An action plan is crucial for any company facing a crisis, and when it comes to cyber events, having a well-defined strategy can make all the difference. The newly released guide, “Components of a major cyber event: a (re)insurance approach,” from the Association of British Insurers (ABI) and Lloyd’s of London, serves as an action plan for (re)insurers, providing a comprehensive framework to understand and address major cyber events. The guide may prove essential for establishing industry-wide standards and improving crisis response in an era of increasingly complex and frequent cyber threats.
With a lack of historical data on major cyber events, the insurance industry has faced challenges in establishing clear definitions and policy wording for such incidents. The guide, developed by senior leaders in the cyber (re)insurance sector, aims to provide a structured framework for systematically analyzing and categorizing cyber incidents, enhancing risk assessment and aggregation.
Key Components of a Major Cyber Event
The guide identifies seven key components that (re)insurers should consider when defining a major cyber event: WHO (attribution of responsibility), WHAT (cause of loss), WHERE (geographic and digital footprint), WHEN (start and duration), HOW (spreading mechanism), WHY (motive), and IMPACT (monetary loss).
Industry Perspectives
Mervyn Skeet, Director of General Insurance Policy at the ABI, emphasized the challenges posed by the emerging and complex nature of cyber threats. “There is no one single definition of a major cyber event, and history does not yet provide enough evidence to build one. However, getting ahead of these threats and understanding the risk they pose is where our industry excels,” Skeet said. Skeet highlighted that the joint effort with Lloyd’s provides a consistent set of components for firms to consider, promoting greater certainty for insurers, governments, and customers.
Rachel Turk, Chief Underwriting Officer at Lloyd’s, underlined the significance of a shared understanding in addressing cyber risks. “With over a fifth of global cyber insurance being placed at Lloyd’s, a shared understanding of the approaches to defining a major cyber event is crucial for quantifying risks and developing risk mitigation strategies,” Turk noted. She added that the guide offers a robust framework for enhancing the resilience of the insurance industry in the face of growing cyber threats.
The guide is 36 pages long, and you can get a copy of it here. Below is our condensed take.
Overview of the Seven Components
WHO: Attribution of Responsibility
The WHO component deals with identifying who is responsible for a cyber event, whether it is a nation-state, a group, or an individual. It also considers whether the motives are malicious or non-malicious, highlighting the challenges of determining responsibility, especially when multiple actors are involved.
Importance: Proper attribution is critical for insurers to assess risk accurately and determine liability. Knowing who is responsible can also have legal implications and affect the ability to take corrective or defensive measures.
WHAT: Cause of Loss
The WHAT component looks at the cause of the loss, drawing from aggregation clauses common in property and casualty insurance, now adapted for the cyber context. This helps (re)insurers determine whether multiple losses can be treated as a single aggregated event.
Importance: Understanding the cause of loss is essential for determining coverage applicability and ensuring that insurers can effectively group related incidents, thereby improving claims processing and limiting ambiguity.
WHERE and WHEN: Geographic and Temporal Scope
The WHERE and WHEN components focus on the incident’s geographic reach and digital footprint, as well as its start time and duration. Given the spread of cyber incidents across multiple regions or industries, defining an event’s start time and duration can be challenging. The paper suggests using approaches like fixed loss tolerances, external reporting standards, and methodologies like the MITRE ATT&CK framework.
Importance: Knowing an incident’s geographic and temporal scope helps (re)insurers understand its potential impact and ensure proper resource allocation. It also plays a role in policy wording regarding territorial limits and loss aggregation over time.
HOW: Spreading Mechanism
The HOW component describes the mechanism by which the cyber event spreads—whether manually, through mass deployment, via wormable attacks, or through the supply chain. Understanding the spreading mechanism helps determine the event’s reach, the potential for containment, and the eligibility for aggregation of related losses.
Importance: The spreading mechanism influences how quickly and widely a cyber incident can escalate. Understanding it allows (re)insurers to better model risks, evaluate containment strategies, and assess the potential for cascading effects across different sectors.
WHY: Motive
The WHY component explains the motive behind an attack, whether financial, political, or otherwise.
Importance: Identifying the motive is crucial for assessing the nature of the threat and tailoring risk management strategies. Motive can also influence coverage decisions, especially when differentiating between criminal acts and politically motivated attacks.
IMPACT: Monetary Loss
The IMPACT component assesses the monetary loss caused by the event. While defining a major cyber event does not depend solely on monetary loss, understanding both insured and economic losses is vital for quantifying the overall impact. For instance, events with low insured loss but high economic loss, such as certain ransomware attacks, can skew the industry’s perception of severity.
Importance: Monetary impact is a key factor in determining the severity of a cyber event. It helps insurers decide on coverage limits, understand potential exposure, and improve pricing models based on the financial consequences of similar past incidents.
Conclusion: Building Industry Resilience
The ABI and Lloyd’s guide aims to provide a consistent approach for defining and analyzing major cyber events, ultimately improving coverage, risk modeling, and resilience. By fostering collaboration among insurers, customers, and regulatory bodies, the paper strives to establish a clearer understanding of the systemic risks posed by cyber incidents and to create a more resilient insurance industry.