Out-Law News
14 Jan 2025, 11:54 am
New policy to guide how insurers and other financial services firms manage technology and cyber risks will be developed by UK regulators later this year, according to the Prudential Regulation Authority (PRA).
The news was contained in a ‘Dear CEO’ letter issued by the PRA last week in which it listed insurers’ cybersecurity as a priority area for its supervisory focus in 2025. It described firms’ ability to detect, respond to and recover from cyber attacks as “a cornerstone” of the financial system’s overall resilience.
“To further enhance the sector’s cyber resilience capabilities, the PRA intends to start consulting with the FCA (Financial Conduct Authority) in the second half of 2025 on policy relating to the management of Information and Communication Technology (ICT) and cyber risks,” the PRA said in its letter.
The way in which insurers manage technology and cyber risk is subject to increasing regulation, with the PRA, FCA and Bank of England having set operational resilience requirements across UK financial services in 2021. The rules began to take effect on 31 March 2022, but the regulators gave firms a hard deadline of 31 March 2025 to achieve full compliance. The PRA’s latest letter set out what it expects of insurers by this deadline.
“By March 2025 firms must be able to show they can remain within impact tolerances for all their important business services throughout severe but plausible disruptions,” the PRA said. “We expect firms to have made significant progress already to strengthen their response and recovery capabilities to address cyber threats, remediate vulnerabilities exposed by legacy infrastructure and develop contingency procedures when material third party services are disrupted. Operational resilience should be a key point of consideration for boards and executives when planning major change programmes, making strategic business decisions, or engaging in new third, or in some cases fourth-party relationships.”
“New investments in IT infrastructure, software applications and third-party arrangements should be resilient by design. Learning from the operational incidents faced by firms and their third parties, we expect firms to maintain robust oversight of their major outsourcing and third-party risk management providers, including intra-group operational arrangements where relevant. Firms should also be mindful of the financial health of their suppliers and their data security,” it added.
Last autumn, the FCA outlined lessons financial services firms can learn on operational resilience from the CrowdStrike outage of July 2024, in which a faulty update to CrowdStrike’s Falcon security software crashed Windows systems worldwide, grounding flights and disrupting other important services, including NHS services in the UK. Although the outage was a software failure rather than a cyber attack, it had the kind of widespread, third-party-driven impact on important business services that the operational resilience rules are designed to address.
Cyber risk expert Ellie Ludlam of Pinsent Masons said: “In March 2021, the PRA gave firms four years to fully implement its supervisory statement on operational resilience, which requires them to have a prioritised plan setting out how they will comply with the requirement to remain within their impact tolerances. With March 2025 fast approaching, it remains critical for firms to understand that cyber threats are a major source of vulnerability for important business services.”
“The FCA has already published commentary on lessons which can be learned from the CrowdStrike incident from an operational resilience perspective and firms should familiarise themselves with the FCA’s expectations, as well as the results of the PRA’s cyber stress test which are going to be published later this year,” she said.
Other insurance supervision priority areas for 2025 were outlined in the PRA’s letter. They include funded reinsurance, with both the PRA and the Bank of England’s Financial Policy Committee having expressed concern about how the growth in funded reinsurance transactions could pose systemic risks if it is not “properly controlled”.
“For example, firms’ current internal investment limits for aggregate exposures appear insufficient to prevent a build-up of systemic risk in view of current activity trends,” the PRA said. “Firms’ single name exposure limits also do not currently appear to align with our expectation that single counterparty exposures should not threaten firms’ ability to meet their solvency risk appetite upon recapture.”
“We expect relevant firms to make rapid progress in addressing gaps identified against our expectations, and this will be a priority for our supervisory engagement this year. A funded reinsurance recapture scenario will also be included in the 2025 life insurance stress test,” it said.
Insurance regulation expert Chris Riach of Pinsent Masons said: “The PRA has targeted funded reinsurance as an area of concern in view of the increasing size of the bulk purchase annuity (BPA) market. Its inclusion in its 2025 priorities list should be a wake-up call for firms which identified gaps in their self-assessments last year. There is the threat of further use of PRA powers if firms are not seen to be implementing appropriate risk management practices.”
On the BPA market specifically, the PRA said it will look to ensure firms do not drop risk management standards and lose pricing discipline because of the high levels of competition for BPA business.
Another PRA priority is ensuring the Solvency II review reforms are embedded and implemented. In this respect, it has set up a new ‘matching adjustment’ (MA) permissions team to “assess MA applications more quickly”. In 2025, the PRA also intends to explore other steps that might help support insurers to take full advantage of the reforms, including working with the National Wealth Fund and developing a new MA Investment Accelerator, it said.
“The Solvency UK regime is a key part of the PRA’s strategy to promote growth, by presenting a more competitive landscape when compared with the EU,” Riach said. “There is a natural tension between the PRA’s objective of promoting safety and soundness of firms and the pursuit of growth – 2025 will be an important and clarifying year in terms of demonstrating how the PRA manages this in its activities.”
In relation to the general insurance market, the PRA has warned insurers to “remain vigilant to potential changes in pricing conditions”. It has cited natural catastrophe and cyber underwriting risks as among its continuing priority areas for supervision.
“Insurers should remain focused on the adequacy of reserving standards and maintaining underwriting discipline in 2025 given these and other ongoing uncertainties,” the regulator said, adding that it believes some insurers are being too optimistic in the assumptions they make over future profitability.
“We will continue to focus on this issue and firms should be able to provide justification for their assumptions, particularly where future assumptions differ from prior experience,” the PRA said.
The regulator has decided to postpone its previously announced dynamic general insurance stress test, both to reduce the burden on general insurers in 2025 as they prepare to report on the new Solvency UK regulatory returns and to allow more efficient use of PRA resources.
“The PRA’s decision to postpone the general insurance stress test is welcome news for insurers with both life and general insurance businesses,” insurance regulation expert Daniela Ivanova of Pinsent Masons said. “It also gives general insurers additional time to align with the PRA’s expectations around reserving standards. The PRA will expect firms to show that they have learnt from the impact of inflation on the cost of claims over the past couple of years and factored this into business forecasts and capital models.”
In 2025, the PRA also intends to consult on an update to its 2019 supervisory statement regarding the management of climate-related financial risks.