Portfolio Manager v4: The next evolution in model sophistication

Portfolio Manager v4: The next evolution in model sophistication

With Portfolio Manager version 4 (PMv4), CyberCube has extended its industry-leading cyber risk catastrophe model to be even more powerful for our clients by enhancing it to better distinguish which companies are at the most risk for economic loss from cyber catastrophes.

CyberCube is continuously vigilant when looking to source, clean, and curate the most appropriate data for cyber risk insurance. Now, we have added an unprecedented level of intelligence on how we interpret and use the data.

The cyber insurance ecosystem can rely on the results of PMv4 with more confidence than ever, and make data-driven decisions in the dynamic and hardening market.

Primary themes of the PMv4 release

Modeling key scenarios with added depth

It is always important to carefully consider any decision that adds complexity to a model.

- Is the cognitive load on the model user worth it?
- Can the additional elements be meaningfully parameterized?
- Is the problem that the added complexity solves going to persist as a critical aspect to model?

For PMv4, the answers were yes. From direct market feedback, it was clear that there was an appetite for an increased level of modeling sophistication on two of PM’s most utilized scenarios, rather than a shallow update of all 29 of the PMv3 scenarios.

The two scenarios in question – cloud outage and widespread malware – are both big drivers of loss in the model, and extremely relatable scenarios that often take center stage for any (re)insurer’s leadership. For each, we added several elements to the modeling. Some highlights include:

- Event Families - These scenarios were further broken down into a handful of alternative narratives that describe how the catastrophe could unfold. The CyberCube model is very tangible and grounded in realistic scenarios. There was always some amount of implicit inclusion of adjacent and similar narratives within the core narrative for each scenario. With PMv4, we make those explicit and model each scenario class variant individually.
- Incorporating Company Security Score - In the case of cloud outage and especially widespread malware, the security of each individual company now plays a direct role in both the likelihood of being impacted and in the severity of that loss. This is in contrast to many other catastrophe scenarios, where the security of the insured does not play a big role, such as the event where a payment system goes down or the insured’s data is breached via a third-party that they had shared the data with.
- Severity differentiation by SPoF - CyberCube scenario classes always have a list of potential Single Points of Failure (SPoFs) that could be at the heart of the incident causing claims to the insureds that rely on them. All scenario classes confront the relative likelihood of the event being centered on one SPoF-type or another. With PMv4, we consider the relative severity from the event being centered on one SPoF or another, as different SPoFs may have different remediation and/or recovery times and so on.
- Importance of Dependency - Insureds that depend on a SPoF are those that might experience a loss, but not all dependencies are created equal. In PMv4, we identify those that are more or less important to the operations of an affected company and use that in estimating their claim from an event.

General model methodology enhancements

An underlying modular model mechanics applies to all scenarios. This is sufficiently universal as to apply to all scenarios, and can be well parameterized by our data and expertise. Each module does a particular job, with the three most important being:

- Frequency - how often can each scenario be expected to happen?
- Footprint - which companies will be affected by each event?
- Severity - what will the financial loss be to each affected company?

In PMv4, we paid particular attention to the Footprint module, and developed an approach that generates more precise and realistic answers to that question. Our basic methodology is to first look at the data we have on detailed dependencies between SPoFs and their customers. Then, recognizing that it is impossible to observe these dependencies perfectly with 100% accuracy and certainty, the detailed dependency data is supplemented with an estimate of how many more companies are likely to be customers of a particular SPoF without showing up in our data.

Since we gather the signals over time from a variety of providers using a variety of methods and across a company’s network, we’re able to come up with a confidency of dependency rather than a simple yes/no for detailed dependencies.

Then, for estimating dependencies we don’t directly observe, we: 1) develop an estimate on a regional basis since our ability to observe is stronger in certain regions and 2) account for not just what we know about one SPoF at a time, but what we know about the whole SPoF list for the scenario and identify companies that are true negatives that are very likely not using a certain SPoF.

Leveraging the power of data science

In addition to the general and specific model enhancements, there was also a data update as part of the PMv4 release. Since the cyber world evolves quickly, it’s critical to be using up-to-date data. As part of this update, CyberCube’s datasets expanded significantly. For example, we now use more than a billion technical dependencies.

Beyond just getting more and fresher data, however, this release is significant for how it makes smarter use of that data. Data science enhancements were weaved into model enhancements at all levels via our twin innovations of importance of dependency and confidence of dependency.

In addition, we made a significant update to our record count estimator, using real data from the tens of thousands of companies our insurance broker clients have run through our platform. Now, if you don’t have the information on the number of records or what data type each insured in the portfolio might have, PMv4 can automatically leverage a more robust and realistic estimate. Each of these projects is interesting from a pure data perspective, but where it gets really powerful is when they come together to play their parts in the model.

How PMv4 quantifies cyber catastrophe risk

Incredibly, for many diversified portfolios, overall results may not change too materially as the net result of all these updates. What does change, however, is the balance of the risk. The power of the model to differentiate what scenarios drive different parts of the loss curve, and what kind of companies contribute to those losses is where you will experience the improvements. So at a high level, CyberCube’s overall view of cyber catastrophe risk is relatively stable.

With PMv4, the model has become even more transparent, realistic, and reliable, and is now an even more valuable tool to quantify risk and use detailed data to differentiate one portfolio from another.

Find out more about Portfolio Manager's features and how it helps you manage your portfolio successfully in our blog — Portfolio Manager: how to create a forward looking view of risk


Download Resource