CFC aiming to set up independent cyber cat body by end-2023

CFC Underwriting has confirmed it is aiming to set up an independent body to categorize cyber catastrophe events in the UK and make it “operational” by the end of 2023.

In conversation with CyberInsurer.com, James Burns, CFC’s head of cyber, said an independent committee of experts made up of law enforcement and IT professionals, academics and others would define whether a cyber event was an attritional or a catastrophic event. Neither CFC nor any other cyber underwriter would sit on the body, in order to ensure its independence. 

A category-based system based on financial impact thresholds and impacted population thresholds will make it easier for the industry to model systemic cyber events, and to include or exclude such events from policies, Burns said.

The objective, he explained, is to stimulate the establishment of a “thriving event-based cyber cat insurance market”.

“Insurers could use a single cat exclusion linked to the declaration by the independent body which potentially could replace the long list of much narrower and overlapping exclusions that we’ve got,” he told CyberInsurer.com. “Insurers would be free to determine where they want to set that threshold based on their own appetite.”

Cyber cat events could include major cloud outages, mass extortion events, major data breaches, or a global malware outage, for example.

Events would be categorized according to severity in a model that is reminiscent of the Saffir-Simpson Hurricane Wind Scale, which is used to measure hurricane severity. 

“There's a really good parallel with the property insurance market and how they handle their version of systemic risk,” Burns said. “Floridian property insurers have to be able to bifurcate between traditional claims and systemic weather events such as hurricanes and the only reason that's possible is because everyone agrees on exactly what a systemic weather event is.”

The body would initially only concern itself with cyber losses in the UK, but the idea is to eventually broaden it internationally. 

It would be set up using a Companies Limited by Guarantee (CLG) structure, which is for private companies that do not have shares or shareholders but instead have members called guarantors. CFC has already obtained legal and regulatory advice on the body’s creation.

Many cyber insurers and reinsurers have called for the creation of an independent body of this kind as a means of unlocking reinsurance and third-party capital to support a line of business in high demand.

At the most recent Monte Carlo reinsurance conference in September, Swiss Re’s chief underwriting officer Thierry Leger said the lack of models and objective triggers in cyber was preventing capital markets investors from participating in cyber.

And many major reinsurers, including the four major European reinsurers, are taking a “wait and see” approach to cyber reinsurance because of their concerns about systemic risks, thereby putting pressure on primary carriers.
