Updating cyber risk models: Deciding on the ‘When’ and the ‘Why’

Updating cyber risk models: Deciding on the ‘When’ and the ‘Why’

Cyber risk is a dynamic, man-made peril that is evolving rapidly. The motivations of cyber attackers, their methods and the technological vulnerabilities they exploit are constantly in flux.

Developing a robust, defensible view of risk and identifying the cyber events that could bring tail risk to insurance portfolios is difficult. Cyber risk is forward-looking in nature: there are too few systemic cyber-attack precedents to solely use past experience as a predictor of future events. This creates increased uncertainty for reinsurance buyers and portfolio managers trying to identify portfolio exposure accumulations and develop impactful reinsurance programs.

CyberCube’s Portfolio Manager is a cyber risk accumulation model, enabling stress-testing of catastrophic events that could cause significant systemic losses. Following its launch two years ago, CyberCube has updated this model and is now releasing Version 2 (v2).

“If cyber risk is in constant flux, then why choose to update right now?” you might ask.

We first launched Portfolio Manager in March 2018. It was a significant launch because it was the world's first fully-probabilistic cyber catastrophe model. We've had a regular cadence of minor model updates since then, typically every few weeks. These minor releases follow engineering “sprint cycles” as is typical with software development. Each individual release contains one or multiple of the following:

  • new product features or functionality, addressing both internal and external road map wish lists
  • product usability (UI/UX) enhancements
  • bug fixes
  • additional/enhanced data visualizations, which allow already-existing analysis results to be displayed in ways that are helpful to clients looking to embed Portfolio Manager into their existing workflows.

This major model update (v2) gives us a chance to explicitly address new and revised assumptions and events that have occurred since that initial launch. Examples of this are specific event realizations (occasionally alongside associated insurance losses), changes in legal environment(s) and associated judicial rulings or settlements, and scenario class trends (e.g. an increase in the prevalence of ransomware).

While we may change this model as frequently as every six months, we only want to do so when necessary; on average, we may expect to see an update every year or so; it’s important to balance clients’ need for model stability with the need to reflect new information or observed incidents in our modeling assumptions.

Looking forward to the future, is there likely to be a Version 3? Absolutely! Similar to what we’ve seen historically within the natural catastrophe vendor space, we expect a regular cadence of updates, and expect to deploy a v3, v4, v5, and beyond.

Additional details of Portfolio Manager can be found on our website. I’ve recorded a video explaining some of the key differences between v1 and v2 which can also be found on our website.



Download Resource