CFC’s Burns: Clarity on systemic events will enable cyber reinsurance market to grow

The planned UK Cyber Monitoring Centre can help deliver the clarity around systemic event definitions required for the cyber reinsurance market to grow at pace, according to CFC’s James Burns.

During an interview on The Insurer TV’s News in Focus programme, CFC’s head of cyber strategy warned that while the cyber insurance market was now in a healthier place than pre-Covid, the reinsurance market was still facing challenges around event definitions for larger, potentially systemic exposures.

But Burns said the planned Cyber Monitoring Centre, which he said was still on course to launch on 1 January next year, will make it easier for reinsurers to more effectively price, and where necessary exclude, cyber exposures.

“The key challenge that the market’s had is that it’s been really difficult for insurers to delineate between small-scale attritional events that they want to insure, and the large, catastrophic widespread events that they need to treat differently,” added Burns.

“Part of the problem has been in defining those events. One way that insurers have tried to deal with this is trying to identify the types of scenarios that might lead to a really oversized loss, such as war, which is why you tend to see war and cyber war exclusions in the cyber policy.”

Other scenarios that some insurers have crafted exclusions for include critical infrastructure failure and mass vulnerability exploitation.

But a long list of systemic risk exclusions in cyber policies runs the risk of making the product too complicated for some customers, particularly SMEs, which may impact penetration levels of the overall product.

“What the Cyber Monitoring Centre could do is provide a replacement for that long list of overly technical, detailed exclusions with a single catastrophe exclusion, pointing to a declaration made by the body,” Burns explained.

For example, an exclusion could simply read that the policy excludes any category five event as declared by the centre.

“The beauty of that is that because it is such an objective trigger for an exclusion and it’s so easy to parameterise, that makes it much easier for reinsurers to price that risk. They can model the chances and the likelihood of the impact of that happening,” Burns concluded.

Monitoring Centre on track for 1.1.24 launch

Announced at the CFC Cyber Forum last month, the Cyber Monitoring Centre will look to declare and classify UK cyber events in a consistent and objective manner to enable greater harmonisation in the studying, reporting and understanding of systemic events, such as global malware outbreaks and mass zero-day vulnerabilities.

“From an insurance perspective, there's benefits to that, because a single classification system can help the cyber insurance market solve one of its big challenges – systemic cyber risk,” Burns explained.

He added that the technical committee – which will be responsible for analysing the two key metrics of an event in order to assign a severity rating – will not be made up of professionals from insurance backgrounds, but instead comprise experts from academia, law, public policy and security.

The centre will develop metrics showing how widespread an event is in terms of the percentage of UK organisations that are impacted, as well as its financial/economic impact. These two metrics will be combined to establish a severity rating between one and five, which will be used by the centre to classify the event.

“Even though CFC, as part of the industry, is looking to catalyse the development of something like this, it's important that it's recognised that this body operates independently and that it's not there to serve the industry,” Burns said.

“If we're thinking about broader societal benefit, it wouldn't be that helpful to non-insurance stakeholders if the body was just there to help (re)insurers determine what their aggregate losses are in relation to any given specific event.”

In addition, this will help to establish greater long-term credibility and trust in the body, as down the line it may be possible for underwriters to use event declarations and classifications made by the centre in policy language.

Burns confirmed to The Insurer TV that the centre remains on track to launch into its incubation period on 1 January 2024.

Insurance market stabilises

Burns said the cyber insurance market has stabilised in the past year with more capacity entering following a period of sustained compound rate increases in 2020-2021 in response to heightened ransomware activity.

“We’ve seen a drop-off from rate increases, and that feels like a natural response to the market carrying out a lot of corrections – in terms of pricing, a shift in appetite and requiring clients to have more optimum controls, and that’s led to much healthier loss ratios,” Burns said.

“In insurance, we tend to get obsessed with the concept of rate change; actually, it’s rate adequacy we need to be focusing on. I think that’s what all the major insurers have been through in 2020-2021, we’ve learned a lot about what rate adequacy looks like for cyber risk.”

Burns added that while there is still progress to be made in upgrading the sophistication of models, the cyber insurance market overall is in a better position than it was pre-2020, which is indicative of a sustainable, longer-term future.

However, the same cannot yet be said for cyber reinsurance, where Burns said it was important to achieve clarity around definitions of cat risk.

“In my mind, I think we could solve that fundamental problem around event definitions so that we can make sure that cyber cat is able to be priced as forensically as possible, which triggers a flourishing cyber catastrophe reinsurance market, and then that way we'll truly unleash potential.”

Watch the full interview with CFC’s head of cyber strategy James Burns to hear more about:

  • Slowdown in price increases attracting cyber insurance capacity
  • Accessing ILS capacity for cyber
  • Issues in the cyber reinsurance market around defining systemic events
  • How the UK Cyber Monitoring Centre will operate
  • How the insurance industry can use the centre for policy language down the line