The Prudential Regulation Authority’s latest priorities carry a sharper tone than in previous years. Against a softer market and growing uncertainty, the regulator is forcing insurers to confront a harder question: how resilient are they, really?
For Jessica Wills (pictured), of PKF Littlejohn, the message is less about new risks and more about confidence being tested.
“The introductory paragraphs do paint quite a negative picture,” she said. “It talks about being prepared for bad times, soft markets, downside scenarios, even solvent exit.”
That tone signals a clear shift, away from growth assumptions and towards stress preparedness, with firms expected to demonstrate resilience rather than rely on it.
At the centre of that shift is underwriting discipline. In a softening market, resilience rests less on capital strength alone and more on whether fundamentals hold under pressure.
“There’s a clear focus on disciplined pricing and bottom-line underwriting performance,” Wills said. “Understanding where your exposure lies, and having strong data to support that, is critical in current conditions.”
The regulator’s concern, however, extends well beyond underwriting. Operational resilience, cyber exposure and third-party dependencies all feature prominently, areas where weaknesses often remain hidden until tested.
“Cyber risk isn’t going away,” she said. “But there’s also increasing attention on third-party risk, not just delegated authority, but operational suppliers as well.”
In the London market, delegated authority remains a natural pressure point. The growth of MGA models has made it central to many business strategies, but also increases the need for consistent oversight.
“There’s a lot of delegated arrangements in the market, so it’s highly relevant,” Wills said. “But strong oversight isn’t a new message. The market has done a lot of work here, this feels more like a reminder to stay focused.”
Where the gap begins to show more clearly is in areas like solvent exit planning. While requirements are in place, readiness across the market remains uneven. “There’s a requirement to have solvent exit analysis ready by June,” Wills said, adding that “from what we’re seeing, that work is still very much underway.”
The issue is not simply completion, but credibility. Firms must demonstrate that those plans can withstand scrutiny, including how they will be assured. “They need to think about how they’ll get assurance over it, whether internal or external,” she said. “There is definitely time pressure.”
That same gap between planning and execution is set to come under pressure in the PRA’s upcoming “DyGIST2026” exercise. Unlike traditional stress testing, this scenario is expected to play out in a more operational, real-time way, shifting the focus from modelling to execution.
As Wills said, it is “not just about headline capital ratios”, but “the operational practicalities – who’s involved, how you manage day-to-day business alongside a live crisis scenario.” The test, in other words, is not just whether firms can model stress, but whether they can operate through it.
That distinction is already visible across the market. Cyber resilience is now firmly embedded at board level and, as Wills noted, “always on board agendas” with “genuine concern” rather than a tick-box approach.
Operational resilience is less settled. While firms have met regulatory milestones, embedding those frameworks into live decision-making remains uneven. “Firms have done a lot to meet the requirements,” she said, “but embedding it into decision-making is still evolving.” The risk is that resilience is treated as something demonstrated periodically, rather than continuously reassessed, particularly as businesses change.
A similar pattern is emerging with artificial intelligence. Adoption is accelerating, often in response to immediate operational pressures, but governance is not always keeping pace. In some firms, Wills said, AI is already being used in “quite sophisticated ways”; in others, it remains more tactical, addressing specific operational bottlenecks.
In both cases, oversight can lag. “The governance and controls can be an afterthought,” she said, with “a lack of awareness at board level about where AI is actually being used.”
The PRA’s 2026 priorities do not point to a single weakness. Instead, they highlight a broader concern, that resilience is being assumed in some areas rather than consistently tested. The challenge now is to close that gap, ensuring it holds not just in frameworks and plans, but in how the business performs under real strain.
