Behind the scenes of an evolving independent cyber event declaration system

The cyber insurance sector can't afford to wait for its Hurricane Andrew moment

By Mia Wallace

This article was produced in partnership with CFC

Mia Wallace, of Insurance Business, sat down with James Burns, head of cyber strategy at CFC, to discuss the rollout of an independent cyber event declaration system.

While a new concept in the context of the digital world, the roots of the idea behind a trusted rating model differentiating between attritional claims and catastrophic scenarios run deep. It was in 1992 that Hurricane Andrew created some $26 billion worth of damages, causing 16 insurance companies to go insolvent and calling the very viability of Florida’s property insurance market into question.

Several things had to change to ensure that private insurance could continue to offer homeowner protection in Florida, highlighted CFC’s head of cyber strategy James Burns, among them the creation of a new event-based approach to categorising and evaluating hurricane catastrophe risk – one which still stands today.

The idea behind CFC’s creation of an independent cyber event declaration system

Thirty years later, at the 2022 CFC Cyber Forum, CFC set out its stall clearly – identifying the need for an equivalent to this model for the digital world and unveiling advanced plans to support the creation of an independent cyber event declaration system (CEDS). Providing an update on the development of this ambition, Burns noted that the idea behind it was born out of frustration at the lack of viable market solutions able to delineate attritional and catastrophic claims in a way that works for customers as well as insurers.

“There are ways the market is doing this already, including as at CFC,” he said. “Insurers have exclusions within their policy wordings which are aimed at addressing systemic risk and protecting the market from uninsurable events. The recent developments on war exclusions are a good example of that, but the market has got everything from infrastructure exclusions to core internet failure exclusions – and they’re all designed to help protect against systemic events.

“But in our minds, it just felt wrong for the market to continue down that path. We don’t think it’s necessarily right that we continue to address this topic with very scenario-specific exclusions. Because there are always going to be scenarios you might not have thought of, so you’re not necessarily offering the market the best level of protection. And, by definition, scenario-specific exclusions can get quite complicated to understand for customers, which doesn’t feel right either.”

With that in mind, CFC went back to the drawing board, he said, looking for a solution that would serve the market by helping insurers manage systemic risks correctly while also making the cyber insurance offering clearer for brokers and customers alike. All roads led back to the idea of the CEDS solution where a body of independent experts would use a transparent, objectively defined set of criteria to identify, define and categorise cyber events.

Understanding a CEDS – in theory and in execution

While conceptually, the CEDS is quite simple, Burns said, where it gets complicated is in the granularity of detail and technicalities required around how the panel will operate and the methodologies they will use. But at a high level, the CEDS will see the establishment of an independent body comprised of experts in fields of knowledge beyond insurance.

These experts will examine systemic cyber events as and when they occur, using a transparent and pre-determined methodology to determine the severity of the event by measuring its scale (i.e. the number of organisations affected) and its impact (i.e. how much financial damage the incident is doing to each affected organisation). Using this methodology, he said, the body will utilise multiple data inputs to establish how widespread and impactful any given event is going to be.

“The idea is that they can then use that to determine a severity rating for the event,” he said. “For instance, a category one event might be low level, not very widespread and not cost very much, while a category five event might be a catastrophic scenario affecting a significant proportion of all UK organisations and costing billions of pounds.

“The parameters are still yet to be determined. But the key factor is the independence of that body and everyone trusting it to declare events accurately which means that insurers can use those declarations to ring-fence systemic events within policies.”

How far along is the work on a CEDS?

Touching on how the event declaration system is evolving, he shared that while work is ongoing, CFC is very happy with the progress that has been made. When the firm first announced its support for the development of a serviceable CEDS, Burns emphasised that “by definition, this cannot be a CFC or even an insurance market-owned initiative”. Following up on this, he highlighted the collaboration inherent to the creation, rollout and success of the initiative.

“We’re not seeing this as a CFC-led project,” he said. “We’re trying to corral market support but also to set up a collaborative environment where we’re able to draw in non-insurance market experts with the experience to be able to do this job. We’re in a good place and we’re making progress and working with a number of third-party bodies. And we’re looking forward to continuing to share updates in the months to come.”

The reaction from the insurance market to date has been very positive, he said, and ongoing conversations with insurers, brokers and reinsurers alike underscore the challenge that exists within the sector and the shared drive to find a solution that works for everyone.

What a CEDS will mean for the cyber market overall

Among the key implications of the declaration system, it will ensure everybody is on the same page when it comes to determining what a systemic event is – a consistency currently missing from the market as each insurer and reinsurer has a different definition. It’s difficult to try and tackle a problem when you can’t all agree on what the problem is, he said, so creating a common taxonomy will make it easier to try and build solutions to fix pre-defined exposures.

In addition, the CEDS should allow pricing to become much more precise and sophisticated, due to a better understanding of systemic risk and the elimination of quite a lot of the uncertainty that currently exists in the cyber insurance market. Having a more accurate idea of their exposures should allow reinsurers to price more forensically, he said, which can then be passed on to policy-level premiums – a move likely to be welcomed by brokers and customers alike.

While still a way off in the distance, Burns said, the far-reaching ambition behind the development of the CEDS is that by enabling systemic risk to be dealt with in a much simpler and more coherent way, the categorisation system will mean insurers can remove a lot of the overly complex exclusions that have built up in the back-end of cyber policy, creating a simpler and more streamlined product.

“Something like this is so fundamental to the long-term sustainability of the market that most stakeholders that we’ve spoken to are very keen to help and have been very positive in their feedback about how something like this might work,” he said. “I think the simplicity angle is key here. There’s a lot of detail and work beneath the surface, but at a conceptual level, it’s something that people can easily understand – whether they’re insurers, reinsurers, brokers or customers. And that makes it easier for people to buy into.”

Why a CEDS is not a supply-side specific solution

Critical to bear in mind is that the declaration system is not aimed solely at solving a supply-side problem in the market, Burns said. The creation of the CEDS will have huge implications for insurance brokers and their clients, among them the aforementioned increased pricing sophistication and the simplification of cyber insurance products.

“But it’s also about accessibility,” he said. “If we’re able to make the product simpler, and the pricing more accurate, and actually create something where people understand systemic risks, because we can point to this third-party body who are there to declare events, then it makes the whole concept of what cyber risk is much more accessible. In the UK at the moment, we’ve still got circa 10% penetration of standalone cyber insurance policies, probably lower at the SME end.

“So, anything we can do to make this whole topic more accessible and to get brokers more comfortable talking about it has got to be a win. Hopefully, this will serve a purpose in helping us achieve that end and grow market penetration within the UK and globally because it’s still absolutely clear that clients need to protect themselves against cyber risk - and this will make that process easier for them and for their brokers.”
