Global cyber insurance rates have been rising year over year along with increasing claims, and all signs indicate that this trend will continue. The question is: how much worse can it get?
There is a high level of uncertainty around the increasing sophistication, frequency, and severity of cyber attacks, at both the individual-risk and the accumulation level. The concern of insurance risk managers is how best to price and manage capacity relative not just to the cyber attacks they have already experienced, but to the attacks that could occur in future.
In this three-part blog series, Defining the Possible, I’ll be discussing how CyberCube approaches the development of cyber catastrophe scenarios to define and quantify realistic scenarios that could occur. In Defining the Possible Part 1, I’ll highlight some of the considerations CyberCube accounts for when developing our cyber catastrophe scenarios.
Over the past few years, enterprise risk management (ERM) executives have worked on incorporating accepted actuarial methods to manage insured cyber risk, including the use of cyber catastrophe risk models. These statistical models are powerful risk management tools that have been in use for other perils for over two decades; however, defining potential accumulation risk scenarios is one of the most challenging underpinnings of the cyber risk model methodology.
While there are significant commonalities in the assessment of insured catastrophic risk, characterizing potential cyber attack scenarios has unique modeling considerations.
Here, we’ll provide insight into a structured approach to building a plausible foundation for potential cyber attack scenarios, with the ultimate aim of quantifying exposure to future catastrophic attacks.
Two themes unique to cyber catastrophe scenario development are the lack of a formally identified catastrophic insured cyber event to benchmark against, and the fact that the past is not a predictor of the future when assessing the insured impact of cyber attacks.
Key questions that cyber risk management executives need to address include those in Exhibit 1:
Exhibit 1: key questions for cyber risk management executives (figure not reproduced in this text; the six considerations are discussed in order below)
The first consideration listed here is a fundamental one: what is the definition of an insured accumulation event? Economic loss thresholds can be one defining factor, but there is no single standard. The time frame over which an event occurs is a further consideration, and one that is very difficult to define from an insurer's perspective: data breaches, for example, can go undetected for years.
In this context, CyberCube defines a potential catastrophic event as one that impacts two or more companies or entities and is executed by threat actors, as opposed to losses arising from accidental actions.
The second consideration is which cyber costs are insurable. Insurability considerations arising from policy terms and conditions (e.g. act-of-war exclusions triggered by government attribution of nation-state attacks, physical damage, and voluntary shut-downs) need to be taken into account when selecting relevant cyber attack scenarios.
Non-affirmative (silent) cyber cover adds further complication, for example crime policies worded around physical property rather than digital assets. Additionally, cyber coverage and cost assumptions are scenario specific and are complicated by costs such as legal proceedings that take place months or years after the event itself.
Thirdly, scenarios must be developed with a methodology for defining the number of impacted insureds. The footprint of an event, meaning how many insureds are impacted, differs from other perils in that a cyber event can have a large regional or even global reach. In this context, an insured's supply chain exposure to a vulnerable technology or service, a Single Point of Failure (SPoF), needs to be defined. A SPoF can be hardware, software, an operating system, or a technology service provider. A complication that needs to be addressed is that a single company may be exposed to a vulnerability yet not be financially impacted, because it makes only limited use of that technology or service.
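The following toy model, added here as an illustration and not CyberCube's code or methodology, shows how the second and third considerations interact: a portfolio of insureds with stated dependency shares on a SPoF, a materiality threshold that separates "exposed" from "financially impacted", and policy terms (retention, limit, and an act-of-war exclusion switched on by attribution) applied to turn gross loss into insured loss. Every insured, policy term, dependency share, the materiality threshold of 10%, and the business-interruption loss formula are constructed assumptions for the example.

```python
"""Toy cyber accumulation footprint model.

Added example for illustration only; not CyberCube's code or methodology.
All insureds, policy terms, dependency shares and scenarios below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Policy:
    retention: float            # insured bears this amount first (assumed simple deductible)
    limit: float                # insurer pays at most this much above the retention
    war_exclusion: bool = True  # attributed nation-state attacks excluded (assumed wording)


@dataclass
class Insured:
    name: str
    annual_revenue: float
    # SPoF name -> share of revenue-generating operations that depend on it (0.0 to 1.0)
    dependencies: dict = field(default_factory=dict)
    policy: Policy = field(default_factory=lambda: Policy(0.0, 0.0))


@dataclass
class Scenario:
    spof: str                     # the single point of failure taken out by the attack
    outage_days: float            # event duration, the hard-to-pin-down quantity in the text
    nation_state_attributed: bool = False
    # below this dependency share a company is "exposed" but assumed not financially impacted
    materiality: float = 0.10


def gross_loss(insured: Insured, scenario: Scenario) -> float:
    """Business-interruption loss from the outage, before any policy terms (assumed formula)."""
    share = insured.dependencies.get(scenario.spof, 0.0)
    if share < scenario.materiality:
        return 0.0
    daily_revenue = insured.annual_revenue / 365.0
    return daily_revenue * share * scenario.outage_days


def insured_loss(insured: Insured, scenario: Scenario) -> float:
    """Apply the exclusion, retention and limit to get what the insurer actually pays."""
    if scenario.nation_state_attributed and insured.policy.war_exclusion:
        return 0.0
    gross = gross_loss(insured, scenario)
    return min(max(gross - insured.policy.retention, 0.0), insured.policy.limit)


def run_scenario(portfolio: list, scenario: Scenario) -> dict:
    """Compute the event footprint and aggregate gross and insured loss across the portfolio."""
    exposed = [i.name for i in portfolio if scenario.spof in i.dependencies]
    impacted = [i.name for i in portfolio if gross_loss(i, scenario) > 0.0]
    return {
        "exposed": exposed,
        "impacted": impacted,
        "gross_total": sum(gross_loss(i, scenario) for i in portfolio),
        "insured_total": sum(insured_loss(i, scenario) for i in portfolio),
        # the working definition from the text: two or more entities hit by a threat actor
        "is_accumulation_event": len(impacted) >= 2,
    }


# Constructed portfolio: four insureds, two shared providers.
PORTFOLIO = [
    Insured("Alpha Retail", 36_500_000, {"CloudHostCo": 0.8}, Policy(100_000, 1_000_000)),
    # Beta uses the cloud provider for a small side project: exposed, but immaterial
    Insured("Beta Media", 36_500_000, {"CloudHostCo": 0.05}, Policy(50_000, 500_000)),
    Insured("Gamma Bank", 73_000_000, {"CloudHostCo": 0.5, "DNSProvider": 1.0},
            Policy(250_000, 2_000_000, war_exclusion=False)),
    Insured("Delta SaaS", 36_500_000, {"DNSProvider": 1.0}, Policy(0.0, 500_000)),
]

if __name__ == "__main__":
    for sc in (Scenario("CloudHostCo", 5),
               Scenario("CloudHostCo", 5, nation_state_attributed=True),
               Scenario("DNSProvider", 1)):
        print(sc.spof, "attributed" if sc.nation_state_attributed else "unattributed",
              run_scenario(PORTFOLIO, sc))
```

Three points the numbers make: Beta is exposed to the SPoF but drops out of the footprint on materiality; government attribution zeroes the insured loss for every policy carrying the exclusion while leaving the gross loss unchanged; and the DNS outage qualifies as a two-entity accumulation event on gross loss even though only one policy pays, because the other loss sits inside the retention.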
The fourth and fifth key considerations are common to every catastrophe risk model: scenario frequency and severity. The lack of a formally identified historical catastrophic insured cyber event, and of the associated claims data, illustrates the difficulty of modeling these components. Event duration and correlation are not as easily defined as, for instance, the duration of a hurricane's passage and the subsequent flooding.
Some factors that are standard in other models are not currently part of cyber models, such as demand surge: the increase in the cost to remediate or recover from an attack caused by a spike in demand for materials and services.
Finally, scenario validation needs to be addressed. As with other catastrophe risk models, understanding and validating tail risk, including measures of uncertainty, is a challenge for insurers. This is especially so for a peril such as cyber, with both a limited history of large or catastrophic events to benchmark against and a rapidly changing risk environment.
The goal of cyber catastrophe risk models is to define and address these considerations. With them in view, both the analyst and the insurance executive have a basis for assessing, and asking informed questions about, the use of cyber attack scenarios in risk assessment.
In this blog, Defining the Possible Part 1, I’ve identified some of the wide-ranging key factors CyberCube takes into account when developing scenarios, as illustrated above. However, the unique and constantly evolving nature of cyber risk makes it essential that scenarios are frequently reviewed and modified.
At CyberCube, we have years of experience in building catastrophe scenarios, so we understand what needs to be considered. Our solution, Portfolio Manager, provides access to a broad, detailed catalog of cyber catastrophe scenarios, making it easy to assess your loss exposure.
Check out part two of the Defining the Possible series, Criteria for incorporating cyber attack scenarios in insured loss models.
If you’d like to learn more about cyber catastrophe scenarios, check out our free report, Designing a Cyber Catastrophe.