Skip to main content

Cyber Core Data Requirements

Our collaboration

Through collaboration with LMA, AIR, Cambridge Centre for Risk Studies, and RMS, Lloyd’s has sought to establish a common core schema for cyber exposure data and common core features for input data used in cyber risk tools in the market, both in relation to key attributes that should be considered when evaluating cyber risk and in relation to the way in which this information should be collected in line with the existing industry-standard codes.

These common features have been observed to be compatible with information already collected by underwriters, brokers and industry organizations assessing cyber risk, and include:

Commonality in collection of geographic information on insured companies using ISO country codes such as:

  • US – United States
  • GB – United Kingdom
  • DE – Germany
  • FR – France

Standard Cyber Peril Codes, such as:

  • PCY - Cyber security data and privacy breach
  • PCZ - Cyber security property damage

Agreement on key indicators of cyber vulnerability such as:

  • Enterprise Size as captured by revenue and headcount
  • Organization Industry or Business Sector as captured by NAICS codes. Examples of NAICS 2012 codes are:
    • NAICS Code: 42: Wholesale Trade
    • NAICS Code 524: Insurance
    • NAICS Code: 519130 Internet Publishing and Web Search Portals

Aligned Cyber Coverages including, but not limited to:

  • Security Breach of Privacy
  • Liability
  • Business Interruption
  • Cyber Extortion
  • Replacement of Lost Data and Software
  • Regulatory fines
  • Physical Damage and Bodily Injury

Common cyber risk attributes including:

  • Number and type of records held by an enterprise which could be breached. Identifiable Data Types at risk include but are not limited to:
    • Credit Card
    • PII (Personally Identifiable Information)
    • PHI (Personal Health Information)
    • IP (Intellectual Property)
  • Identification of cloud service providers
  • Internet Business Interruption potential

Further information will be available when AIR and Cambridge Centre for Risk Studies publish their more detailed schemas. They will highlight the core information described above.