That necessity is the mother of invention is a well-accepted premise – and it was necessity that led to the establishment of a new event-based approach to categorising and evaluating hurricane catastrophe risk in the wake of Hurricane Andrew in 1992. Now, nearly 30 years later this delineation between attritional events impacting policyholders and systemic weather events still stands.
What made this delineation possible, noted James Burns (pictured), head of cyber at CFC, at the 2022 CFC Cyber Forum, is that widespread agreement existed around exactly what these systemic events look like. This, he said, was established by a group of independent experts who used a transparent, pre-determined, objectively defined set of criteria to identify, define and categorise severe weather events as and when they develop.
“This is what gives the property insurance market the mechanism required to bifurcate between the types of events they can cover as standard, and those that they need to treat a bit differently,” he said. “We think we need an equivalent professional for the digital world. We need to be able to agree on exactly what a ‘cyber hurricane’ looks like.”
“In recent months, CFC have advanced plans to support the creation of such a solution. We started out some months ago by commissioning a legal feasibility study into the establishment in the UK to have an independent body which would exist to identify, define and categorise cyber events. The findings of that study stated that this was doable, it found no legal or regulatory reason as to why a body couldn’t be set up.”
With that confirmation in place, CFC has started work on determining what this body would need to look like. Recommendations posit a CLG structure, he said, which is typically used by charities and non-profits wherein members can fund the establishment and operating costs of the body but the body is a legal identity distinct from those members. As it stands, CFC is acting as the initial sole sponsor and is keen to encourage broader stakeholder support from both within and outside the insurance industry.
“Once established,” Burns said, “the board of the body will oversee the setting up of the technical committee drawn from non-insurance backgrounds in IT security, research, academia and law and whose job will be to identify, define and categorise cyber events. To do this, they will need to assess inputs from a range of data feeds and analyse them within the framework of an objective methodology.”
The construction of that methodology is where the bulk of the work going into this new initiative is currently focused. So, CFC is engaging with a broad range of experts to create a methodology that is rigorous and robust while also being practical and workable. The team will shortly be able to provide a high-level overview of the first iteration of this initiative with wider stakeholders, he said, and as it stands, conceptually the technical committee will have three primary tasks.
Their first job is to identify potential cyber events as they start to develop. To support identification, he said, it’s likely that an event alerting system will need to be established and given its role as a frontline responder, the cyber insurance industry is well-placed to be the primary supplier of data feeds into any such event alerting system.
Burns highlighted that the second job of the technical committee would be to identify the specific nature of the events by a thorough analysis of technical indicators of compromise and the tactics, techniques and procedures deployed in order to accurately define the events. Systemic scenarios might range from malware outbreaks to mass extortion events, major data breaches to cloud failures.
“The technical committee’s experience and expertise will be required to make an assessment of what’s happening quickly and accurately,” he said. “For this second phase, third-party contributors to the event alerting system will also provide additional data to support the definition of the event… Importantly, we propose that once defined at this stage, the body should also assign an official name to the event. Creation of a commonly agreed naming convention feels like an important step forward in the space to make sure that everyone’s on the same page as these events arise.”
The third and final task of the technical committee should be to categorise the severity of the events according to two factors – how widespread it is and how significant its overall financial impact is. By assigning a rating based on the size of the affected population and combining that with an economic impact rating, he said, the event can be ascribed a catastrophe rating – with one being the lowest and the five the highest.
Once complete, Burns said, CFC believes that the entire process of identifying, defining and categorising cyber events could be completed within a 30-day window.
“We know that this initiative is ambitious,” he said. “It’s a model that is simple in concept but complex in execution. But that simplicity of concept is what we think makes this avenue worth pursuing.”
The solution will look to create a simple delineation in cyber policies between attrition losses and true catastrophic events, which should facilitate the development of a thriving event-based cyber reinsurance market. In all CFC’s ongoing conversations with insurers, reinsurance and third-party data providers, he said, there does not seem to be a real lack of appetite for cyber cat risk. Rather there is a real frustration at the lack of agreement around precisely what cyber cat risk actually entails.
“This solution will solve that problem and provide the mechanism by which a cyber cat market can fully develop so that customers will buy back cover for extreme scenarios should they wish to,” he said.
In terms of the next steps, CFC is close to having the CMG set up with articles of association drawn up, he said, and a proposed detailed methodology ready to circulate by the end of this calendar year. While this will take time, the group is keen to see something operational towards the end of the next calendar year, even if it’s not useable for insurance purposes right away, and to hopefully create a model that can be replicated in other territories and jurisdictions.
“The initial feedback from everyone - from insurers, reinsurers, brokers and government - has been overwhelmingly positive,” he said. “And seeing so many different stakeholders all so excited about the same thing is incredibly motivating. We’re using that motivation to act as a catalyst to get something going here.
“Even if this body ends up as an inspiration for something else, or as a precursor to a different, similar end solution, that’s OK. By definition, this cannot be a CFC or even an insurance market-owned initiative. It has to be independent in nature to work, but we can push it forward to get to something that might benefit not only the insurance market but hopefully wider society as well.”
