UK Cyber Monitoring Centre officially launches

Reuters, Feb 21, 2025 2:34 PM

By Michael Loney

(The Insurer) - The Cyber Monitoring Centre has officially begun categorising cyber events which affect UK organisations after its incubation year, marking the latest move towards a formal framework for a putative state-backed cyber reinsurance pool.

The CMC – which launched on January 1, 2024 as a not-for-profit organisation with backing from CFC – was created to deliver a consistent, objective framework to assess the severity of major cyber events in the UK by categorising incidents as they occur on a simple classification scale from one (least severe) to five (most severe).

The framework is applied to cyber events with a financial impact greater than 100 million pounds and impacting more than 0.01% of UK businesses.

The measurement of financial impact is focused on short-tail costs in the immediate 30-day period after the event. These include business interruption, incident response costs and ransom payments, but exclude any liability payments or fines that may arise later on.

The body's technical committee – which is chaired by former National Cyber Security Centre CEO Ciaran Martin – utilises a range of data and analysis to assess and categorise incidents against the framework.

During the event assessment process, the technical committee will conduct an initial review of preliminary research, before collecting data from various providers (including cyber modelling MGA Parametrix, the British Chamber of Commerce and the Office of National Statistics) and calibrating with incident response firms and insurance claims teams.

Once the technical committee has categorised an event, the CMC will publish the event category alongside an event report, which will provide an explanation of the analysis.

Speaking at the CMC's official launch in Whitehall in February, CMC CEO Will Mayes outlined the challenges in the insurance industry's current approaches to managing systemic cyber risk, including its attitude to war exclusions. Mayes described the attribution process as challenging, lengthy and contentious.

"Within insurance, wordings get more and more complex as insurers are trying to define tightly exactly what a war event or a critical infrastructure event looks like. That complexity leads to uncertainty, both for the policyholder and for the insurer," he said.

Mayes added that if a cyber event does occur, this uncertainty may lead to a policy responding in a way that is unexpected for the policyholder, or that does not quite match the terms laid out by the insurer, potentially leading to litigation.

"The solution to that is to have an independent body to categorise cyber events based on their scale and impact – an organisation like the CMC – and then have clear, easy-to-understand policy language linked to those categorisations that provides clarity to both the policyholder and to the insurer," said Mayes.

This publication has previously reported that the CMC has been slated as a probable source for a systemic event declaration and classification system which could trigger cover from a public-private cyber (re)insurance scheme.

In June, the BCC – which represents over 50,000 businesses employing six million people across the UK – joined other industry bodies in urging the UK government to work with the insurance sector to create a state-backed reinsurance pool to protect firms from catastrophic cyber risk.

"At CMC, we don't have our own view on the cyber government backstop. If you did want to set up a government backstop, you'd have to agree a trigger for when that backstop would apply," said Mayes.

"In order to have that trigger, you need an independent body to do it. So if at some point in the future the government does decide that there is a need for a government backstop for cyber, then you would need an organisation like the CMC that's independent to determine when an event would trigger that backstop."

IUA CALLS FOR GREATER FOCUS ON CYBER BI

The International Underwriting Association (IUA) argued in February that cyber business interruption (BI) risks must receive the same level of attention as information technology security controls and ransomware threats.

Research conducted by the market body in association with Baker Tilly showed the cyber insurance market has seen a significant increase in the number of BI claims since 2018 in terms of both value and volume.

There are currently two forms of policy wordings used in cyber BI policies to determine indemnity: the loss of net profit plus continuing fixed costs (net profit); and the loss of gross profit.

"Generally, the loss of gross profit approach is more widely understood by non-BI specialists, e.g. policyholders, given that it starts at the top of the profit and loss account and, in effect, works downward. However, there can be issues, given the difference between insurance and accounting gross profit," said the report.

"In cyber, the sum insured is typically an aggregate limit applicable to all insuring clauses. Consequently, a standalone sum insured for BI under a cyber policy isn't required, nor is there a need to identify which costs are expected to be saved and therefore defined as an uninsured working expense."

The report continued that the net profit wording – which is the more commonplace approach used in the cyber market – also faces a common problem in that the specific reference to "continuing normal expenses incurred including payroll" is often misinterpreted as indemnifying policyholders for the loss of (insurance) gross profit and the ordinary costs the business continues to incur following an incident, such as payroll.

However, as the IUA noted, the insured business would have paid these costs but for the incident; there is therefore no change in the level of costs incurred.

The IUA has recommended a simpler, alternative BI wording that is focused on the standard turnover and how that has changed due to the insured event.

CHALLENGES IN UK CYBER MARKET HINDERING SME TAKE-UP

In other UK-related cyber news, the Association of British Insurers warned near the end of January that SMEs are increasingly at risk of cyberattacks but remain both largely unaware of the threat they face and unprotected by insurance.

Research published by the influential trade body in partnership with law firm Grant Thornton identified a severe cyber protection gap in the SME segment, which in turn makes these businesses an easier and a more attractive target for cyber criminals.

Launched at the ABI’s inaugural Cyber Conference held in London, the study found that the SME segment offers a major growth opportunity for cyber insurers globally, but that misconceptions around the cost, value and complexity of insurance products have kept take-up of cover low.
