The creation of risk scenarios is one of the most important, complex and (for many) interesting aspects of risk management in the insurance sector. As a means of “stress testing” insurance portfolios and markets, the method is certainly not perfect. Nonetheless, the stress test serves as an important tool in an insurer’s arsenal, allowing planning and management for future financial risk in the face of rapid change. Indeed, since the financial crisis of 2009, scenario testing by financial regulators has become a common supervisory concept.
In cyber insurance, in particular, rapid change is coupled with a relatively young industry that businesses and criminals alike are keen to embrace in order to derive advantage. This creates both opportunity and risk for insurers: Data is key and the application of that data in order to predict and manage risk could mean the difference between success and failure.
Cyber risk is particularly challenging to model, fundamentally, because of the lack of extended historical precedence. Traditional insurance modeling of future risk (e.g. earthquake, tropical storm, flooding) relies very heavily on historical data, sometimes going back hundreds of years. In contrast, the first cyber attack is cited as occurring in 1989 and significant commercial exposure to such attacks has grown with hyper-connected systems and the mainstream use of the Internet. Whilst we certainly now have a growing library of cyber events that we can learn from, the amount of true “catastrophes” are very few. In some cases, people might argue there are none.
Additionally, this is a challenging space as cyber is a very dynamic and fast-moving domain. A decade ago, the concept of self-driving cars, 4G/5G wireless networks, the home “internet of things”, and an automated transport network may have seemed far fetched. However, in many regions, some of these are already part of everyday life with known cybersecurity risks.
In this context of a rapidly evolving risk, a significant challenge in modeling catastrophic cyber risk is how to develop credible cyber risk scenarios that reflect both current and future cyber attacks.
CyberCube has recently published a paper summarising what our practitioners have learned during the collective years of experience derived through the building of scenarios.
The paper “A Guide to the Thought Process Behind Creating Cyber Disaster Scenarios”, can be found on cybcube.com