A comprehensive new framework for assessing cyber events, published by Lloyd’s and ABI, is the result of a collaboration among reinsurers to create a consistent definition of what constitutes a major cyber event. The resulting framework gives readers a map of critical aspects for consideration. “This holistic perspective is vital for grasping the full scope of a major cyber event,” they write.
Entitled Components of a major cyber event: a (re)insurance approach, the paper, developed by members and affiliates of the ABI Lloyd’s cyber working group, is intended to represent a snapshot in time within a broader, ongoing conversation about cyber risk management, they state.
Enhancing awareness
“This paper can be used for enhancing awareness, education and the development of risk appetite and (re)insurance solutions in managing cyber risk. While cyber risk practitioners may recognize the components of a major cyber event, this is the first time these elements have been brought together in a holistic, (re)insurance led way,” the report states.
It goes on to say that determining who is responsible for an event, or why a major cyber event has occurred, can be challenging. “However, these questions are essential during loss assessments,” they say. They also warn that not all typical components of a major cyber event apply to every modelled scenario. Similarly, they warn that the more detailed the scenarios, descriptions or modelled variables are, the less likely it is that the exact event is going to occur, “potentially creating a false sense of confidence,” they write.
Risk mitigation strategies
Rachel Turk, chief underwriting officer at Lloyd’s, says cyber is the fastest growing class of business for the syndicate. “The proliferation of cyber threats has necessitated the development of risk management strategies, particularly in defining what constitutes a major cyber event,” she writes, adding that the effort is crucial for quantifying risks and for developing risk mitigation strategies.
ABI’s director of general insurance policy, Mervyn Skeet, meanwhile, says businesses generally are currently grappling with a lack of awareness and readiness around cyber, along with the absence of standardized good practices and resourcing. “The challenges they face are significant, however this is where our industry, being at the forefront of understanding cyber risk, has a pivotal role to play,” he writes. “The scale of the threat is such that some events could dwarf the industry’s ability to respond. The defense against cyber-crime cannot solely be insurance, we have to collaborate.”
The report identifies key stakeholders and the types of activities (risk modelling, understanding) that the paper can support, and then goes on to break down major cyber events into seven distinct elements for analysis. “(Re)insurers and partners can use this set of components to methodically analyze real or simulated insurance losses, which in turn may assist them in defining their risk appetite.”
Response and recovery measures
The working group’s introduction to cyber risk says “cyber events often lack a clear beginning, end or rational progression, spreading unpredictably from one system to another. The outcomes of these events can vary greatly, depending on the quality of the defense, response and recovery measures in place, as well as human actions within these man-made systems. Despite the increasing risk, as global dependence on technology grows, there is no comprehensive global definition of a major cyber event,” the report states, adding that the absence of historical events can also create uncertainty.
“Consequently, components of cyber risk may be approached in isolation, without the benefit of a combined and collective context throughout the risk management chain, or an understanding of their relationship with adjoining issues. This complicates efforts to model, monitor and transfer risk,” they say. “This holistic (re)insurance view marks the first time the full range of components has been detailed.”