Skip to content

PRA DyGIST 2026 Response Center: Insights to help you act with confidence

Follow CyberCube’s DyGIST 2026 coverage with weekly updates, expert commentary, and practical insights on the PRA’s Dynamic General Insurance Stress Test.

Continue Reading
  • 17 Minute Read

JUMP TO WEEK 2

Welcome to CyberCube’s DyGIST 2026 hub. This page brings together our weekly updates, expert commentary, and practical insights on the PRA’s Dynamic General Insurance Stress Test.

Throughout the exercise, we will use this space to share what is unfolding and what it means for the market. We will consider how firms can respond with confidence under pressure. In a live scenario shaped by changing assumptions, compressed timelines, and incomplete information, the real challenge is making decisions you can defend.

What is the PRA’s DyGIST 2026 exercise?

The Prudential Regulation Authority’s Dynamic General Insurance Stress Test, or DyGIST 2026, is a live-market stress test designed to assess how the insurance sector responds to a fast-moving systemic shock.

Unlike a static stress test built around predefined assumptions, DyGIST unfolds in stages. Participants receive new information as the exercise progresses where they must assess impacts and update assumptions. They then have to respond in real time, making it a practical test not only of solvency and exposure management, but of decision-making and responsiveness under pressure.

Why DyGIST matters

DyGIST matters because it reflects the real operating conditions organizations face during a live market event. For firms operating in the London and Lloyd’s markets, DyGIST is an important test of how well risk, portfolio management, analytics, and leadership come together when the scenario moves quickly.

For insurers, reinsurers, and brokers, it's vital to get to an answer that is both quick and robust enough to support defensible decisions and credible stakeholder communication. This makes this exercise vital for demonstrating crisis responsiveness, clarifying decision-making pathways, and strengthening the market’s collective ability to navigate complex aggregation events.

Dygest_WEB-Banner_1920x1080px_V2

CyberCube's Point of View

Our perspective: DyGIST is a test of defensible decision-making

Much of the market conversation around DyGIST focuses on preparedness, operational response, or technical capability. While these are important, there is more to defensible decision-making.

In a live exercise, the real pressure point is decision-making under uncertainty. Firms are asked to interpret emerging events and assess exposure rapidly, often without perfect information. In that environment, raw outputs are only useful if they support decisions that can be explained and defended.

CyberCube's approach is built around defensible insights so clients can act with clarity and confidence. We help firms move beyond black-box outputs and toward decisions they can stand behind in real time.

CyberCube's unique approach

CyberCube’s approach to DyGIST is built on three foundations that enable decision-making under pressure.

Model validation

In a live scenario, confidence in the model matters as much as speed. CyberCube helps clients work from models they can defend to internal stakeholders, regulators, and the wider business.

This reduces the last-minute scrambling that often happens when teams are forced to reconcile inconsistent assumptions or explain outputs they cannot fully stand behind.

Data quality

Decision-making depends on data and analytics that hold up under scrutiny. CyberCube helps clients work with transparent, auditable, insurance-relevant data and portfolio metrics that remain reliable as scenarios evolve. This enables decisions grounded in exposure data that supports credible action in real-world insurance contexts.

Institutional expertise

Our team brings deep experience in cyber risk, accumulation, and how firms respond during live market events. We know how scenarios unfold, and the challenges that come with that, such as how reporting pressure builds and where decision bottlenecks tend to emerge. Understanding this pattern is vital when clients need to interpret new developments quickly and respond with confidence.

Activating our support

CyberCube is participating in this event alongside our clients, meaning we do not receive advanced notice of event details. As the scenario unfolds, we are 'activating' a service similar to our Cyber Aggregation Event Response Service (CAERS) to support the market through this stress test.

CAERS is designed to help firms interpret cyber aggregation scenarios, assess potential impacts, and support decision-making during periods of heightened uncertainty. During DyGIST, that support includes:

  • Real-time Analytics: Timely intelligence and analytical support as the scenario evolves.

  • Modeling Guidance: Quantitative and qualitative insights to help firms assess exposure, and support internal and regulatory reporting requirements.

  • Strategic Support: Structured guidance to help clients understand potential impacts, evaluate response options, and move forward with greater confidence.

Our role goes beyond providing outputs, we help clients make decisions they can explain, justify, and act on.


Weekly DyGIST Updates

DyGIST runs over a four-week period, with new developments and escalating pressure introduced as the exercise progresses. Each week, we will share updates on the latest scenario developments, key themes emerging across the market, and the insights we can provide to help clients understand potential impacts and response priorities.

This section will serve as the running timeline of our public commentary throughout the exercise.

Week 0

The scenario guidelines and state of play was released on Friday 01 May. Inside it contained background context information, with a special provision for cyber.

"The initial state for DyGIST is the current real-world situation, extrapolated to incorporate adverse consequences that could reasonably materialise.

The DyGIST opening balance should reflect the state of the real world, where risks are elevated, namely that:

  • 2026 has seen a continuation of heightened geopolitical tensions, including protectionist trade measures and military actions.
  • Against this backdrop of geopolitical uncertainty, cyber-attack frequency has continued to increase. In part, this increase can be attributed to threat actors leveraging AI-related techniques to identify vulnerable targets and conduct more effective social engineering attacks.
  • Ransomware has continued to dominate.
  • However, given the economic environment, many organisations face spending challenges, including on their cyber security defences, despite increasing reliance on technology and digital systems."

 

Week 1

Key takeaways

  • Week 1 introduced a systemic ransomware scenario affecting manufacturing via a compromised software update.
  • The key modeling focus is downstream Business Interruption across North America, Europe, and the UK.
  • CyberCube’s guidance remains unchanged, with uncertainty centered on outage duration, severity, and coverage response.

Tuesday 05 May 17:11
--
The 2026 DyGIST exercise kicks off with a significant cyber scenario in play. A sophisticated "Big Game Hunting" scenario targets key software in the global manufacturing supply chain. A threat actor has leveraged AI-enhanced social engineering to compromise a company's software, pushing a Trojanised ransomware update to a global manufacturing customer base. This has effectively halted production across some of the market in North America and Europe, illustrating the devastating systemic potential of a Single Point of Failure (SPoF) in the technology stack.

The Week 1 cyber inject highlights the systemic risk created when a widely used software dependency becomes a transmission mechanism for ransomware. The scenario is not centered on data theft or direct operational technology sabotage, but on production disruption caused by a compromised trusted software update. This reinforces the importance of understanding shared technology dependencies across manufacturing portfolios.
For (re)insurers, this scenario presents a complex modeling challenge: quantifying the fallout from a "full limit loss" on the provider while simultaneously assessing Business Interruption (BI) across a diversified portfolio.

A key first step for firms is exposure scoping. Participants should focus on manufacturing risks across North America, Europe, and the UK, while also considering whether large or diversified organizations may have manufacturing operations that are not immediately visible from standard industry coding. This is where data quality becomes critical: firms need enough portfolio clarity to identify the right exposures before estimating potential impacts.

CyberCube’s methodology will go beyond some of this scenario, supporting our clients with the SPoF Intelligence and Portfolio Manager tools needed to map these exact upstream dependencies and identify high-risk clusters. 

Infographic Week 1

 

Wednesday 06 May 23:51

CyberCube instructs clients with a proposed modeling guidance report for implementing the PRA DyGIST
manufacturing downtime scenario. The guidance is structured to explain the exposure scope, model
settings, Event Occurrence ID selection, and loss estimation approach required to translate the PRA
narrative into a CyberCube modeling workflow.

The most relevant loss components for this scenario are expected to include business interruption, incident investigation and response, data restoration, and potential extortion-related costs where applicable. Given the current scenario information, the emphasis is on disruption and restoration rather than liability costs associated with data exfiltration.

One important consideration is whether precautionary shutdowns by uninfected companies could trigger coverage. This is a policy wording and interpretation question as much as a modeling question, and firms should assess it explicitly when developing their loss range.

 

Friday 08 May 12:35

As of May 8, 2026, CyberCube has not had to update guidance to reflect the latest developments in the DyGIST exercise. Following a review of the mid-week (Thursday) scenario updates, we have confirmed that our core modeling recommendations remain robust and unchanged. Our review of the latest injects did not result in a material change to CyberCube’s core approach. The scenario remains best understood as a downstream manufacturing disruption event arising from a shared software dependency, with further uncertainty around outage duration, severity, and coverage response. Additionally, we have integrated market loss validation insights and supplemental resources to help clients refine their estimates as more information becomes available.

CyberCube will provide industry-level loss estimates to clients and will continue to provide timely updates throughout the duration of the DyGIST exercise. CyberCube has developed preliminary market loss validation to help clients benchmark their own views of the event. These estimates should be treated as evolving rather than final, as actual outcomes will depend on portfolio mix, outage duration, policy wording interpretation, and how future injects clarify the scenario. The key takeaway for firms is not only to produce a point estimate, but to maintain a defensible range that can be explained as conditions change.

Firms should continue to test their assumptions against their own portfolio data, policy wordings, and internal view of risk. In particular, outage duration and coverage response remain important sources of uncertainty.

As the exercise progresses, firms will need to distinguish between what is known, what is assumed, and what may need to be revised as new information becomes available.

Week 2

Monday 11 May 16:45

As the scenario information from week 1 is now being collated and formatted for submission to the PRA from our (re)insurance clients, our Cyber Threat Principal, William Altman shares some of the threat intelligence background from this scenario.

Tuesday 12 May 14:00

The second week of the DyGIST scenario expands the impact of the ransomware event beyond the manufacturers directly affected by systems encryption or downtime. Some manufacturers that were not taken offline by the ransomware are beginning to use manual workarounds and contingency plans. However, disruption is still ongoing for manufacturers with encrypted systems, with further assumptions expected in a later inject. For manufacturers required to take systems offline, the PRA has now provided interruption duration assumptions by revenue size, with a portion of affected organizations still marked as to be confirmed.

A key development is the emergence of wider downstream supply-chain disruption across North America and Europe, including the UK. Participants are asked to assume several sectors experience interruption, including energy, utilities, manufacturing, telecommunications, retail, transport, construction, and real estate. This broadens the scenario from a manufacturing-led cyber event into a cross-sector business interruption and accumulation challenge.

The update also introduces limited losses associated with perishable goods for a subset of impacted manufacturers. While this is a narrower component of the scenario, it adds further complexity to loss estimation, and raises questions of coverage from an insurance class perspective, particularly where operational disruption affects time-sensitive inventory.

The market impact has also intensified. The PRA notes an additional cyber-induced shock on top of the existing market stress, with further equity declines and credit spread widening concentrated in manufacturing and information-and-communications sectors.

This reflects how operational disruption from the ransomware event can flow through to broader financial market repricing, particularly in sectors most exposed to the cyber-induced disruption.

 

Thursday 14 May 15:00

The Week 2 DyGIST update develops the cyber scenario from a direct manufacturing outage into a broader business interruption event. Manufacturers affected by encryption continue to face disruption, while those that took systems offline as a precaution are beginning to return to operations as recovery measures progress. This distinction is important because it shows how a single technology dependency can create different loss pathways across the same sector: some organizations experience direct ransomware-related disruption, while others face interruption from operational caution, dependency management, and the time required to restore confidence in affected systems.

As shown in the infographic below, the Week 2 update separates the affected manufacturing population into two broad groups: organizations experiencing direct system disruption and those that took systems offline as a precaution. It then shows how the scenario moves beyond the original manufacturing cohort, with downstream supply-chain interruption creating potential business interruption exposure across other sectors.

This structure helps illustrate one of the central challenges of systemic cyber risk: losses may begin with a defined group of affected organizations, but can quickly extend through operational dependencies and supply-chain relationships.

PRA Dygist week 2 14 May infographicWeek 2 DyGIST cyber scenario update: from direct manufacturing disruption to second order impacts
This infographic summarizes how the Week 2 update separates directly affected manufacturers from those that shut down as a precaution, before showing how disruption can extend into downstream supply chains and selected second order impacts.

The scenario also introduces second order impacts beyond the original manufacturing population. Downstream interruption is now expected across a range of sectors that depend on affected manufacturers, including energy, utilities, telecommunications, retail, transport, construction, and real estate. The update also includes a limited perishable goods component, which adds another layer of complexity where disruption affects time-sensitive inventory.

Taken together, Week 2 reinforces the need to understand not only who is directly impacted by a cyber event, but how disruption can transmit across sectors and create a broader accumulation event.

 

Saturday 16 May 11:00

Week 2 marked a shift from identifying the immediate cyber loss to testing how far the event’s consequences could reasonably extend. The scenario now asks (re)insurers to distinguish between direct ransomware impacts, preventative shutdowns, downstream supply-chain disruption, and perishable goods losses — each with different assumptions, coverage considerations, and levels of confidence.

The challenge is not just modeling the event, but deciding which losses are sufficiently supported by the facts.

For (re)insurers, the key lesson from Week 2 is the importance of separating confirmed loss drivers from sensitivity-based assumptions. Directly encrypted manufacturers present the clearest cyber loss pathway, while precautionary shutdowns and downstream non-IT disruption depend more heavily on policy wording, claims interpretation, and portfolio-specific assumptions.

By this point in the exercise, DyGIST has become less about a single software compromise and more about accumulation management. It shows how a cyber-triggered outage can move through connected industries, creating a need for transparent assumptions, clear documentation, and a defensible view of where insured loss begins and ends.

 

Week 3

By this stage, the exercise is likely to test not only analytics but judgment. We will focus on the implications of scenario escalation, potential portfolio impacts, and the practical challenges firms face when response timelines tighten.

 

Week 4

In the final stage of the exercise, we will look at what the scenario has revealed, what decisions mattered most, and what firms can take away from the exercise as they assess resilience going forward.

 

Final recap

At the conclusion of DyGIST 2026, we will publish a summary of the key themes, decisions, and market implications that emerged across the exercise.

 

Frequently Asked Questions (FAQs)

  • The Dynamic General Insurance Stress Test (DyGIST) is a semi-live crisis simulation conducted by the Bank of England’s Prudential Regulation Authority. Spanning a focused 4-week period in May 2026, it assesses the UK general insurance sector’s ability to respond to a market-wide adverse event in real-time.

  • Unlike traditional stress tests that use predefined, static shocks, DyGIST is "dynamic." The PRA releases sequential "injects" of information throughout the live phase, requiring participants to mobilize quickly, assess evolving impacts, and refine their responses as the crisis unfolds. 

    There are three primary goals: (1) assessing the industry's solvency and liquidity resilience to systemic stress, (2) evaluating the effectiveness of insurers' risk management and executive decision-making, and (3) informing the regulator’s own supervisory response to real-world market-wide events.

  • The Cyber Aggregation Event Response Service (CAERS) is CyberCube’s specialized framework for supporting (re)insurers and brokers during major cyber incidents. It integrates deep threat intelligence with advanced analytical models to deliver rapid loss estimates, scenario modeling guidance, and strategic market insights.

  • Please use the DyGIST-specific support mailbox for questions related to the event, or through your client account manager: DyGIST2026@cybcube.com

  • Following the conclusion of the live phase and the submission of final reports by participants in July, the PRA will conduct a sector-wide analysis. A summary of the results and insights into sector resilience is expected to be published by the PRA in December 2026. CyberCube will also publish our summation of our findings throughout the exercise and in a report once the exercise has concluded.

  • Having worked with Lloyd’s on complex scenarios before, CyberCube brings deep experience in tailoring systemic risk assessments for the unique needs of the London market.

    Our unique approach ensures firms can meet both immediate "speed layer" estimates and long-term "accuracy layer" reporting.

    CyberCube's analytics model over 70% of global cyber premiums and are utilized by 75% of the top 40 cyber insurance carriers. This market-wide adoption provides a standardized "common language" of risk.

  • Portfolio Manager and Single Point of Failure Intelligence (SPoF) allow firms to quickly identify digital supply chain concentrations and model "directionally correct" loss estimates within the tight 48-hour windows demanded by dynamic exercises. Portfolio Manager will provide the broad scenario library needed to assess cumulative impacts as scenario injects are released.

    CyberCube will be utilizing our full product suite to help clients understand the risk accumulation and to help model loss alongside these tools.

 

Follow our DyGIST 2026 coverage

We will continue to update this page throughout the exercise with analysis, commentary, and practical perspectives on what the scenario means for the market.

To learn more about CyberCube’s approach or access support during DyGIST 2026, please contact your account manager or our dedicated mailbox via DyGIST2026@cybcube.com.