Insurance Day is part of Maritime Intelligence

This site is operated by a business or businesses owned by Maritime Insights & Intelligence Limited, registered in England and Wales with company number 13831625 and address c/o Hackwood Secretaries Limited, One Silk Street, London EC2Y 8HQ, United Kingdom. Lloyd’s List Intelligence is a trading name of Maritime Insights & Intelligence Limited. Lloyd’s is the registered trademark of the Society Incorporated by the Lloyd’s Act 1871 by the name of Lloyd’s.

This copy is for your personal, non-commercial use. For high-quality copies or electronic reprints for distribution to colleagues or customers, please call UK support +44 (0)20 3377 3996 / APAC support at +65 6508 2430

Printed By


CFC plans cyber catastrophe rating agency

MGA's head of cyber underwriting says rating system will help differentiate between 'attritional losses and true catastrophic events, which should facilitate the development of a thriving event-based cyber reinsurance market'

Categorising cyber attacks in a similar way to hurricanes could remove the need for complex scenario-based exclusions and address the aggregation concerns that are holding back the market

Managing general agent (MGA) CFC Underwriting is leading efforts to develop a cyber catastrophe rating agency in an attempt to address aggregation concerns that have held the market back.

An independent system for categorising cyber attacks would help the insurance industry solve the problem of accumulation by removing the need for complex, scenario-specific exclusions, James Burns, head of cyber at the London-based specialty MGA, said.

CFC is looking to collaborate with others in the cyber insurance market to ensure the body, which will be modelled on the National Hurricane Center in Miami, is trusted and independent.

Despite cyber being one of the fastest-growing insurance lines, the market has been stifled by a lack of capacity, driven by concerns about large accumulative events, such as major malware attacks, major cloud computing outages or attacks on important infrastructure.

The cyber market is working to develop exclusions to limit insured losses in the event of a major cyber incident.

While event-specific exclusions are necessary, they are confusing for clients, reduce the usefulness of coverage and still leave insurers open to unexpected events, Burns said. 

Having an independent body that can classify cyber attacks would allow for a clear delineation between attritional and systemic losses, helping the cyber market mature in a similar way to the property catastrophe market.

“Imagine a single exclusion linked to a declared category five cyber event, which could serve exactly the same purpose as a long list of narrower, overlapping exclusions,” Burns said.

“What that also does is create the simple deviation in cyber policies between attritional losses and true catastrophic events, which should facilitate the development of a thriving event-based cyber reinsurance market, so the customer doesn’t actually have to lose out,” he said.

This would allow insureds to buy back cover for extreme cyber events in the same way as the property catastrophe market allows, Burns continued.

“In all of our conversations today with insurers, reinsurers and third-party capital providers, there does not appear to be a real lack of appetite for cyber cat risk, rather a frustration at the lack of agreement on precisely what cyber cat risk is.

“This solution can solve that problem and provide the mechanism by which a cyber cat market can fully develop so the customers can buy back cover for extreme scenarios should they wish to.”

The UK cyber rating body would eventually track incoming cyber threats and give them a category rating based on their likely impact. It could also designate named cyber events, similarly to how major storms are named, Burns suggested.

CFC is already in the process of creating a company limited by guarantee – a legal structure commonly used by charities and non-profits – to fund and operate this body, including articles of association and a detailed methodology ready to circulate by the end of this year.

Burns said he hoped to have something operating by the end of 2023, even if it was not yet usable for insurance purposes.

“This cannot be a CFC- or even an insurance market-owned initiative – it has to be independent in nature to work. But we can push it forward to get to something that might benefit not only the insurance market, but hopefully wider societies as well,” Burns said.

“We’re using that motivation to act as a catalyst to get something going here, even if this body ends up as an inspiration for something else or a precursor to a different similar end solution.”

Related Content





Ask The Analyst

Ask The Analyst - Ask Your Question Send your question to our team of expert analysts. You can: • Ask for background information on/explanation of articles in Insurance Day * • Find out more about our views on industry developments • Ask for an interpretation of market trends • Source supplementary data relating to articles • Request explanations to further your understanding of current issues (* This relates to any Insurance Day that is included as part of your subscription) We will do the research and get back to you personally with the information you need.

Your question has been successfully sent to the email address below and we will get back as soon as possible. my@email.address.

All fields are required.

Please make sure all fields are completed.

Please make sure you have filled out all fields

Please make sure you have filled out all fields

Please enter a valid e-mail address

Please enter a valid Phone Number

Ask your question to our analysts