Lloyd's developing cyber insurance standardsReprints
Core data requirements devised by Lloyd's of London provide a critical first step in better underwriting and developing cyber risk models that will ultimately help the buyer.
Lloyd's said in late January that the common data requirements, which will let it track exposures and help underwriters better develop policies to cover cyber risks, were developed in collaboration with Boston-based AIR Worldwide; Newark, California-based Risk Management Solutions Inc.; and the U.K.'s Cambridge Center for Risk Studies.
Experts say the effort will encourage development of common insurance policy language, which will enable insurers and reinsurers to more accurately measure risk aggregation.
“Models for natural catastrophe risks are well-developed in the (insurance and reinsurance) industry, and the data requirements are relatively standardized,” Tom Bolt, director of performance management at Lloyd's, said in a statement. “But in comparison, models for cyber risks are still developing and need the industry to work collectively, so that risk can accurately be calculated.”
The effort will help buyers, said John Graham, Boston-based security and privacy product manager at Zurich North America.
“We as a company tap into our own data, but also look externally to what's publicly available,” Mr. Graham said. “The more those sources of data are aligned and the more useful that information is, ultimately that trickles down to our customers so we can better advise” them on managing risk.
Right now, “the insureds are overwhelmed by the different standards and the different suggestions about what best practices are,” said Kevin Kalinich, Chicago-based global practice leader of cyber risk solutions at Aon Risk Solutions.
The Lloyd's plan provides a “much better roadmap for the risk manager to identify what the key issues are,” Mr. Kalinich said.
“I'm hoping it will translate into more stability in the cyber market” by giving underwriters “additional accuracy and comfort to the point where maybe they will relax a little bit with some of my clients,” said Phil Norton, Chicago-based president of Arthur J. Gallagher & Co.'s professional liability division.
While there is a need for standardization, “how it gets met is the bigger question,” said Robert Parisi, New York-based national cyber product leader at Marsh L.L.C.
For other lines, including property/casualty, “pretty much most of the marketplace talks with a common vernacular” to describe risk, “with data points used to capture risk so actuarial tables can be built,” Mr. Parisi said. Right now, cyber policies are “trying to get to the same thing, but they're speaking with different accents as it were.”
The Lloyd's announcement “is an excellent first step, but not the end of the journey,” Mr. Parisi said.
Having a common language for cyber risk will allow brokers and underwriters to leverage much more information to ensure better coverage of cyber risks, said Ryan Jones, director of cyber risk intelligence at London-based brokerage BMS Group Ltd.
A lack of consistent terminology has meant that sometimes it is difficult to talk to buyers about cyber risks, said Sarah Stephens, head of cyber and technology and media E&O at JLT Specialty, a unit of Jardine Lloyd Thompson Group P.L.C. in London.
Elements of the common core data, such as which cloud computing provider a company uses, will give a better sense of whether underwriter fears about a so-called “cyber hurricane” resulting from risk aggregation are founded, Ms. Stephens said.
“There's a huge need” for standardized data to measure aggregation of cyber risk, which can be reflected in policies including directors and officers, property and general liability, said Ben Beeson, Washington-based cyber risk practice leader at Lockton Cos. L.L.C. Until now, the cyber insurance industry has been focusing on personally identifiable information and personal health information, he said.
“The concern is, do you, the underwriter of the syndicate, understand actually what that (risk aggregation) is, and there is a feeling right now — and I think it's accurate — that's not the case,” Mr. Beeson said.
One has to look only at asbestos to see that cyber risks' accumulation is an “existential threat” to the industry, he said.
“Aggregation is a key concern for most insurers and reinsurers,” said Geoff White, cyber underwriting manager at Barbican Insurance Group in London and chair of the Lloyd's Market Association cyber panel that worked on the cyber project.
The common core data requirements will let Lloyd's insurers offer more capacity, he said, noting that Barbican has increased the limits it can offer buyers to 25 million dollars, euros or pounds sterling, up from 10 million.
Aon's Mr. Kalinich said he likes the approach because it will not be static.
“It's a flexible framework that can grow with the changing exposures,” he said.