By Rebecca Bole, Head of Industry Engagement
A US Treasury advisory committee this week (Feb 1) heard that cyber catastrophe models have transitioned from being “interesting” in the early iterations, to being “useful” for strategic decision-making and for risk transfer transactions both within and outside the insurance industry.
CyberCube was invited to present to the Advisory Committee on Risk-Sharing Mechanisms (ACRSM), chaired by Fermat Capital Management co-founder John Seo, on the maturity of cyber cat risk modeling and its usefulness to inform strategic cyber risk decision-making.
CyberCube and other cyber risk modelers, participated in the event in Washington DC as the US government continues to scope the potential size and shape of a federal insurance response to cyber catastrophe risk. This work was announced by the US Department of the Treasury, in November 2023 and will be debated at a Federal Insurance Office-hosted conference in April 2024.
The ACRSM committee members heard that over the past eight years, cyber models have been trained on a robust set of attritional losses, catastrophe near-misses and counterfactual analysis, to develop a deep understanding of peak perils that drive systemic cyber losses and the frequency of those events.
Market acceptance of these models proves their credibility in modeling cyber catastrophe risk. CyberCube, for example, serves 75% of the top 40 US and European cyber carriers (by premium) and recently announced it had exceeded 100 clients.
Recent financial market acceptance of cyber risk - in the form of cyber Insurance-Linked Securities (ILS) in 2023 - is a sign of the maturity and credibility of the modeling. CyberCube models were used in all of the Q4 2023 cyber ILS issuances, resulting in the successful placement of $415mn in four transactions in the period. This is a strong vote of confidence that the models are established, mature and provide a robust view of the drivers of cyber catastrophic risk.
This transition also means we have credible models to start to dimensionalize catastrophic losses and their impact on enterprises, insurers, and taxpayers.
ACRSM members enquired about the data sets used to train cyber cat models and whether a closer public-private partnership could improve the data applied to cat risk modeling.
The modeling firms, CyberCube, Moody’s RMS and Guidewire Cyence, all called for improved incident data on aggregation events and some standardization of data hygiene classification. For example, there is no equivalent of the National Oceanic and Atmospheric Administration (NOAA) to report on cyber incidents, as is the case with storms. Neither is there an ISO-type certification for cyber hygiene, leaving insurers uncertain of the voracity of stated cybersecurity measures, such as back-ups of servers. Filling these gaps in data could move the needle to modeling, the modelers said.
The ACRSM also heard from ratings agency AM Best Chief Ratings Officer, Stefan Holzberger and Senior Director Michael Lagomarsino, who outlined the process underway to collate cyber risk data from the top 60 cyber insurers. AM Best intends to use the data collected to inform ratings assessments on balance sheet risk, operational risk, business profile risk and the enterprise risk management posture of their rated entities.
CyberCube’s team is looking forward to continuing its work on this Federal Government initiative, by applying our analytics to quantify one of the major risks facing society today and help build societal resilience to extreme cyber loss events.