Behind the scenes of a world-first launch – the Cyber Monitoring Centre

Aim is to create trust in the cyber insurance market

By Mia Wallace

Today saw the launch of a world-first initiative – the Cyber Monitoring Centre, an objective framework enabling the official categorisation of cyber events impacting UK organisations. Assessing the severity of major cyber incidents as they occur, the CMC will categorise these incidents from one (the least severe) to five (the most severe).

Chaired by Ciaran Martin, former CEO of the National Cyber Security Centre, the CMC’s Technical Committee will look to utilise both data and analysis for assessment and categorisation purposes – and so move the dial on how organisations tackle, learn from and recover from cyber incidents. The CMC will categorise cyber events that have a potential financial impact greater than £100 million, affect multiple organisations and where there is data or information available to enable assessment.

What does the CMC mean for the insurance industry?

So, what does this mean for the insurance industry and, even more importantly, the buyers of insurance? Edward Lewis (pictured), CEO of the global cybersecurity consultancy CyXcel, and one of the leading forces behind the CMC during its incubation year, highlighted how it evolved from market reactions to the Lloyd’s bulletin on cyber war, which faced backlash for its ambiguous definitions, attribution challenges and broad exclusions, including of cyber-related incidents not clearly linked to war.

“It was really important that these conversations came back to all buyers of insurance,” he said. “Because it might be alright for a global enterprise with very deep pockets to get caught up in a row about attribution and accept a delay in the paying out of a cyber policy. But the same cannot be said for SMBs which need to receive support, particularly financial support, in a measure of days not the weeks, months or even years that insurers, lawyers and brokers are arguing over whether the attack they suffered can be attributed as an act of war. There has to be a better way – and there is.”

Lewis, who in his capacity with the law firm Weightmans led the initial feasibility assessment that led to the development of the CMC, highlighted that this assessment resulted in three major recommendations, underpinned by the ambition for this to be a not-for-profit solution for the benefit of the wider public. The first was that it had to be non-mandatory but available to any and all market participants who wanted to use it on a non-discriminatory basis. The second was that the framework had to be for the benefit of insurance buyers, rather than the insurance market.

“We have set this up to give insurance buyers clarity and a system removed of any ambiguity,” he said. “We want to create trust and confidence in the insurance market, two ingredients that got shaken dramatically during the business interruption coverage disputes in the COVID years. We do not ever want the same scenario impacting the cyber sector.”

Why it’s critical the CMC is independent

The third key recommendation was regarding the need for genuine independence, Lewis said, which is why so much careful legal architecture sits behind the structure of the CMC and the selection of its Technical Committee.

“During even our earliest conversations, we could see the potential for a bespoke set of clauses which would then provide much needed clarity and, importantly, precision without much scope for ambiguity of argument by lawyers,” he said. “So, if an insurer puts a clause in the policy that says ‘we will insure you in respect of losses resulting from a cyber event, including losses that are part of a systemic event up to Category Two on the CMC scale’ then there’s no ambiguity.

“What that also does is it enables the policyholder to say to their broker, ‘we might need to look at some excess layer cover above the primary because the primary taps out at point two on the scale and for anything above that, we need additional provision’.”

It might be that going forward there is the potential for a backstop solution, whether it’s publicly or privately funded. There are examples of such solutions, whose success is seen in Flood Re and Pool Re, he said. And while there is no backstop for cyber at the moment, were the government minded to introduce a backstop or were there to be a privately funded version, the CMC’s categorisation methodology would simplify the process by which cession might occur.

In that scenario, he said, the broker would be empowered to give informed advice to the policyholder about the coverage they need to buy, and their options for additional coverage if it’s not deemed sufficient. The precedent for such a solution has already been set by other public-private partnerships, and it will be interesting to see where the sector goes next, newly equipped with a common, non-fussy language that brings together government, industry, regulators and the public in a new understanding of how systemic cyber risk impacts the UK.

These are some of the areas where the framework provided by the CMC really has the potential to shine, he said. A scale such as this facilitates the creation of a catastrophic loss market for cyber. Clarity is much needed about where and at what level a catastrophic loss occurs, and with the methodology developed by the CMC there is now real potential for that to happen.

What does a great first year look like for the CMC?

As to what success looks like for the CMC in its first year, Lewis highlighted that this takes many forms. “We want to see the adoption and practical application of the declarations made by the CMC within insurance, but also within an industry on a national basis.” Participation from the insurance market is also crucial, and he reiterated that, while non-mandatory, insurers of every shape and size are welcome to participate as members of the CMC.

“In many ways, of course, the proof is in the pudding,” he said. “Once we make declarations formally and they’re publicised, it’ll be about seeing the reaction of the media, the industry and the public. There are so many use cases and applications for these declarations being made and we’re keen to hear the feedback from organisations about what it’s enabling them to go on and do.

“The real test, for me, is whether this ultimately serves its purpose, which is to create trust and confidence among buyers of insurance, but also UK society more widely. Not confidence that we don’t have to worry about cyber, but rather that we understand it and we’re able to go about our business in a more resilient, secure and compliant manner, no matter our particular sector or industry group.”

 
