CFC plans cyber catastrophe rating agency
MGA's head of cyber underwriting says rating system will help differentiate between 'attritional losses and true catastrophic events, which should facilitate the development of a thriving event-based cyber reinsurance market'
Categorising cyber attacks in a similar way to hurricanes could remove the need for complex scenario-based exclusions and address the aggregation concerns that are holding back the market
Managing general agent (MGA) CFC Underwriting is leading efforts to develop a cyber catastrophe rating agency in an attempt to address aggregation concerns that have held the market back.
An independent system for categorising cyber attacks would help the insurance industry solve the problem of accumulation by removing the need for complex, scenario-specific exclusions, James Burns, head of cyber at the London-based specialty MGA, said.
CFC is looking to collaborate with others in the cyber insurance market to ensure the body, which will be modelled on the National Hurricane Center in Miami, is trusted and independent.
Despite cyber being one of the fastest-growing insurance lines, the market has been stifled by a lack of capacity, driven by concerns about large accumulative events, such as major malware attacks, major cloud computing outages or attacks on important infrastructure.
The cyber market is working to develop exclusions to limit insured losses in the event of a major cyber incident.
While event-specific exclusions are necessary, they are confusing for clients, reduce the usefulness of coverage and still leave insurers open to unexpected events, Burns said.
Having an independent body that can classify cyber attacks would allow for a clear delineation between attritional and systemic losses, helping the cyber market mature in a similar way to the property catastrophe market.
“Imagine a single exclusion linked to a declared category five cyber event, which could serve exactly the same purpose as a long list of narrower, overlapping exclusions,” Burns said.
“What that also does is create the simple deviation in cyber policies between attritional losses and true catastrophic events, which should facilitate the development of a thriving event-based cyber reinsurance market, so the customer doesn’t actually have to lose out,” he said.
This would allow insureds to buy back cover for extreme cyber events in the same way as the property catastrophe market allows, Burns continued.
“In all of our conversations today with insurers, reinsurers and third-party capital providers, there does not appear to be a real lack of appetite for cyber cat risk, rather a frustration at the lack of agreement on precisely what cyber cat risk is.
“This solution can solve that problem and provide the mechanism by which a cyber cat market can fully develop so the customers can buy back cover for extreme scenarios should they wish to.”
The UK cyber rating body would eventually track incoming cyber threats and give them a category rating based on their likely impact. It could also designate named cyber events, similarly to how major storms are named, Burns suggested.
CFC is already in the process of creating a company limited by guarantee – a legal structure commonly used by charities and non-profits – to fund and operate this body, with articles of association and a detailed methodology due to be ready to circulate by the end of this year.
Burns said he hoped to have something operating by the end of 2023, even if it was not yet usable for insurance purposes.
“This cannot be a CFC- or even an insurance market-owned initiative – it has to be independent in nature to work. But we can push it forward to get to something that might benefit not only the insurance market, but hopefully wider societies as well,” Burns said.
“We’re using that motivation to act as a catalyst to get something going here, even if this body ends up as an inspiration for something else or a precursor to a different similar end solution.”