This article was produced in partnership with CFC
Mia Wallace, of Insurance Business, sat down with James Burns, head of cyber at CFC, to discuss the recent cyber mandate issued by Lloyd’s of London.
The three distinct stages which the philosopher Arthur Schopenhauer posited all facts must inevitably pass through were seen in sharp relief following the mandate issued by Lloyd’s of London, requiring that cyber policies written in the insurance market have an exemption for state-backed attacks. First, it is dismissed, then it is opposed, and finally, it is accepted as self-evident.
Discussing the move by Lloyd’s to limit systemic risk in the insurance marketplace, James Burns (pictured), head of cyber at CFC, highlighted that the initial reaction across the market was largely driven by some initial misreporting around the implications of the mandate.
“It was misreported in some quarters as a move designed to exclude all nation state sponsored or nation state executed attacks. And that’s not true,” he said. “The aim is to address attacks of such magnitude that they have a catastrophic impact on their target state. And we're talking about extreme scenarios here.
“The other slight misreporting was that Lloyd's was mandating use of one of the four LMA cyber war clauses published earlier in the year. And that's not true, either. The mandate recognises that use of one of the LMA clauses fits the criteria that Lloyds was setting out but actually they're giving cyber insurers the freedom and flexibility to tackle this challenge themselves, as long as the core tenets of the mandate are met.”
There are still challenges to be overcome with lots of what’s at play in the market, he said, particularly in relation to the concept of attribution and to how that might work for SME policyholders. That’s why it is to be welcomed that Lloyd’s has given insurers the freedom and flexibility to address those issues in their own way.
Examining the reaction of the market to the issuance of the new mandate, Burns noted that as with anything, clarity and comprehension are actualised by open dialogue and proactive education around what it actually means for insureds, brokers and the market as a whole. Certainly from his conversations, he said, once people understand that this is a move to protect the sustainability of the industry, there’s a much greater acceptance of why the sector needs to move in this direction.
“What we're talking about here is a move towards greater sustainability,” he said. “We're not talking about excluding all nation state attacks, because clearly, that wouldn't work for customers. We're talking about extreme scenarios that are going to lead to catastrophic outcomes. I think people do understand that and they understand that the industry needs to move to address it.
“This also doesn't mean that customers need to lose out. Where we’re hoping to move is to a position of greater clarity which, if we can get it right, precipitates the creation of a cyber cat market where this type of cover for catastrophic scenarios is available for customers. It's just that insurers themselves are managing it and pricing it in a very specific way… And as long as the conversation is clear and the dialogue is open – people can rest assured that we’re taking positive steps forward.”
The systemic nature of cyber risk is coming under increased scrutiny, and exploring whether the recent Lloyd’s mandate will help solve the problem of systemic risk, Burns emphasised that war is only one subset of systemic risk within cyber. It’s not the only form of systemic risk, he said, and in this case, it’s really something of a red herring, drawing so much attention to nation state actors and the concept of attributing attacks when actually it’s catastrophic outcomes that the market needs to address, regardless of who caused them.
“We think there needs to be a new approach to this challenge,” he said. “In the physical world, there are bodies whose job it is to identify, categorise and declare extreme weather events. And the insurance industry then uses those declarations in policy language to define what is and isn't covered as standard. We think the same needs to happen in cyber.
“We believe that the establishment of an independent body to declare major cyber events will allow insurers to then be clear around whether or not those extreme events are covered. What this would also allow is for the development of a cyber cat market. Because customers don’t need to go without cover for these extreme scenarios – the industry just needs to be able to clearly delineate between attritional and cat losses so the latter can be appropriately priced and managed.”
The independence of such a body to help with the declaration of these events as and when they happen would be a crucial step forward for the market, he said. And it is a precedent that has been set in the physical world – amid named windstorms, hurricanes and other catastrophic events. Even while the methodology will be slightly different, there’s no reason why the net outcome couldn’t be very similar to the systems that are successful elsewhere in the insurance industry.
Looking at where the market’s going, he noted that the establishment of such an independent body is in the cards – whether that be territory-specific or potentially on a global basis. A body capable of identifying, categorising and publicly declaring catastrophic cyber events is not a pipedream but rather something that could and should be established in the foreseeable future.
“And once we've got that body in place, I then do also see the establishment of a thriving cyber cat market,” he said. “We’ve seen it in other lines of business, we’ve seen it in property and marine policies which exclude traditional war. Those precipitated the creation of standalone specific war markets and marine war markets.
“There's no reason why we couldn't have the creation of a specific cyber cat market, particularly from a reinsurance perspective. That means that we're allowing customers to ensure they've still got cover for those extreme scenarios but also that the industry is able to provide that cover in a very responsible way – which allows us to manage the exposure, price the exposure and ensure it’s being done sustainably.”
Burns noted that with the right level of collaboration among industry players this is a solution that will work to the benefit of insurers, brokers and customers alike – creating a sustainable future for the market while protecting insureds.
“The appetite is there,” he said. “So, I see that as the future state - a method for declaring extreme cyber events, which then allows the creation of a secondary cat market, so that we're managing this exposure sustainably, but also giving customers all of the cover that they need and want.”
James Burns has served with CFC for over a decade – taking on a variety of senior roles and most recently stepping into the position of head of cyber in May 2021. He was previously spotlighted as one of Insurance Business’s ‘Young Guns’ in 2018.
