High-profile cyber attacks have once again highlighted this emerging threat. But, Tim Evershed asks, how do you model a risk with such a short data history?
Recent cyber losses, such as the data breach at credit monitoring agency Equifax and the ransomware attack WannaCry, have given insurers yet more reminders of the rapidly increasing size and complexity of cyber perils that they face.
Assessing the potential for future cyber losses is a major challenge for the insurance industry. However, the past couple of years have seen the launch of the first cyber models, which aim to quantify those risks.
In May this year, Risk Management Solutions (RMS) announced the release of its updated RMS Cyber Accumulation Management System. A month earlier, AIR Worldwide had released ARC.
AIR says ARC can evaluate any commercial policy (including those vulnerable to silent cyber), measure and monitor aggregations of cyber risk within a portfolio, and estimate potential insured cyber losses for portfolios.
But whereas a conventional catastrophe model assesses a named peril confined to a prescribed geographical area, the challenge for cyber models is to show insurers the risk they face from a constantly evolving threat that could emanate from anywhere in the world.
"In terms of the modelling itself, we use many of the same types of approaches to modelling natural catastrophes as we do cyber risk but structurally the models have to be very different," says Tom Harvey, senior product manager, RMS Cyber Accumulation Management System. "Cyber is not a single peril, it is really a loose collection of technology risks that have been grouped together under one label. When you look at the modelling that has to happen under that cyber umbrella, you have to model incidents that are driven by malicious external actors, including nation states and criminals."
These malicious external actors pose a range of threats including data theft, intellectual property loss, ransomware and theft of money. In addition, the models must also take into account the operational risk borne by companies, such as cloud outages, internal system outages and other system failures.
Mr Harvey continues: "It is much more akin to a network reliability modelling challenge than some of the outside, malicious external modelling. It is a very broad range of modelling challenges."
At present, insurers typically have very little information about the cyber risk characteristics of the companies they insure and instead they tend to rely on a market-share approach.
Scott Stransky, assistant vice-president, principal scientist research and modelling, AIR Worldwide, says: "ARC takes advantage of the detailed information that AIR has compiled on companies to help insurers identify their sources of aggregation risk and to determine with greater certainty which of their insureds would be affected by various aggregation scenarios."
However, the cyber models have been received with some scepticism in parts of the (re)insurance markets. In particular, questions have been asked about their efficacy given the lack of historical data on cyber losses.
Sarah Stephens, head of cyber, content and new technology at JLT Specialty, says: "The challenge everybody runs into when they are modelling cyber risk is the relative immaturity of the historical losses. So, there is just a lot of guessing. But I don't think you can just say: if we had better data we could create better models for this industry."
Ms Stephens continues: "The dynamic right now is everyone is asking a lot of questions and collecting a lot of data points to see what sticks. We don't know yet which are the killer questions that will help us to predict what is a good risk and what is a bad risk."
According to AIR, its data schema has several hundred fields, which aim to build a picture of the features that make a company more or less likely to experience a cyber attack, but most of those fields are optional.
Mr Stransky says: "If you know the industry of the company and the revenue of the company then that's actually all you need to get started on cyber modelling. Those two things are the biggest predictors of whether a company will have a breach or suffer a downtime."
Other key factors that a cyber model will take into account include employee count and the presence or absence of a disaster recovery plan and a chief security officer. In addition, it will look at how secure data storage and data transfers are.
And the modellers point out that although cyber risk is a comparatively new risk, the vast volumes of data being collected every day are closing that deficit.
Mr Harvey says: "If you look at cyber malicious events, there are thousands of events going on all the time. We don't have decades' worth of data but we do have 10 years' worth of data and you can get a really clear picture of the cyber risk landscape from that.
"From the modelling side, historical data is valuable but it does not provide a full picture of all the potential events that an insurer could suffer. That historical data needs to be blended with an understanding of the peril and the dynamics of how cyber events are carried out."
THE RISE OF CYBER SECURITY INCIDENTS