The gap in cyber risk models is just starting to be filled, but developers need to confront a unique set of challenges before such tools can become as commonplace as their Nat CAT counterparts.
In February 2015, Willis Re launched what it said was the “insurance industry’s first cyber risk modeling tool that will enable insurers to quantify and manage their portfolio exposure to data breaches”, and “help execute the most effective reinsurance strategy”.
PRISM-Re™ “provides an objective analysis of the susceptibility to data breach events across the insurer’s portfolio”, said the company. “Based upon the latest exposure data, the tool estimates the frequency of data breaches and the potential severity of insured losses arising from those events.”
Willis’ other model – PRISM, the latest version of which was launched in April 2015 – is aimed at helping buyers of cyber insurance against cyber risk.
Close on Willis’ heels is Aon Benfield, which has also been developing a cyber risk model with an “imminent” release date, said a spokesperson. Further details on the model were not available at press time.
And last September, CAT modeller AIR Worldwide announced tie-ups with security risk and cyber data providers BitSight Technologies and Risk Based Security (RBS) to build a probabilistic cyber model, and plans to release the first version within the next two to three years. “However, companies who are willing to become development partners with AIR and share claims and exposure data will receive preliminary model results as early as 2016,” said Mr Scott Stransky, Manager and Principal Scientist.
But despite the growing phenomenon of cyber attacks, modelling tools remain few – pointing to the unique challenges facing developers. In fact, cyber risk modelling is “multiple times more complex” than modelling Nat CAT, said Dr Praveen Sandri, Managing Director and Senior Vice President of AIR Worldwide’s India office, during the Dubai Rendezvous last November.
Scarcity of relevant data
A key challenge in developing a model for cyber is getting enough relevant data. Unlike other lines of business, cyber claims data can be hard to come by – the cyber threat is still relatively new compared to other types of catastrophes, and information is not readily shared, as companies may be reluctant to publicise their breaches and what these have cost them.
PRISM-Re currently focuses only on privacy breach, “because that is where we were able to obtain the most comprehensive data”, said Ms Alice Underwood, Executive Vice President at Willis Re.
“In the future, we plan to expand modelling into other cyber insurance coverages. Given legal reporting requirements in the US, our data set is most reliable for US insureds and so that is the basis for the baseline parameter set. However, we are able to handle other geographies by applying regional relativities to the US parameters,” she added.
AIR Worldwide’s models are built on three main components – hazard, vulnerability, and loss results – “and we have faced and continue to overcome challenges in each area”, said Mr Stransky.
“On the hazard side, we are collaborating with RBS to gain access to a database of over 16,000 historical cyber incidents. On the vulnerability side, we are working with BitSight Technologies, a company that produces unobtrusive ratings for potential insureds based on their real-time situation,” he said.
To meet the challenge of collecting insurance claims and their associated exposures, “we have met with dozens of companies in the insurance, broker and reinsurance spaces, and have begun receiving data from several of these companies”.
Borderless and interconnected risks
Unlike Nat CATs, cyber risks have no geographical borders – a data breach can affect thousands of users across regions.
The highly interconnected nature of cyber risk is a key challenge, according to an article co-authored by RMS and the Cambridge University Centre for Risk Studies, published in The Actuary.
The article said: “Shocks to one part of a network can quickly cascade throughout the whole system. Further, there is no commonly agreed magnitude scale for a cyber event. The footprint of a cyber scenario is not a geographical region; it is a set of relationships and commonalities of businesses and government organisations. The chief ‘geography’ of cyber correlation risk comes from the common IT technology platforms that share the potential for exploitation and are used by businesses across many industries.”
Modelling potential damages
Modelling potential damages from a cyber attack poses another difficulty, said Mr Stransky. Although first-party costs – for example, money paid to lawyers, forensic firms and public relations firms – following a breach can be relatively straightforward to estimate, the same may not be true for third-party liabilities.
There could also be rising disputes relating to which coverages are triggered, especially if hackers go from merely stealing data to damaging physical factory equipment. “Suppose hackers get into the computer system running a dam, causing the dam’s spillway to malfunction and flood a neighbourhood near the dam,” he said. “While the dam itself is not physically damaged, who pays for that? Until we know which insurance policies will pay for that, we will not be able to model damages for that.”
Non-linear risk
Another obstacle to modelling stems from the non-linear nature of cyber risk, meaning that a small or large event can occur and there is no way to tell the difference between the two, said Mr Mark Clancy, Chief Information Security Officer for The Depository Trust & Clearing Corp, a post-trade market infrastructure for the global financial services industry.
“Cyber risk is the same, there is no history of similar events and so many events are not comparable,” he told Risk & Insurance. “Part of the problem is you are trying to model a non-linear system.”
Confronting the challenges
With reinsurance brokers looking to be a step ahead of traditional CAT modellers in developing cyber risk models, is the latter group late in the game?
Mr Stransky said: “The tools being developed by the brokers are very useful and will help companies evaluate their cyber risk in the near term. However, a fully probabilistic catastrophe model, which requires several types of data from different sources, takes some time to build.
“We expect that AIR’s model will include novel and useful features, such as explicitly capturing the cyber supply chain. This will allow our clients to directly model the impact of two seemingly unrelated risks sharing a common third-party vendor. Additionally, we are looking at complex security breach expenses, for example studying business interruption and liability due to cyber attacks.”
AIR began work on its cyber model about two years ago, “prior to the uptick in interest we are seeing today from clients”, he noted. It has met with more than 40 interested clients and there is a “very strong demand” for a probabilistic cyber risk model.
In addition to probabilistic loss estimation, the AIR Cyber Risk Model will offer a set of deterministic scenarios to help companies understand their aggregated risk from large-scale cyber attacks.
Model enhancements
Just like their traditional counterparts, cyber risk modelling tools will need to keep evolving.
“When tackling a complex and difficult problem such as modelling cyber risk, we believe it’s best to start with a high-level approach and then refine that over time,” said Ms Underwood. “To make a simple analogy, a model of single-life insurance risk that asked only the age of the insured and whether they smoke would not capture all of the factors that affect mortality, but it would provide a baseline differentiation capturing a significant portion of the risk.
“The current version of PRISM-Re focuses on the insured company’s industry and size, because those were the two variables that our modelling indicated as the most statistically significant. As a first-generation model, PRISM-Re will be developed, improved and enhanced over time. We are already working on the next version of the model, with the intent to release this in 2016.”
AIR plans to release its cyber exposure data standards in conjunction with its parent company, Verisk, in the near future. “These standards will allow companies to begin to assess their accumulation risk by making use of deterministic studies for things like blackouts and cloud breaches,” said Mr Stransky.
In a world where information is key, the sharing of relevant data will be crucial in overcoming a primary hurdle to cyber risk modelling.