New cyber categorisation could be a game-changer

As far as teething pains go, cyber has had its fair share: the market’s huge potential for growth has only been matched by the concern about systemic risk.

With so much of the world’s economy connected by technology, the danger a single event could have wide-reaching and catastrophic consequences is real. The answer so far has been to develop policy exclusions, a drawn-out but necessary process that has given underwriters confidence to continue writing business. But there might now be a better way.

Last week the Cyber Monitoring Centre (CMC) officially launched its cyber event index, which will categorise the severity of cyber events on a one-to-five scale, similar to how the National Hurricane Center categorises hurricanes in the US.

If adopted, this could limit the need for exclusionary wording by allowing insurers to use the CMC’s categories as triggers. This would take away any ambiguity as to when an event is deemed systemic giving both insurers and insureds more confidence in their policies.

Until now, exclusionary wordings have been the market’s best solution for systemic risk and have helped insurers grow their cyber books in a sustainable way. But there are problems, according to Will Mayes, chief executive of the CMC.

War clauses rely heavily on being able to attribute a cyber attack to a state actor, bringing uncertainty for insurers and policyholders. It took the US eight months to public attribute the NotPetya attack to the Russian state, for example. Mayes also points out declaring an event an act of war is often matter of politics and two similar events perpetrated by the same actor could easily be categorised as an act of war one day but not the next.

Slipping through the gaps

There is also the risk systemic events can still slip through the gaps. “We know there are events that aren’t war and aren’t critical infrastructure,” Mayes says.

CrowdStrike was just the latest example of an event that was neither an act of war nor an infrastructure outage. As it has before, the market got lucky in that the event was manageable. “There could be a similar event that is multiples of the size and it’s not war, it’s not critical infrastructure but it would be a category five on our scale,” he says. CrowdStrike was retrospectively classed by the CMC as a category three event.

The Covid business interruption cases are a good example of how complicated exclusionary language might not always provide the protection insurers expect. In one widely reported Supreme Court case, a judge lambasted the technical wordings of policy language, saying insurers needed to assume policy documents would be read by ordinary policyholders and “not a pedantic lawyer who will subject the entire policy wording to a minute textual analysis”.

Mayes continues: “I worry cyber is moving in the same direction where language is getting more complicated. It’s almost like whack-a-mole in that you’re trying to work out all the things that could happen and stop them with exclusions. This [index] is a simpler way of doing it. And it’s not just limiting, it’s tailoring coverage; it’s making it more specific; it’s buying reinsurance, enabling that full flow of capital and stopping things from slipping through that net.”

“Yes, we’re trying to build something that really solves the insurance use case – that’s where our funding comes from. But you can only solve that by being independent of insurance, because if you’re not independent, no one’s going to buy a policy that uses the categorisation”
_{Will Mayes
Cyber Monitoring Centre}

The index has broad support from the insurance sector, Mayes says, and he hopes it will be a useful tool. But despite these aspirations the CMC is taking a hands-off approach to how insurers eventually use it. “As far as I know [the National Hurricane Center] doesn’t have any meetings with the insurance industry,” he says. He expects that will be the model for the CMC.

That does not mean he is not hopeful the insurance sector will run with it. “The insurance industry has a good track record for using tools like this for natural catastrophes, so I imagine they’ll pick it up,” he says. “People often want to be first to things and it would be great to say ‘we were the first to place a policy using the Cyber Monitoring Centre index’. Hopefully someone jumps up and takes that plunge and then once it starts getting used it expands.”

He continues: “The insurers are telling us it’s needed, but it’s not clear how it’s going to be used by everyone… people wouldn’t put money into it if they didn’t think it was worthwhile.”

The importance of independence

The centre, while being independent, is financed by the insurance industry. The business is structured as a company limited by guarantee – a structure Mayes highlights is often used by members club to keep the management of the organisation separate from the ownership. “Yes, we’re trying to build something that really solves the insurance use case – that’s where our funding comes from. But you can only solve that by being independent of insurance, because if you’re not independent, no one’s going to buy a policy that uses the categorisation,” he says.

The CMC is planning more outreach to businesses. The centre has already developed links with the business community through its modelling system – including a partnership with the British Chamber of Commerce to conduct snap polls of businesses following a cyber event. This has all helped build the index, but businesses also need to know what the index means for them.

“We’ve had good conversations with the primary brokers and we plan to do more with policyholders – we want people to understand it,” Mayes says. “It needs to work for both parties: for policyholders and insurers. Comparing it to what exists today, I think it would be a far better solution.”

It will take time for the index to become adopted, Mayes acknowledges. So far, the CMC has only run its process on a handful of events behind closed doors, and it is yet to be fully tested on a live cyber event. “It will take a bit of time for people to get confident, but you’ve got to start somewhere,” he says. “Of the people we speak to, I’d say 80% of the insurance industry get it and are really interested in what we’re doing and supportive.”

Interest is coming from primary insurers and also elsewhere in the insurance value chain, including the cyber excess-of-loss market and cyber insurance-linked securities, where the index has the potential to act as a trigger for policies.

As the cyber market grows, so does the potential for systemic risk. Guy Carpenter recently estimated the size of the cyber market to be $16.6bn last year, with a global aggregated loss potential of between $20bn and $46bn at a one-in-200-year return period depending on which model is used.

A truly trusted and independent index could be exactly what the market needs to keep that in check.