Skip to main content
Journal Magazine: Informing Workplace and Facilities Management Professionals - return to the homepage Journal magazine logo
  • Search
  • Visit Journal Magazine on Instagram
  • Visit Journal Magazine on Twitter
  • Visit @Journal_Mag on Facebook
Visit the website of the Chartered Insurance Institute Logo of the Chartered Insurance Institute

Main navigation

  • Home
  • News
  • News analysis
  • Features
  • Study Room
    • A-Z
    • Question and Answer (Q&A)
    • Study Room Features
  • Opinion
  • CII Radio
  • Events
  • Digital Magazine
    • The Asia-Pacific Journal
Quick links:
  • Home
  • Features

Modelling the cyber risk

Share on
  • Twitter
  • Facebook
  • Linked in
  • Mail
  • Print
Open-access content Monday 6th November 2017

Article hero image.

High-profile cyber attacks have once again highlighted this emerging threat. But, Tim Evershed asks, how do you model a risk with such a short data history?

Recent cyber losses, such as the data breach at credit monitoring agency Equifax and the ransomware attack WannaCry, have given insurers yet more reminders of the rapidly increasing size and complexity of cyber perils that they face.

Assessing the potential for future cyber losses is a major challenge for the insurance industry. However, the past couple of years have seen the launch of the first cyber models, which aim to quantify those risks.

In May this year, Risk Management Solutions (RMS) announced the release of its updated RMS Cyber Accumulation Management System. A month earlier, AIR Worldwide had released ARC.

AIR says ARC can evaluate any commercial policy (including those vulnerable to silent cyber), measure and monitor aggregations of cyber risk within a portfolio, as well as estimate potential insured cyber losses for portfolios.

But whereas a conventional catastrophe model assesses a named peril confined to a prescribed geographical area, the challenge for cyber models is to show insurers the risk they face from a constantly evolving threat that could emanate from anywhere in the world.

"In terms of the modelling itself, we use many of the same types of approaches to modelling natural catastrophes as we do cyber risk but structurally the models have to be very different," says Tom Harvey, senior product manager, RMS Cyber Accumulation Management System. "Cyber is not a single peril, it is really a loose collection of technology risks that have been grouped together under one label. When you look at the modelling that has to happen under that cyber umbrella, you have to model incidents that are driven by malicious external actors, including nation states and criminals."

These malicious external actors pose a range of threats including data theft, intellectual property loss, ransomware and theft of money. In addition, the models must also take into account the operational risk borne by companies, such as cloud outages, internal system outages and other system failures.

Mr Harvey continues: "It is much more akin to a network reliability modelling challenge than some of the outside, malicious external modelling. It is a very broad range of modelling challenges."

At present, insurers typically have very little information about the cyber risk characteristics of the companies they insure and instead they tend to rely on a market-share approach.

Scott Stransky, assistant vice-president, principal scientist research and modelling, AIR Worldwide, says: "ARC takes advantage of the detailed information that AIR has compiled on companies to help insurers identify their sources of aggregation risk and to determine with greater certainty which of their insureds would be affected by various aggregation scenarios."

DATA SHORTAGE

However, the cyber models have been received with some scepticism in parts of the (re)insurance markets. In particular, questions have been asked about their efficacy given the lack of historical data on cyber losses.

Sarah Stephens, head of cyber, content and new technology at JLT Specialty, says: "The challenge everybody runs into when they are modelling cyber risk is the relative immaturity of the historical losses. So, there is just a lot of guessing. But I don't think you can just say: if we had better data we could create better models for this industry."

Ms Stephens continues: "The dynamic right now is everyone is asking a lot of questions and collecting a lot of data points to see what sticks. We don't know yet which are the killer questions that will help us to predict what is a good risk and what is a bad risk."

According to AIR, although their data schema has several hundred fields, which aim to build a picture of the features of a company that make it either more or less likely to experience a cyber attack, most of those are optional.

Mr Stransky says: "If you know the industry of the company and the revenue of the company then that's actually all you need to get started on cyber modelling. Those two things are the biggest predictors of whether a company will have a breach or suffer a downtime."

Other key factors that a cyber model will take into account include employee count, the presence, or lack of, a disaster recovery plan and a chief security officer. In addition, it will look at how secure data storage and data transfers are.

And the modellers point out that although cyber risk is a comparatively new risk, the vast volumes of data being collected every day are closing that deficit.

Mr Harvey says: "If you look at cyber malicious events, there are thousands of events going on all the time. We don't have decades' worth of data but we do have 10 years' worth of data and you can get a really clear picture of the cyber risk landscape from that.

"From the modelling side, historical data is valuable but it does not provide a full picture of all the potential events that an insurer could suffer. That historical data needs to be blended with an understanding of the peril and the dynamics of how cyber events are carried out."

THE RISE OF CYBER SECURITY INCIDENTS

AIR infographic

You may also be interested in...

  • Big break for iNEDs
  • CRACK IN THE WALL
  • WORKPLACE WONDERS
Filed in:
Features
Topics:
Cyber Secutiry

You might also like...

Share
  • Twitter
  • Facebook
  • Linked in
  • Mail
  • Print

Today's top reads

BECOME A MEMBER

BECOME A MEMBER

SUBSCRIBE TO PRINT

SUBSCRIBE TO PRINT
The-Journal_NEW.png
​
FOLLOW US
Twitter
Facebook
Youtube
CONTACT US
Tel: +44 (0) 20 7880 6200
Email
Advertise with us
​

About the CII

About us
Membership
Qualifications
Events

The Journal

Digital magazine
Podcasts
Blog
News

General Information

Privacy Policy
Terms & Conditions
Cookie Policy

Get in touch

Contact us
Advertise with us
Write for The Journal
Want to receive The Journal?

The Journal Magazine is © 2020 Redactive Publishing Limited

All rights reserved.