National Resilience Committee
Uncorrected oral evidence
Thursday 18 June 2026
10.55 am
Members present: Baroness Coussins (The Chair); Lord Farmer; Baroness Helic; Baroness Hunter of Auchenreoch; Lord Marland; Baroness Mobarik; Baroness Northover; Lord Oates; Lord Peach; Lord Spellar; Baroness Winterton of Doncaster.
Evidence Session No. 13 Heard in Public Questions 125 - 138
Witnesses
Professor Nicola Ranger, Professor in Practice of Natural Capital, London School of Economics; Jonathan Gray, Chief Underwriting Officer, Pool Re.
USE OF THE TRANSCRIPT
15
Professor Nicola Ranger and Jonathan Gray.
Q125 The Chair: Good morning. Thank you both very much for coming. I should remind you that this is a public session being broadcast live. In a couple of days you will receive a transcript of the session, so if there are any minor corrections you need to make, please free to do so at that point. Also, if you forget something that you should have said, we would be very happy to receive supplementary evidence in writing if that is important. We have a number of questions between us to give to you both. At the beginning of your first answer, if you could briefly introduce yourselves for the record, that would be very helpful too.
I will kick off and ask both of you to set the scene generally and tell us how the private sector has been affected by the risk environment and the impact that this has had on, for example, increased prices and financial instability. Could you comment on some of the evidence that we have heard that, because resilience is now being taken more seriously across the private sector, it is no longer being seen as a nice to have as a business model, but is increasingly seen as an operational necessity? To what extent do you agree that that is happening and is it happening quickly enough and in the right way? I will start with Professor Ranger.
Professor Nicola Ranger: Thank you very much and good morning, everyone. I am professor in practice at the London School of Economics and I specialise in issues around resilience, particularly for climate, extreme weather and environmental degradation. I work extensively with financial institutions and central banks and others around the world. I will answer your question specifically from a climate and environmental perspective, which is my area of expertise.
The environment is changing much more rapidly than anyone expected. I started my career as a scientist working in Treasury on the Stern review on the economics of climate change. When I look back to what we were predicting then, 20 years ago, versus now, things have changed much more rapidly. We have already seen, for example, some of the worst harvests on record in previous years in the UK. We have seen very significant changes in our environment, soil quality, water quality and water availability. The recent climate change risk assessment, the fourth version that was issued last month, shows that within the next few decades water demand will exceed water supplies. It was not something that we really worried about so much in the UK in the past, but increasing flood risk and increasing risks of drought are very clear in the CCRA.
There are many, many changes and we are seeing a compounding of different risks that the private sector is facing. We are not just seeing changes in extreme weather and in the environment but that is then compounding with other shocks that around the world—for example, the Strait of Hormuz crisis impacting on global supply chains and energy costs. All these things are coming together and we see that firms are struggling with this. Many firms can deal with a single hazard, but they are not used to seeing them all happening at the same time.
I agree with your statement that resilience is no longer seen as a nice to have. I think that resilience was always seen as essential but there is certainly a recognition that just relying on the past is no longer a good guide to your current level of risks, and you need to think much more about using the science and data to understand those risks and not just at an operational resilience perspective. It is not just about business continuity but particularly looking at supply chains, how insurance prices will change, for example, and prices of inputs. Even in the last two years, there has been a very significant uptick in firms’ awareness of these issues.
I have been part of the Bank of England’s Climate Financial Risk Forum for about four years now. It is a forum that the Bank of England established to support firms to prepare for climate risks. In the last couple of years, an adaptation working group has been established and it is one of the most well-attended working groups. There are 40 financial institutions that are part of that group, actively engaging every couple of weeks in looking at these issues, so there is a really significant uptick.
While there is an increase in awareness, we are hearing from firms that they are struggling with understanding the risks and how to respond to those. They are struggling with knowing what is coming and having the regulatory guidance on how to respond to that. They are also struggling with turning the understanding of risks into changes in business practices—for example, increased investment in adaptation.
Jonathan Gray: Thank you very much. I will just introduce myself: I am an insurance underwriter by background. I have done that for more than 35 years, for the past 27 of which I have been a reinsurer—an insurer of insurance companies. My background is mainly in catastrophic risks, natural perils like earthquakes, windstorms, hurricanes, but in addition to that manmade risks like terrorism and conflagration that come through. Mostly insurance companies, but also a mixture of state and private and public partnerships, exist around the world to address these issues. My focus has generally been on property, but I have overseen teams that write aviation business, marine, energy, agriculture, trade, credit and also mortgage. I joined Pool Re, which we may get on to at some point during the course of this morning, three and a half years ago.
Being an insurer by nature, risk is something that I have spent a lot of time thinking about and my colleagues in the industry certainly do too. It is what we deal in, what we are used to and what we are trained to assess, price and try to handle. Forgive me if this sounds rather obvious but riskier times lead to an increased volatility in the price of that risk and the level of appetite that insurance and reinsurance companies have to engage in that risk. This has implications for affordability, and I suspect we will come on to SMEs during the course of this session.
It is ultimately in the interests of the UK economy that we have a stable insurance sector that is well regulated, well protected and does not take on undue risk. That is where the intersection between what the private sector can deliver and what it can do in association with government becomes extremely interesting.
Turning to your specific question about what our customers need, I agree there is a heightened interest in protection, a need to be protected against the ever-increasing and complex risks out there and the aggregation of those risks as they come together. We clearly have excellent new legislation coming through with Martyn’s law, which is not yet delivered but will help on the terrorism side of things and the protection of it.
A final point on SMEs—I think they understand all about the risks that are out there. I think the challenge that they face is that they have so much to do and not very much time to dedicate to addressing some of it. From a financial point of view, do they have the bandwidth to process what they need to do to make themselves safe?
Q126 Lord Peach: You both talked about risks beyond the climate emergency and, to both of you but particularly Mr Gray, how do you specifically fit hybrid attacks into your risk thinking? I do not think we have to have a long debate as to whether they are happening. The evidence has been presented; whether it is cutting through to the public is a question, but the evidence of hybrid attacks, whether to the UK or more widely, is there. How do we therefore widen the aperture even more around risk and what we do about it?
Jonathan Gray: I agree that we are certainly in a landscape of seeing more hybrid attacks. We are a terrorism pool and, by nature, terrorists generally do not go for unattribution. They are very keen on either claiming responsibility or having a finger pointed at them, so that they can claim that and the publicity that they crave, but there is no doubt that we are starting to see a definite blurring. We have spent some time at Pool Re working with our colleagues at Treasury to try to define where terrorism ends and where state involvement begins. I think we have done a good job at reaching a landing on that.
But we look at the evidence in front of us—in the other place, yesterday, there were some conversations about security and the security Bill that is going through there—and the number of incidents that have taken place that very clearly belong in this murky and grey world. We are here as insurers to try to provide as comprehensive cover as we possibly can. One of the challenges that we have is where terrorism ends, where malicious damage ends and where state involvement begins.
Q127 Lord Oates: My question is principally addressed to Professor Ranger. I was interested in what you said about how the financial sector reflects climate risk. Do you think that the capital adequacy requirements at the moment accurately assess climate risk and price risk accordingly? Secondly, do you think that some of the principles of the capital requirement regulation could be applied more generally to resilience—for example, in terms of a supply adequacy requirement, in which businesses would be required to hold supplies against particular risks at particular levels?
The Chair: Let us hear from Lady Winterton first in case it all ties in together.
Q128 Baroness Winterton of Doncaster: My question is for Jonathan Gray. As I understand it, Pool Re was set up in response to IRA terrorism, so you are about bombs and buildings, but you are saying that, as we know, the threat has widened and therefore there is a need because of cyber attacks, hostile state activity and so on. Yet, at the moment, you have a quite tight definition of what you are covering. You said you had had discussions with the Treasury about widening this definition and you feel that you are making some progress, or is there still some resistance in the Treasury approach?
The Chair: Perhaps you could deal with one or both of those questions. Who wants to go first?
Professor Nicola Ranger: There are a number of views on capital adequacy requirements. My own view is that the framework is sound, but how it is being applied could be looked at. We hear from firms that, while they are at the early stages of beginning to assess physical climate risks, for example, they are not necessarily feeding directly into the way that they are calculating capital at the moment, because it is too early and there are a lot of uncertainties around physical climate risk. There are risks inherent in that: if the capital requirements on firms do not reflect the risks that they are exposed to, there is an exposure in the financial system that is not being properly addressed. There is a gap there between the regulatory framework and how it is being applied.
We hear from firms that the guidance being provided by supervisors at the moment is not adequate to do that. The guidance is written in a way that allows them to have scope in how they interpret it. There is merit to that, because different firms are very different so there needs to be some scope. However, what we hear and have seen—for example, in CBES, the climate stress test that the Bank of England ran a couple of years ago—is that there is so much openness that there is not enough guidance on what they should be doing. What we hear from some is that they would like to see more specifics, so exactly what types of physical risk they should be thinking about, because there is no guidance now on whether they should just be looking at floods or supply chain risks and that lack of guidance prevents them from acting. That is one thing that we hear from firms. From my own view, it is not the framework; it is the guidance that is being provided on how to implement it in practice.
On your point about supply adequacy, one thing that we have heard from firms is that, under current capital adequacy requirements, they cannot be rewarded for investments they are making in resilience in general, whether on the supplier side or, for example, if they are investing in more resilient infrastructure. An investment in a more resilient road or bridge would not be treated differently than if it is not resilient to climate, because of the way that it is worded. One of the things that we hear from some financial institutions is an ask to regulators to allow them to reflect the resilience of their investments in how they are looking at calculating capital.
The Chair: Are you going to deal with the Treasury point?
Jonathan Gray: Yes, and I wondered if I might just say a few words about Pool Re, for those who have heard of Pool Re but are not that familiar with it.
We are a public/private partnership. We are an industry-owned mutual. We have 114 UK-domiciled insurance companies that effectively own Pool Re, but we are also backed by an unlimited loan facility from HMT. As was pointed out, we were set up in the aftermath of a shift in tactics by the IRA in 1992. Some of you will remember where you were on that particular day, because it was the day after the general election in 1992 when a very large bomb went off in the City of London. Ultimately, that led to a failure in the reinsurance market because never before had we seen losses come together at that level. Reinsurers withdrew their support for terrorism as a peril within the property policies. Insurers in turn said, “We are not prepared to offer terrorism to people who own buildings” and quite quickly, as you can see, that became a very big political issue. Banks got involved as well, because they were loaning literally millions of pounds to people who were at risk of ruin.
Pool Re was set up in late 1992. Before we were even incorporated the IRA returned in April of 1993, and the £100 million that the members were going to share among themselves as their excess point was completely exhausted and the Treasury were already £140 million down the drain. The point of developing a pool was obviously needed, and the way that the system worked for the next 33 years, or has worked thereafter, is essentially that members pay premiums for risks.
The whole premise of the scheme was that affordable, available terrorism cover would be there for anyone who had a UK commercial property policy. It has been a tremendous success. The Government or taxpayers have gone from being minus £140 million to £13.2 billion away from loss today. Since 2015 when our financial arrangements with the Treasury changed, we have paid more than £2.4 billion into HMG and, in the last year alone, £250 million. Essentially the Government worked with the industry and have done a tremendous job of monetising the risk that was out there and the risk you could always argue was going to end up on their plate at the end of the day. Understandably, we are keen to get that on the record, Chair.
To answer the question, yes, of course the risk has changed. That does not mean that we expect spectacular bombs and events not to happen. I am sure there are many terrorist groups out there who would love to be able to do that. The security services work extremely hard to make that very difficult to happen, hence the low-sophistication nature of terrorism that we see. Pool Re recently declared for the first time, or Treasury certified for the first time, a loss under the Pool Re scheme—only a month ago, with the firebombing of the synagogue in north London. So it is still happening, but that gives you an indication that it is very much low level.
We have adapted over time and changed our product. In particular, we have created something called non-damage business interruption, in light of the London Bridge attacks, where a number of traders in Borough Market did not suffer any physical damage but could not get on to their site and could not trade. Consequently, lots of SMEs were involved and there were significant problems there.
The Treasury has been very helpful. The point I made previously was that it was extremely helpful in the conversations that we have had around the definition of terrorism. At this point in time, the Treasury position as I understand is fairly clear: it is not looking to expand the risk and remit of Pool Re. Cyber Re, which has been mooted a lot in various circles, is not, for example, on the list of things that it is looking to add to what we are doing. At the end of the day, we are also a member mutual, so any changes to our business model would have to be discussed with our members as well.
The Chair: Thank you. I think we need to make some progress down our list of questions. I turn to Lady Hunter for the next one.
Q129 Baroness Hunter of Auchenreoch: Thank you very much for coming. I am going to ask about SMEs. We have heard evidence from the CBI, Business in the Community and various others regarding the lack of preparedness among SMEs and the lack of guidance for them. We heard that there are 69 acute risks on the national risk register and, while larger organisations can deal with those risks, obviously smaller ones cannot. How can SMEs meet the same standards of preparedness and resilience as the larger businesses, particularly ones that are involved in the critical supply chain?
Professor Nicola Ranger: It is an extremely important point. As I said in my first comments, even the larger firms are struggling and smaller firms are really struggling, and for good reason. These are very complex risks and must be managed against other concerns and limited capacity of small firms. I think it is worth noting that, from a criticality perspective, a small firm can be as critical for UK resilience as a large firm, depending on where it is in the system. The analysis that has been done on this has particularly identified smaller firms being very important.
Baroness Hunter of Auchenreoch: What sort of firms are they?
Professor Nicola Ranger: Let us take food supply chains or mineral supply chains. We find that, often, we do not see these shocks coming until they appear. A few years ago, you might recall when we could not get salads in supermarkets because we found that the helium to pack them was not available—it was not something that was even realised—as it was all coming from a small firm in Europe. We do not have a system at the moment to identify where the critical firms are. That is now coming in the cyber risk side and digital. In the financial sector, there is a requirement around this in particular but, in areas such as food and other types of critical materials going into our manufacturing base, it does not exist.
My expertise is on more physical risks to them but I recall, a decade ago, there was a lot of effort in government to support firms to address these risks. That does not exist anymore. There have been significant funding cuts to providing information to firms on, for example, weather-related shocks and others. There is potentially even a reduction in awareness and resilience over time and we hope to see it increasing.
Jonathan Gray: Our own experience of dealing with SMEs is relatively instructive. We have found that awareness campaigns and modest price reductions really do not make much of a difference, if I am honest. At the moment, we are in a situation where about 5% of SMEs that currently buy commercial property insurance have terrorism cover, so 19 out of 20 are not protected at this point in time. Even the best advertising campaign is still not going to be material.
We have tried to approach it from the other end of the telescope, in a sense. Instead of trying to drum up demand from SMEs, we are thinking about how we can get the large companies that supply them to do the right thing. In my case, it is about making sure that terrorism is a standard peril within an SME policy, so that SMEs are not wondering whether they have cover or not. I wonder whether there are lessons there that could be taken more widely into other sectors and industries, about the larger companies that are either supplying or using the goods and supplies of smaller companies, and whether they could be used if approached from that point of view. The leverage that an SME has over them is very small, but is there something that we could do centrally to encourage that behaviour?
Q130 Lord Spellar: How do the Government and/or the insurance industry get the primes or even the tier 1 and tier 2 suppliers to understand how dependent they are? Over a decade ago one plant that produced a small auto component in Thailand—a sole supplier—was flooded and the world’s car industry steadily ground to a halt. The question is how you price that in. Is it the case of the primes plus Government, but particularly the primes, looking much more closely at their supply chain? Covid showed the defence industry that they had very little visibility of their supply chain and indeed their vulnerability. How do we overcome that and how do you as an insurance company price that in?
Jonathan Gray: Yes, contingent liabilities such as that become very difficult to price. I go back to my earlier comment on people’s level of attraction for offering much cover, if any. Often they will offer a sub-limited amount of money, which is challenging. I well remember the Thailand example that you talk about. I am thinking about the SMEs that are located here in the UK, and 99% of our businesses fall into that category. I believe that there is more that the insurance industry can do, but other industries could also be encouraged to think more carefully about how they can support small businesses and how they can construct insurance policies, in our case, that help not only the company that is buying it but the supply chain that sits behind it. Obviously Jaguar Land Rover is a good example of that.
Lord Spellar: Is that not also about encouraging those companies to diversify their supply, so that they do not have single points of failure within the system? Ultimately, you would then have an argument with them about who is responsible.
Jonathan Gray: Yes, and if they were able to demonstrate that I am sure my fellow insurers and underwriters would respond accordingly with price.
Professor Nicola Ranger: May I add a small example that arose in meetings that we had over the last days? Locally, there is a lot of innovation happening. For example, there is an initiative called LENs which is about supporting small-scale suppliers in the food sector in the UK. It is operating in several parts of the UK at the moment and bringing together more at a water-basin level and looking at what the resilience is at that level—so a city or a water basin—and bringing together small firms with big agri food companies and big water utilities. Structures have been set up that create incentives and transactions—payments—to smaller firms to support them to build their resilience as a way of supporting the resilience of the whole area. Top-down government action is needed but how can we support bottom-up action as well, support these great innovations that are happening, learn from those and look at how we can scale those?
The Chair: Before we move on from SMEs, there are a couple more brief follow-up questions. Let us hear both first and, again, you can answer both together—Lady Mobarik and Lord Farmer.
Q131 Baroness Mobarik: I think you have already touched on this, but what practical steps should the Government and industry take to reduce the barriers preventing SMEs from investing in resilience? There are issues around cost and expertise, insurance coverage and all of that, but what regulatory requirements could be put in place in terms of data protection and all of that? You mentioned Marks & Spencer and Jaguar Land Rover; maybe that kind of disruption applies to SMEs as well. So what more could the Government and industry do?
Q132 Lord Farmer: This builds on that, but from a completely different angle, having been in the City working with a risk-reward ratio. Particularly for SMEs and companies like that, part of being a capitalist is working out how much risk you want to take on yourself, rather than it being loaded—if you like—by the Government. It is a market; you are a market. Insurance, Lloyd’s, is a big market making a lot of money. I think of medical insurance whereby sometimes the cost of the insurance is far greater than the cost if I did it privately, so I have been advised by doctors, “Don’t do the insurance. Just do that” so it is a market.
Is it right for Government and the state almost to make laws to have companies protecting themselves against terrorism? “Is my factory in Maidenhead about to be bombed? No, I don’t think I will pay insurance for that and, if it does, I will have to build it myself”. I am chucking that at you from the other angle as to why should people do it.
The Chair: It is a bit of a tall order to ask you to be brief in your reply to both of those questions, but do your best, please.
Jonathan Gray: I will start on that one. Broadly speaking, I agree with you and Pool Re has never been set up to mandate that people buy terrorism cover. We are not, and I am certainly not, suggesting here that we need to make people and the Government ought to intervene in the marketplace. One thing, and you will probably be familiar with this, is that human nature, of course, particularly when you are running an SME, tends to be optimistic; “These things are never going to happen”. You live in Maidenhead and I live near Huntingdon. Terrorist incidents never happen in Huntingdon—until outrages happen in Huntingdon. We generally downplay the likelihood of something happening, but the impact, when it does happen, becomes massive, which is why for the SMEs we were suggesting to cut the price and make it as easy as possible. Do not try to get them to engage with the market and do not compel them to do it, but use the might of the insurance companies that are much larger to enable that.
Professor Nicola Ranger: I will try to make some brief points, first, on industry. What we see again is the financial sector doing a lot in this space. Banks such as Barclays, Lloyds and NatWest are doing a lot to engage with their clients, including SMEs, on these issues and they are very keen to support clients in building their resilience. There is a lot happening there. What we hear though from corporates and financial institutions is that they are not getting enough guidance from government and, in particular, there are very limited resilience standards. So they now apply to infrastructure but, beyond that, there is not a sense of what good looks like in this space. Having clear guidance from government is something we hear being explicitly referenced; that could be guidance or in regulatory standards.
Regulatory standards are particularly useful. We see that in evidence, for example, in the water sector, where that has mobilised a lot of investment into resilience. The role of insurance is key. A sister to Pool Re would be Flood Re, which has been extremely helpful in providing insurance to households that otherwise would not be able to get insurance, but it covers only a certain number of properties and does not cover SMEs. In a growing risk environment, the Government must look at how to work more with the insurance industry to maintain insurability. The Bank of England has identified this as a significant risk around the withdrawal of insurance, and it has a knock-on effect for whole-economy financial stability if insurance is withdrawn. There is a need for action there.
Another thing that we hear from the Government is about how to support firms. For example, we have a National Wealth Fund that is investing a lot in mitigation-related investments. It is not doing anything on adaptation. Why do we not have some sort of equivalent support facilities to support our firms to adapt to climate change? There are a number of gaps. If you look at the architecture that supports firms, there are a number of ways that they are falling through at the moment.
A final point is around our civil contingencies and critical national infrastructure and this area. It covers particular types of firms quite well, but anything related to the food sector, critical minerals, anything beyond the security, cyber and finance is very poorly covered now in terms of guidance to firms. We should be looking again at the architecture that protects the UK economy, at which firms are falling through and how to fill those gaps. That is essential.
The Chair: Thank you. You mentioned cyber and that links into Lord Oates’ next question.
Q133 Lord Oates: I think this is primarily for Jonathan Gray. How do you think the insurance sector can help embed national resilience across the whole of society, including by improving organisations’ cyber security?
Jonathan Gray: That is a very good question. Thank you very much for that. As we have already touched on, the cyber element has certainly been growing in people’s understanding and knowledge in the past few years. The private insurance market decided to break cyber out and, in essence, created a new product line called cyber. That was quite right. The accumulations that were possible were too large to be managed under a normal property policy, and that is why it went down that route. We should all be proud of the fact that the London market is recognised as a global centre of excellence and innovation in the cyber space, and I am very proud of the London insurance market from that point of view.
Our challenge is that, quite rightly, because they are operating in a regulated space, there are two very large exclusions that sit in the cyber policies that are bought. Obviously lots of people are not even buying a cyber policy, because they do not understand it, it is not marketed very well and brokers are not very keen to sell things that they do not fully understand. We are essentially excluding cyber warfare and damage to critical national infrastructure.
If I go back to the points I made about SME policies, previously when you were an SME and you had a loss you picked up the telephone to your insurance company and expected to be paid. You did not expect to have a long conversation about, “Well, you didn’t buy this and you didn’t not buy that” and thereafter. At the moment, cyber warfare and critical national infrastructure will not be paid out, under any policy, for anybody of any size. Very, very small amounts are available.
There is a real challenge for which our sector is looking to partner with the Government because, if you think about it, there are systemic issues that are simply too big for an industry with a finite capital base to engage with. The ABI has given you a written response to your call for evidence and has made some good points about the work that has been done on that, and I would echo that in the sense that the real issues out there cannot be solved by the insurance industry alone; it requires a joint effort that we need to work on together.
Baroness Winterton of Doncaster: Going back to what you were saying earlier about your remit in Pool Re and whether it should be expanded, do you think there should be a separate organisation set up to provide reinsurance for resilience or should that be incorporated into the existing structures by making them more flexible?
Jonathan Gray: The insurance industry can be a highly effective partner with government in solving some of these really difficult risks that are hard to insure. We have heard both Pool Re and Flood Re mentioned here: two good examples, two different risks and two different approaches to solving that risk at this point in time. I think those public/private partnerships do not need to be temporary; they could become a permanent feature of the risk management landscape that we have, provided that they are well designed and dynamic. The important point is that it should be crowding in the private market, not replacing the private market. Both Pool Re and Flood Re have given good examples: that £13.2 billion I have told you about is private money that has been crowded in to solving that risk.
How that is done and in what shape or form that looks like I think is for others to decide. You heard from an earlier witness giving evidence, Baroness Batters, about co-ordination across government. I think that will be a challenge if you want to set up, in effect, multiple reinsurance companies dotted around Whitehall, in making sure that they are all working together and then asking the obvious question of why they are replicating management structures, systems and all the rest of it. It is a very good question to pose and certainly one that should be carried forward.
Q134 Lord Oates: As you are probably aware, the House of Lords Risk Assessment and Risk Planning Committee in 2021 recommended that the Government should work with the UK insurance industry more closely on risks that are too large for the private sector to address alone. Can you tell us whether that recommendation has had any impact? Have the Government stepped up their work with UK insurance on that?
Perhaps while you are answering that, as I was interested in what you said about how cyber warfare is excluded from cyber policies, and given that most state actors involved in cyber warfare presumably deny that they are involved, how do you determine what cyber warfare is? Is there a danger that it just renders all policies null and void?
Jonathan Gray: Attribution is a very difficult point and there is some really good work being done, at a national and industry level, in trying to work out how we can speed up working out attribution for losses and whether things are or are not covered. I am sorry for painting a bit of a bleak picture in that respect, but I do so deliberately, in that I do not want anyone to be under any illusion: if there is a co-ordinated cyber warfare attack on the UK, most UK insurance policies for cyber will not respond. That challenge needs to be looked at.
I was aware of the work that you did in 2021 and read through it. It is very sensible, and adds a strong golden thread of continuity to the conversation that we are having here today. There is a lot of collaboration going on between industry representatives and the Treasury, and there is a lot of work and discussion taking place, but it would be difficult to point to concrete evidence that we have definitely moved forward in the way that your committee recommended back in 2021, on this point.
Q135 Baroness Northover: Coming on to the financial sector—this is largely for Professor Ranger although Mr Gray may want to comment—we want to know what good practice on preparedness and resilience the financial sector has adopted and how this might be applied to other industries. I want to add a whole other side: what is missing in the financial sector? What does it need to do now? I would like to flag the Financial Services and Markets Bill, which is going through the Lords at the moment, where the emphasis is on growth and the removal of regulation from primary legislation, so that the 2023 provisions on climate change and therefore climate risk are removed from primary legislation and moved to the regulators’ strategies. Do you see risks in this, given what you said about the need for clarity and to move these things forward, when you remove these things from the stick, as it were, of primary legislation?
Professor Nicola Ranger: Perhaps I will answer the first part first and briefly go through some of the key elements of financial sector preparedness from which I think other sectors can learn. A number of those practices were particularly strengthened after the 2008 financial crisis. One is various requirements around stress testing and scenario analysis. All financial institutions in the UK, particularly banks, are required to conduct regular stress testing and scenario analysis against any material financial risks. Given that the evidence is very clear that both climate and environment-related represent material financial risks that should be in there, and there are very clear supervisory expectations on firms particularly around climate-related risks that were updated last year. So there is a clear expectation set by the Bank of England on firms to conduct analysis of particularly climate-related risks. There is not, as I mentioned before, a lot of clarity within that on what timescale and types of scenarios they should look at, so that is creating a challenge.
Some of the other key areas of practice are particularly for what are called systemically important financial institutions—national ones, but particularly global institutions. For example, global systemically important banks are the too-big-to-fail banks, which in the UK are HSBC, Standard Chartered and Barclays; they have additional requirements set by them which are co-ordinated globally. The additional requirements are to hold additional capital to reflect the fact that, basically, if something happened to that bank, it would have wider contagion effects on the whole economy and potentially the global financial system. They are subject to additional requirements around scenario analysis and capital adequacy allocations.
There are also requirements around disclosures of which you will be aware. Financial institutions above a certain size, as well as all corporates above a certain size, are required to disclose information on the climate-related risks that they face. That level of practice is certainly variable across different types of corporates. It is still relatively new, as I mentioned, and they are not necessarily required to do anything about it. They are required to disclose what they are doing and what risks they face, but not to act on that. Those are some of the key elements. There are also issues around particular operational resilience rules on banks and the suppliers that also support that.
I am coming to the second part of your question about what is missing. I would say that the UK, until around 18 months to two years ago, was a global leader in this area. It no longer is. In particular, a number of jurisdictions around the world have moved further than the UK—particularly Europe, but also some Asian jurisdictions are moving much more quickly than the UK now, and the level of emphasis on this has declined. We can see that in practice. For example, only about 18 months ago, the Treasury’s mandate letter to the Bank of England made clear a need to think about nature-related risks as well, and we have seen no progress on that in the public domain.
We still see important statements being made by the Bank of England on this. Recently there was a recognition around insurance, as I mentioned earlier, and a recognition around the impacts of climate on prices and the potential implications for monetary policy. There was the recent update to the expectations on firms, but the emphasis has reduced, and I think that is a step-back from practice internationally. I am very involved in the Network for Greening the Financial System, which is the network of global central banks in which the Bank of England is still very active, but, if you look at practice across many of the central banks and at what the UK is doing, it is falling back compared to many others. There is a growing gap and keeping pace with the rate of increasing risks is not happening.
Baroness Northover: So there is a risk in removing that from primary legislation.
Professor Nicola Ranger: Yes, a big risk.
The Chair: We have two more questions. Are you okay for time? Good.
Q136 Lord Marland: I must declare an interest, having multiple insurance interests past and present, one of which was as a founder and shareholder of AXIS, which you worked for, and another as an adviser to Pool Re when it was set up all those years ago.
You mentioned various things that the Government should be thinking about. Professor Ranger said that you are not getting enough guidance from the Government and that the regulatory standards are not strong enough. Various people have mentioned perhaps setting up Cyber Re and even expanding Flood Re to include SMEs. What legislation do you think is required to assist in these various concerns of yours?
Professor Nicola Ranger: I am not a legal expert, I should say, but, certainly from what we hear from firms, regulatory standards for resilience are incredibly impactful. The lack of clarity over the expectations to manage these risks is a barrier to action. That is what we clearly hear. We hear a call to have much more clarity on that within the architecture somewhere.
Thinking about broader efforts, particularly forward looking, we hear in particular that firms do not have enough of a clear expectation about what the future risk environment will look like and what the Government expect them to do about it. That is the key gap that we hear about.
Jonathan Gray: I would add that regulation in and of itself certainly gets attention. For example, people know that Martyn’s law is happening and they know they need to respond to it; whether they are doing that at the rate and in the way that they should is another question, but regulation and regulatory standards certainly get people’s attention.
A point that sits very clearly with me is that, ultimately, particularly when I look at my sector, if somebody does not pay out—if an insurance company does not pay out for a particular action—they come knocking at your door or a politician’s door very quickly for a solution. Normally, something needs to be done. The real question is whether the appetite is one for dealing with these in advance of the problem coming along or whether we will have discretion to act in the light of who has been affected and who we would like to help on the other end of it. Insurance, as you know, is a very efficient way of distributing money in a relatively fraud-free, safe way through to both individuals and businesses, so I think insurance definitely has a part to play in that ecosystem.
Q137 The Chair: You mentioned Martyn’s law a couple of times today. We have received some evidence suggesting that, welcome though the legislation is, its effectiveness will be limited unless there is training for premises staff to implement it to make it work, and that there is no sign of that training. Can the insurance and reinsurance sector apply some pressure to encourage that to materialise?
Jonathan Gray: I think the regulator has a little more time before it is in the situation where this must be done. We are still in the implementation phase at this point, but I certainly appreciate people’s frustration in thinking, “What do I need to do?” I believe that that guidance will come through. Insurance companies, unquestionably for the higher-tier premises, will be looking very carefully as to whether this is being implemented and taken seriously. I think we are still in that implementation phase.
The Chair: Okay, it is too soon to be seriously worried, then. Lord Farmer has the last question.
Q138 Lord Farmer: Thank you very much for your very good contributions today, which we will take away and meditate on. A simple question: what one recommendation would you make to the Government about preparedness and resilience? What is your number one? Professor Ranger, we will start with you.
Professor Nicola Ranger: If I can just preface it by a statement, a key problem on the private sector side is that there is nothing in current legislation policy that incentivises a company to do things in the national interest when it comes to resilience. All the current regulations on firms—for example, the Companies Act—are about a company protecting itself. Aside from a very few cases—the water sector, for example—there is nothing that encourages a firm to do things that are in the national interest. Particularly for sectors that are not incorporated in current cyber finance and so on, such as the food sector and critical minerals, the recommendation would be to look at where there are gaps and where there are ways to encourage them to account more for their impact on overall resilience of the UK.
A first specific recommendation would be to look at the gaps in current policy legislation around critical suppliers and sectors, and to look at scenario analysis. The type of scenario analysis that the financial sector is required to do should be required of other sectors, as well, particularly where they have a big impact on UK national resilience.
Jonathan Gray: For myself, clarity and cohesiveness are the items that I would like to see. Despite the Cabinet Office now having a resilience directorate and a head, too many of the problems that we have discussed today and that you look at cut across multiple departments with differing priorities.
That leads us to a rather deeper question: what is it that we value and want to protect? Generally that is what we will prioritise as we go forward. The Government want a whole-of-society approach to solving these issues and addressing this challenge. One of their challenges is how to drag in those parts of the economy that do not see themselves as traditional members of the resilience community. In my sector—supermarkets, media companies, banks, et cetera—none of them wakes up in the morning thinking, “National resilience is what I am all about” but they have a key role to play in all of that. If I can leave you with one thing, it would be that national resilience requires a national effort and the Government need to tell us all how to play our part in that.
The Chair: That was an excellent note to finish on. Thank you very much indeed, both of you. That has been very helpful and enlightening.