ABI and Lloyd’s Unveil Comprehensive Framework to Define Major Cyber Events

The Association of British Insurers (ABI) and Lloyd’s of London have jointly released a new guide aimed at helping (re)insurers define major cyber events. Recognizing the challenges posed by the lack of historical precedents in cyber risk, the guide proposes a comprehensive framework to enhance understanding and management of cyber incidents in the insurance industry. Although this guide is meant for (re)insurance providers, understanding their recommendations should help brokers and cyber insurance purchasers.

A Holistic Approach to Cyber Risk Definition

The framework identifies seven key components essential for defining major cyber events:

  • Attribution (Who): Identifying the responsible parties behind the cyber event.
  • Cause of Loss (What): Understanding what exactly caused the loss.
  • Footprint (Where): Determining the geographical and digital locations affected.
  • Start and Duration (When): Pinpointing when the event started and how long it lasted.
  • Spreading Mechanism (How): Analyzing how the cyber event propagated.
  • Motive (Why): Uncovering the reasons behind the cyber attack.
  • Monetary Loss (Impact): Assessing the financial impact of the event.

By considering these factors, insurers can develop a more nuanced view of cyber risks, facilitating better communication among stakeholders and improving risk modeling.

Implications for Policy Language and Exclusions

While the recent definition does not directly change the War Exclusion clause in insurance policies, it underscores the importance of clarity in defining and attributing cyber events. This emphasis may lead insurers to refine policy language and exclusions, including those related to war or state-backed cyberattacks, to ensure they are robust and unambiguous.

Effect on Past Cyber Incidents

The framework could have provided a more structured approach in analyzing incidents like the NotPetya attack on Merck. By focusing on factors such as the responsible party, motive, and impact, the definition might have clarified whether such attacks fall under exclusions like the War Exclusion. In Merck’s case, the court ruled that the War Exclusion did not apply since the attack was not considered a traditional military action. A clearer definition of major cyber events could have influenced the interpretation of policy terms and exclusions, potentially affecting the outcome by providing a consistent basis for determining coverage.

Enhancing Risk Modeling and Management

The insurance industry can improve risk modeling methods for cyber events by incorporating the comprehensive framework outlined by the ABI and Lloyd’s. Enhancing data collection and analysis is crucial for understanding potential impacts and loss scenarios. Incorporating both insured and economic losses offers a more complete picture of risk. Using advanced technologies and analytics can help simulate and predict cyber event outcomes more accurately. Collaboration among insurers, cyber professionals, and stakeholders is essential for sharing insights and best practices. Continuously updating models to reflect emerging cyber threats and technological advancements is vital for maintaining effective risk assessments.

Improving Capital Allocation for Cyber Risks

To enhance risk management and capital allocation, insurers can adopt several strategies:

  • Developing Robust Frameworks: Defining and categorizing major cyber events helps set clear parameters for risk assessment.
  • Advancing Data Analytics: Improved modeling techniques allow for more accurate predictions of potential losses.
  • Fostering Collaboration: Working with businesses and regulatory bodies can lead to shared insights and enhanced risk management.
  • Encouraging Proactive Measures: Incentivizing insured entities to adopt established, proven security practices can reduce potential losses.
  • Establishing Clear Guidelines: Allocating capital effectively ensures resources target areas with the highest impact potential.

These steps strengthen the industry’s resilience against cyber threats by ensuring resources are directed where they are most needed.

Determining Aggregation of Losses

Effective determination of loss aggregation in cyber events involves establishing clear criteria for what makes up a single event. By understanding the cause of loss, spreading mechanism, and footprint, insurers can decide whether individual losses are related. Setting predefined thresholds for the number of impacted insureds or total monetary loss can aid in classifying an event as “major”. Advanced data analytics and modeling tools help identify patterns between losses, ensuring aggregation is based on comprehensive information. Consistent communication among insurers and stakeholders supports effective aggregation by aligning interpretations and methodologies.

The Role of Causation-Based Language with Aggregation

Causation-based language is crucial in defining cyber event aggregation as it allows a broader range of losses to be grouped under a common originating cause. This approach identifies unifying factors, such as shared vulnerabilities or delivery mechanisms, linking multiple losses. Focusing on the underlying cause enables insurers to aggregate losses even when intervening factors are present. This broader interpretation facilitates comprehensive assessment of a cyber event’s scope and impact, aiding in determining coverage and financial responsibility.

Understanding Insured vs. Economic Losses

The paper also describes how insured losses in cyber events refer to the financial impact covered by insurance policies, focusing on direct costs to insured entities. Economic losses encompass the broader financial impact on the economy, including both insured and non-insured entities. The recent definition suggests that while insurers focus on insured losses, considering economic losses is crucial. In events with low insurance uptake, insured losses might be disproportionately small compared to economic losses, potentially skewing perceptions. Therefore, considering both types of losses is essential for fully understanding a cyber event’s impact and setting appropriate thresholds for defining major events.

Supporting Businesses in Mitigating Cyber Risks

The insurance industry can better support businesses by offering tailored insurance products addressing specific vulnerabilities. Providing structured risk assessment services and guidance on best practices helps businesses manage their cyber exposure. Access to cybersecurity resources, such as training and technology solutions, enhances a company’s defenses. Encouraging proactive risk management through incentives, like premium discounts for robust security measures, further supports businesses. Collaboration with cybersecurity experts and regulatory bodies ensures comprehensive support for businesses navigating the complex cyber risk landscape.

Preparing for Updated Insurance Changes

Chief Information Security Officers (CISOs) and other cyber insurance purchasers can better prepare for changes to their insurance policies by aligning their risk management strategies with the framework provided by the ABI and Lloyd’s. However, the ABI and Lloyd’s of London do not recommend any specific risk management frameworks for insured companies, such as the NIST RMF. Engaging in ongoing conversations with insurers to clarify policy terms and exclusions is crucial, particularly considering emerging threats. This proactive approach ensures that insurance policies are robust and provide adequate protection against evolving cyber risks.

Conclusion

The release of this comprehensive guide by the ABI and Lloyd’s represents a significant step toward standardizing how the insurance industry defines and manages major cyber events. By adopting this framework, insurers can improve risk modeling, enhance capital allocation, and better support businesses in mitigating cyber risks. Continuous collaboration and adaptation are essential as the cyber threat landscape evolves, ensuring resilience and clarity in the face of emerging challenges.

#cybersecurity #risk #insurance

Whitepaper: https://www.abi.org.uk/globalassets/files/publications/public/cyber/componentsmajorcybereventreinsurance191124.pdf [pdf]

If you forgot about Merck: https://www.wsj.com/articles/mercks-insurers-on-the-hook-in-1-4-billion-notpetya-attack-court-says-528aeb01?reflink=mobilewebshare_permalink

More articles by Kayne McGladrey
