recent years. What is new is that the PRA has expressly stated that it expects insurers to place greater emphasis on managing cyber risk as part of operational continuity planning.
The PRA's focus on the issue comes at a time when governments, organisations and cybersecurity experts alike are on high alert, following the hack of leading cybersecurity firm FireEye and the subsequent theft of its red-team toolkit. The timing of that story will hopefully help the PRA get its point across.
It is incumbent on all financial services firms, but particularly firms such as insurers which hold vast quantities of sensitive data, to keep pace with cyber threats and to take cyber risk management as seriously as it deserves, as undoubtedly many already do. While the PRA's letter was addressed to the CEOs of insurers, it reflects a growing focus by the UK regulators on the risks posed by malicious cyber actors to all financial institutions. That focus is shared at a European level, with the European Commission's recently published Cybersecurity Strategy specifically stating that financial institutions must strengthen their digital operational resilience and ensure they are able to withstand all types of ICT-related disruptions and threats.
I've written before about the importance of boards understanding and engaging with cyber risk. The issue will now only grow in significance, particularly given the link to operational resilience now made plain by the PRA (and the EC). The fact that no firm can claim to be immune from the threat of cyber-attack, as brought so starkly into focus by the FireEye hack, should act as a timely reminder that managing this critical operational risk demands consistent focus and attention.