New Podcast with James Burns


Classifying cyber risks

14.12.23 AdvantageGo

A commonly understood classification system can provide a mechanism for insurers to deal with systemic cyber risk. That is the focus of James Burns, head of cyber strategy at CFC, the latest guest to feature on Mark Geoghegan’s podcast, The Voice of Insurance.

The cyber world and its insurers need to be able to classify the severity of systemic loss events in order to continue to grow and to fulfil the needs of customers and of society as a whole.

The industry already does this for more traditional risks, especially natural perils such as earthquakes, floods or windstorms. Everyone who underwrites Florida property catastrophe, for example, knows the difference between storm categories, all the way from damp squibs in reinsurance terms to the most intense and market-turning hurricanes.

The same cannot be said, at present, for cyber risks – even the phrase is so broad as to be relatively meaningless – given that the threats range from malware that slows down laptops and frustrates SMEs or individuals on a daily basis, to specific ransomware attacks that can cost an individual firm dearly, to the kind of macro-level systemic risk attack that gets talked about as “cyber cat” or “cyber warfare” that could cripple an entire economy.

James Burns, head of cyber strategy at CFC, a London market cyber specialist MGA, is on the ground floor, as Mark put it, of ambitious but highly necessary efforts to create a new institution for the insurance industry. The Cyber Monitoring Centre’s founders want it to function as a pan-industry body with a mission to work in the best interests of the market and society at large.

“Major cyber events threaten society and the economy more now than at any point in history. Yet we still don’t have a commonly agreed upon and understood system for classifying them objectively and consistently,” Burns told host Mark Geoghegan.

The Cyber Monitoring Centre aims to be reflective of the new world and the new threats that cyber brings, he explained.

“The core mission of this body is to bring transparency, and clarity to a world which I think is otherwise quite chaotic and confusing, opaque and obfuscated – the world of major cyber events,” Burns said.

Without classification efforts, analysing data to determine trends will be much more difficult for insurance companies and other cyber security stakeholders, he emphasised.

“All the time, I’m seeing confusion and conflation between events – real events that have actually occurred – and the discovery of new vulnerabilities. Those are two completely different things, with different implications, but they get confused and conflated and reported as if they’re exactly the same,” he added.

The lexicon of technology and cyber can be confusing for anyone who doesn’t make it their area of focus, he suggested. WannaCry and NotPetya, for example, are seen as “two rock stars” of the cyber insurance loss world, Mark quipped, but few people could tell you their characteristics or the key differences between them.

“They were actually very different events in terms of what they cost, who they impacted, and where they had impact,” Burns said. “It’s quite worrying, because this is one of the biggest threats facing us today, particularly facing businesses and organisations, and it’s so poorly defined and so poorly understood.”

For now, the Cyber Monitoring Centre is a UK-focused endeavour, and Burns describes its role as identifying two core metrics for any specific cyber event in the UK, then combining them to produce a severity rating.

“Those metrics will be, one, how widespread an event is, so what proportion of UK organisations are being impacted by an event. Secondly, what the economic impact and/or financial impact of that event is, so how much is this event costing those affected organisations,” he said.

At the lowest end of the scale, comparable to a category one storm, Burns suggested, a not-very-severe event might impact less than 0.1% of UK organisations and cause less than £20m in economic cost.

“At the other end of the scale, a much bigger event might impact more than 5% of organisations in the UK, costing more than £5bn in economic damages. That might be a Category Five cyber event,” he added.
