CFC Underwriting’s Head of Cyber James Burns Talks to Risk & Insurance

In May, London-based CFC Underwriting announced that it had named James Burns as head of cyber. Mr. Burns now heads a team of more than 50 underwriters who are devoted to underwriting cyber risk for large corporate clients and SMEs.
By: | July 15, 2021

In May, London-based CFC Underwriting named James Burns as head of cyber.

Burns spoke to Risk & Insurance® about this new opportunity. What follows is a transcript of that interview, edited for length and clarity.

Risk & Insurance: You’ve now been with CFC in a cyber role for nine years or so. How have you taken advantage of the opportunities presented to you?

James Burns: I think I’ve been really, really lucky, particularly in my career at CFC.

Prior to CFC, I was at Zurich for four and a half years, focusing on E&O lines. I joined CFC as a tech and cyber underwriter. Right at that moment, cyber, as a class of business, was really starting to take off, particularly in the U.S., which was CFC’s largest territory.

So the timing was really good, but I think the opportunity was also incumbent upon me to embrace what I thought was going to become, and has become, one of the fastest growing lines of insurance in the industry.

It’s a combination of good timing and also having the will and the want to embrace something new. I basically tried to make myself an expert in this class of business.

That’s what I really sought out to do from the start. So, starting out in an underwriting role within the cyber function was a great way to do that. There’s a lot of embracing the product, explaining the product, what the product does, and then to be able to articulate that to brokers and their clients. That’s as important a part of the role as the actual day-to-day of underwriting the risks.

That led into the next phase of my career at CFC, which was cyber product leader. Cyber was a part of the business where the insurance wordings and policies were changing really quickly, and I was able to carve out a niche for myself there. I was really trying to innovate around what I thought the next covers that this industry needed should be.

Again, I was incredibly lucky to be at an organization like CFC, which is very innovative by nature and heavily committed to cyber as a class of business.

From there, there was a natural transition into taking over management of the cyber underwriting team. My appointment as cyber practice leader involved building on not only my underwriting product development and broker development experience, but also applying my knowledge into developing the next tier, the next breed of cyber underwriters as we were building out that team.

That quite neatly led to my recent appointment as head of cyber, which is a newly created role within CFC. This is my chance to take the reins in respect to determining our strategic vision for the next few years when it comes to how we see the market unfolding and CFC’s place within it.

R&I: What’s energizing you about the role you’ve got now?

JB: For me, it’s the increasingly critical role cyber insurance is now playing in business and within the global economy.

We’ve been active in the cyber market field for 20 years since its very inception. Cyber insurance accounts for over a third of our gross written premium as a business. What we’ve seen over the past few years, and most acutely in the past year, is the market really starting to demonstrate its worth to policyholders and brokers.

Cyber risk is still incredibly new and scary for many organizations.

But there’s an opportunity for an insurer like us and for a team like ours that’s invested heavily in this class to continue to demonstrate our capabilities, not just from an underwriting perspective but from a claims and risk management perspective.

I find that incredibly exciting. I feel like we’re really stepping up when our clients and our brokers need it most. And I think we’re really positioned well to shape and lead this market as it matures.

R&I:  You mentioned policy wording. That’s been a challenge in terms of carrier cyber underwriting and how they resolve claims. Is that a key challenge still and if not, what would you describe as the key challenges?

JB: I think the biggest opportunity that I’ve just spoken about is also our biggest challenge, because we’re currently going through the biggest challenge we’ve faced in our history in the form of a huge increase in the frequency and severity of ransomware claims.

We’ve been active in the cyber market field for 20 years since its very inception. Cyber insurance accounts for over a third of our gross written premium as a business.

I’m sure you’ve heard about what’s happening with ransomware. It’s almost mainstream now, but most of the ransomware attacks being publicized in the press are insured events, and there are thousands more of those insured events per year that aren’t publicized.

So the challenge has really become one of profitability, I think, for the market.

As a market, we’re responding incredibly well. There’s been a swift and fairly pronounced rate correction happening, which was sorely needed given the deterioration in the loss environment.

I think more importantly than that, we’re starting to see cyber insurers start to reflect real, tangible positive behavior change with regards to cyber risk management amongst policyholders.

I know at CFC, we’ve invested millions in building out an in-house security team that is there to help our policyholders do that. The claims challenges that we’ve seen are actually making us better, both in terms of helping our customers to become more secure and also in ensuring that the market remains sustainable.

R&I:  What’s the size of your team and how is it broken down?

JB: We have got one of the largest underwriting teams by headcount in terms of dedicated cyber underwriters in the world.

On the underwriting side, we’ve got close to 50 underwriters now. We have them split broadly into an SME underwriting function and a large corporate cyber underwriting function.

The large corporate cyber function focuses on accounts with a billion dollars or more in revenue. The SME function account focuses on business with zero to $1 billion in revenue. The SME function is subdivided into a number of different territories. We’ve got two teams that focus on U.S.-domiciled business. We’ve got a team that focuses on UK-domiciled business. And then a team focused on what we call international, which is basically everything outside of the U.S. and the UK.

It’s a big team and that’s just the underwriting side.

When you start talking about number of dedicated cyber claims handlers, you’re talking about another 100 or so globally, with a lot of security team personnel based in Austin, Texas, a large number based in London, and a new division, which came out of an acquisition we just made in Brisbane, Australia.

In terms of our all-around capability, as a number of individuals attached, just to side within our organization, between claims and underwriting, I’d be surprised if there’s many insurers out there that have more people than we do, doing this.

R&I: Can you tell us where the business you oversee sits in terms of gross written premium in this area at this point?

JB:  We write over $300 million in cyber premiums globally.

R&I: What about CFC’s approach to talent acquisition? Do you think it’s working and feel like you can really support it?

JB: The best way in terms of attracting talent is creating an environment where your existing staff and existing personnel feel like they’re getting so much enjoyment and value of work in the organization that people start to hear that working somewhere like yours is a good place to be.

I think one of the ways CFC has done that is through incredible transparency and being very good at knowledge sharing.

One of the toughest things about teams as they grow is making sure everyone is in the loop on developments in the market or with claims trends. Particularly with cyber, you’ve got constant shifts in attack vectors, and ensuring proper sharing of knowledge can get so much harder when you get big.

When I joined the cyber team, we had 10 people all in all, tech and cyber combined. Now, cyber alone has more than 50 on the underwriting side. Keeping that joined-up approach to knowledge sharing is really difficult. Maybe even harder in the last year with the move to lockdown.

We shifted all of the work we were doing in terms of live presentations and staff training sessions, and we converted all that into virtual sessions, which in many ways made them more accessible to more people. I think we’ve done a really good job of continuing to produce great in-house learning content for our staff throughout the course of lockdown and with a good degree of regularity.

We’re currently in the midst of putting all of our cyber content onto a brand new e-learning platform, which should be invaluable with regards to staff training.

I think people who work at other organizations hear about that. They hear about how serious we take staff training and knowledge sharing. And I think that naturally makes an organization a desirable place to work, because people have a natural tendency to want to learn and develop.

R&I: If you look at what the commercial insurance industry should do more broadly, it would be to get better at knowledge sharing. Does that resonate for you?

JB: As an industry, insurers haven’t always necessarily been the best at being transparent.

As insurers, we’ve got a responsibility, particularly in an emerging area like cyber, to be as transparent as we can and explain to are our clients what’s really driving losses and why rates are going up whenever they do, and what approach we take to underwriting.

Obviously, there’s going to be certain things that are always commercially sensitive, but if we can be as transparent and open and honest as we can with our employees, our staff and our customers, our brokers, our policyholders, then I think that can only be a good thing ultimately.

R&I: Let’s talk about technology. What does the investment in technology look like for you and its use in underwriting in your claims area?

JB:  We’ve got some really exciting technology projects on the go at CFC.

We’ve got a huge team of in-house software developers. They count for something like more than 10% by head count of CFC as a whole, which is a really big proportion.

I think they’re worth their weight in gold in terms of what we’re able to do now on the cyber team.

We’re able to remotely scan organizations for threats and observable vulnerabilities — those indicators of how susceptible they might be to certain types of claims. We use this information in a variety of ways.

We’re currently in the midst of putting all of our cyber content onto a brand new e-learning platform, which should be invaluable with regards to staff training.

It can be used by our actuarial teams to run performance analysis and what’s really driving losses. It can be used by our security team to create risk alerts for vulnerable policyholders, so we can let them know that they need to secure themselves. And it can be used by underwriters to make risk selection decisions on new business accounts.

These capabilities are already becoming a really important part of how we operate, and they’re going to become increasingly critical as time moves on.

R&I:  How long has that remote scanning capability been in place or working for you and your team?

JB: We’ve always been a really technology-focused organization, but we made a decent sized acquisition towards the end of 2019 of a company called ThreatInformer.

It’s really with that acquisition of ThreatInformer that we’ve stepped up the game in relations to the use of remote scanning and data analytics and being able to start assessing the portfolio in a different way.

R&I: As you look at the landscape, I would assume system infrastructure attacks are pretty high on the list in terms of threats we need to be looking out for. Could you name maybe three more in your area of focus we should be watching for?

JB: I’d say ransomware, ransomware and ransomware.

I genuinely don’t see a bigger risk to modern day organizations than the reliance on technology that that brings.

So, ransomware is one method by which that destabilization happens, and it can happen to an organization’s own systems. Or it can attack and impact third-party systems that an organization relies upon.

It’s actually an over-reliance now that most organizations have on technology to function, and the sheer speed with which an organization’s entire intangible asset base can be wiped out is truly terrifying.

Maybe that’s not the best answer to the question, but I think it’s that important it’s worth saying three times.

R&I: You talked about your nine years with CFC. In that time period, and perhaps even at Zurich, what experiences really fed you as a professional?

JB: I’d say the opportunities that I’ve had to meet clients, the end purchasers of insurance products. I’ve always found them incredibly valuable.

I’ve been lucky enough to have fairly regular contacts with policyholders throughout my career. But as the insurer, our day-to-day is often several steps removed from the actual organizations that buy our products, especially if you’re playing in wholesale market as we do in a big way.

I think meeting and listening to a policyholder’s views on what they expect of their policy, what they think the claims service should do, how they expect their insurance provider to act in certain situations in general, to able to hear those experiences and views first hand is such a valuable experience, because ultimately there are people at the end of these products and these policies, and our biggest single priority is to make sure that the insurance products that we create are fit for purpose, fit for service.

Those encounters have always had a big impact on the way I see how the insurance market should work, and I think that’s served me pretty well. &

Dan Reynolds is editor-in-chief of Risk & Insurance. He can be reached at [email protected].

More from Risk & Insurance