By Yvette Essen
The indiscriminate nature of cyber, its ability to cross geographical boundaries and the manner in which it filters into different classes of business creates difficulties when modeling cyber risks.
These were some of the challenges recently highlighted by Hiscox and Swiss Re in an insightful discussion regarding developing realistic cyber catastrophe scenarios. They were taking part in a webinar featuring Lloyd’s, Guy Carpenter and CyberCube on the creation of realistic disaster scenarios (RDS).
In a session moderated by Oli Brew, CyberCube’s Head of Client Services, discussions centred around how the use of RDS has evolved in the natural catastrophe space. However, they have only relatively recently been used with a real operational impact in the domain of cyber.
Anthony Cordonnier, Head of Cyber Product Management for Swiss Re, highlighted how the (re)insurance industry “can draw upon the wisdom of our property colleagues, especially with nat cat exposure”. However, cyber differs as it can be associated with many different risks.
“If you look at North American hurricanes, accumulation is driven by the presence of a cluster of insured risks in a defined geography, and their vulnerability to the same natural peril,” he said. “Accumulation in cyber is driven predominantly by human factors, which are inherently more difficult to model than natural perils. It could be caused, for example, by the failure of a widely used piece of software, or a concerted attack against certain risks.”
Devin Page, Head of Specialty Reinsurance at Hiscox Re, outlined further challenges. He said: “Another additional complexity is the non-geographical basis of cyber risk. Another layer of complexity if a cyber loss happens across multiple jurisdictions. We are trying to create scenarios on things we haven’t necessarily seen yet.”
Despite the various difficulties associated with modeling cyber risk, both Anthony and Devin agreed the quantification and qualification of silent cyber are very important.
The creation of risk scenarios is one of the most important, complex and (for many) interesting aspects of risk management in the insurance sector.
CyberCube recently published a paper “Designing a Cyber Catastrophe”, which acted as a guide to our thought process behind creating cyber disaster scenarios. It examines how in cyber insurance, in particular, rapid change is coupled with a relatively young industry that businesses and criminals alike are keen to embrace in order to derive advantage. This creates both opportunity and risk for insurers: Data is key and the application of that data in order to predict and manage risk could mean the difference between success and failure.