Behind the scenes of an evolving independent cyber event declaration system

This article was produced in partnership with CFC

Mia Wallace, of Insurance Business, sat down with James Burns, head of cyber strategy at CFC, to discuss the launch of an independent cyber event declaration system.

While a new concept in the context of the digital world, the roots of the idea behind a reliable rating model distinguish between attritional claims and catastrophic scenarios. It was in 1992 that Hurricane Andrew caused about $26 billion worth of damages, causing 16 insurance companies to go bankrupt and calling into question the viability of Florida’s property insurance market.

Many things need to change to ensure that private insurance can continue to offer homeowner protection in Florida, emphasized CFC’s head of cyber strategy James Burns (pictured), including creating of a new event-based approach to categorizing and assessing hurricane disaster risk – one that still stands today.

The idea behind the creation of the CFC is an independent system for the declaration of cyber events

Thirty years ago, at the 2022 CFC Cyber ​​Forum, the CFC set its stall clearly – identifying the need for an equivalent model for the digital world and revealing advanced support plans to create an independent cyber event declaration system (CEDS). Giving an update on the progress of this ambition, Burns noted that the idea behind it was born out of the frustration of the lack of solutions in the market that could delineate the attritional and destructive claims of way available for customers as well as insurers.

“There are ways the market is already doing this, including with CFC,” he said. “Insurers have exclusions within their policy wording aimed at addressing systemic risk and protecting the market from uninsured events. Recent developments in exclusions in War is a good example of that, but the market has everything from infrastructure exclusions to core internet failure exclusions – and they’re all designed to help protect against systemic events.

“But in our opinion, it feels wrong for the market to continue on that path. We don’t think it should be right that we continue to discuss this topic with scenario-specific exclusives. Because there are always scenario that you can’t imagine, so you don’t have to offer the market the best level of protection. And, by definition, the exclusions of the specific scenario will be too complicated for customers to understand, which is also not right .

With that in mind, CFC went back to the drawing board, he said, looking for a solution that would serve the market by helping insurers manage systemic risks while also making cyber insurance offerings more transparent. for brokers and customers. All roads lead back to the idea of ​​the CEDS solution where a group of independent experts will use a transparent, objectively defined set of criteria to identify, define and categorize cyber events.

Understanding a CEDS – in theory and in practice

While in concept, CEDS is simple, Burns said, where it gets complicated is in the amount of detail and technicalities required in how the panel works and the methods they use. But at a high level, CEDS sees the establishment of an independent body composed of experts in the field of knowledge beyond insurance.

These experts will analyze systemic cyber events when they occur, using a transparent and predetermined method to determine the severity of the event by measuring its scale (i.e. the number of organizations that is affected) and its impact (ie how much financial damage is caused to each affected organization). Using this method, he says, the body uses multiple data inputs to determine how widespread and impactful any given event is.

“The idea is that they can use that to determine a severity rating for the event,” he said. “For example, a category one event may be low-level, less widespread and less costly, while a category five event may be a catastrophic scenario affecting a significant proportion of all UK organizations and worth billions of pounds.

“The parameters have not yet been determined. But the key factor is the independence of that body and all those who rely on it to declare the events accurately which means that insurers can use the declarations to ring-fence the systemic events within policies.

How far does a CEDS work?

Talking about how the event declaration system is progressing, he shared that while the work is ongoing, the CFC is very happy with the progress made. When the company first announced its support for the development of the applicable CEDS, Burns emphasized that “by definition, this is not a CFC or even an initiative owned by the insurance market”. Following this, he emphasized the collaboration inherent in the creation, launch and success of the initiative.

“We don’t see it as a CFC-led project,” he said. “We are trying to corral the support of the market but also to set up a collaborative environment where we can get non-insurance market experts with experience to do this work. We have in a good place and we are developing and working with many third-party bodies. And we look forward to continue sharing updates in the coming months.

The reaction from the insurance market so far has been very positive, he said, and ongoing conversations with insurers, brokers and reinsurers alike highlight the challenge that exists within the sector and the shared drive to find a solution that works for everyone.

What a CEDS will mean for the entire cyber market

Among the key implications of the declaration system, it will ensure that everyone is on the same page when it comes to determining what constitutes a systemic event – a consistency that is currently missing from the market because each insurer and reinsurer has a different meaning. It’s hard to try and tackle a problem if you don’t agree on what the problem is, he says, so creating a common taxonomy makes it easier to try and come up with solutions to fix pre-defined ones. exposures.

In addition, CEDS should allow pricing to be more accurate and sophisticated, due to a better understanding of systemic risk and the elimination of many uncertainties that currently exist in the cyber insurance market. Having a more accurate idea of ​​their exposures should allow reinsurers to price more forensically, he said, which can then be passed on to policy-level premiums – a move likely to be welcomed by those brokers and customers alike.

While it’s still a long way off, Burns said, the long-term ambition behind the development of CEDS is that by making systemic risk manageable in a simpler and more uniform way, the categorization system means that insurers may be removed. many of the overly complex exclusions are built into the back of the cyber policy, creating a simpler and more streamlined product.

“Something like this is so important to the long-term sustainability of the market that most of the stakeholders we spoke to were very willing to help and very positive in their feedback about how it would work,” he said. “I think the simplicity angle is key here. There’s a lot of detail and work underneath, but at a conceptual level, it’s something that people can easily understand – whether they’re insurers, reinsurers, brokers or customer. And that makes it easier for people to buy.”

Why CEDS is not a fixed supply solution

The critical thing to remember is that the declaration system is not only aimed at solving the market supply problem, Burns said. The creation of CEDS has significant implications for insurance brokers and their clients, including the aforementioned increase in pricing sophistication and the simplification of cyber insurance products.

“But it’s also about accessibility,” he said. “If we can make the product simpler, and the price more accurate, and actually create something where people understand the systemic risks, because we can teach this third party that body that is there to report events, then it makes the whole concept of what cyber risk is more accessible. In the UK at the moment, we still have circa 10% penetration of standalone cyber insurance which policies, perhaps lower at the SME end.

“So, anything we can do to make this whole topic more accessible and to make brokers more comfortable talking about it should be a win. Hopefully, it will serve the purpose of helping us to achieve that goal and grow market penetration within the UK and globally as it becomes increasingly clear that clients need to protect themselves against cyber risk – and this will speed up the process for them and for their brokers. .”