CFC’s chief underwriting officer says cyber insurance has ‘had to grow up’, but balancing regulation and value propositions is tricky

Cyber will be the biggest risk code for Lloyd’s of London in 2023, according to Andy Holmes, chief underwriting officer at MGA CFC Underwriting.

A risk code is a classification system that Lloyd’s uses to standardise risks and rank their severity. 

Speaking at the CFC Cyber Forum in London on 30 November 2022, Holmes explained that the fact cyber will be Lloyd’s of London’s largest risk code next year is very telling considering the cyber market is relatively immature compared to other lines of business and has only been around for about 20 years.

Therefore, the recent work of the collective cyber insurance market to put this risk so centrally on Lloyd’s agenda is something to be proud of, he said.

“Cyber has had to grow up – in many ways it has been the best and the worst of times [for cyber risks],” Holmes continued.

“That’s forced [the insurance market] to reappraise its pricing, its risk selection and the value proposition to customers, investors and regulators.”

Holmes believes that cyber insurance is now starting to “lead the way” – for example, by asking customers fewer questions in the onboarding process and finding out more about personal risk profiles.

Preventative stance

The cyber insurance market has also played a hand in breaking down the concept of insurance being an annual exercise - there is talk around Lloyd’s of London’s Blueprint Two, for example, about paying customers’ claims before they even happen.

Holmes explained that cyber insurance has begun to take a more preventative approach.

He added: “That’s a good value proposition [that] other classes of insurance can learn [from].”

Value proposition

Despite the strides that the cyber insurance market is making, Holmes added that some of the value of cyber insurance products has been lost due to systemic issues and keeping the regulator happy.

“I could probably list out the cyber risks that are not covered by a cyber policy,” he explained. “If that is the case, then something has gone wrong.”

As an example, Holmes cited state-backed cyber attacks, such as incidents relating to the Russia-Ukraine war, being excluded from standalone cyber policies.

CFC Underwriting has around 60,000 small business customers with cyber insurance policies. Therefore, if a ransomware attack were to occur and the MGA was waiting for Russian president Vladimir Putin to confirm the incident stemmed from Russia, “that’s not a sustainable piece of [service] from a customer perspective”, Holmes added.

“Balancing the considerations of our prudential regulator with our conduct regulator is something we need to get more right today,” he continued.

Insurance Times has contacted Lloyd’s of London for further comment.