Cyber risk: cat modelling's biggest challenge yet

28 June 2016

Cyber risk is growing, unavoidable and ripe for insurance solutions. But can the industry really get to grips with such a rapidly evolving risk? Christopher Cundy reports

As risks go, cyber is possibly the most capricious that companies have to deal with. It's veiled in anonymity, lurking in bits and bytes, and evolving in ways only limited by the human imagination. Yet it's unavoidable for business and growing fast, and therefore attracts the attention of insurers keen to tap a new market.

The difficulty in managing the risk means many insurers are approaching the market with trepidation. There are dozens of firms offering specific cyber products, some with experience going back a decade, but in private some executives admit that the risk is borderline insurable. The policies they do offer often feature tight limits to control potential exposure to the biggest worry: that of a cyber catastrophe, a large-scale attack or failure that hits many cyber policies simultaneously.

"Cyber has the potential to expose all of the policies that are written at Lloyd's"

By better understanding the potential accumulation of risk in these specific "affirmative" policies, insurers could write more business. But this is just the tip of the iceberg for insurers considering their exposure management. It's possible that a cyber attack or IT failure leads to extensive physical damage and business interruption, so hiding beneath the water there are "silent" exposures in all manner of property, casualty and specialty policies.

The breadth of the risk is enormous. "Cyber has the potential to expose all of the policies that are written at Lloyd's," states Caroline Dunn, an executive in Lloyd's performance management team.

Understanding the probable maximum loss (PML) from cyber is a task which the insurance industry has started, but even the most experienced practitioners admit there is a long way to go to deal with a peril that's unlike any seen before.

Nature of the risk

For all the stories of data thefts and distributed denial-of-service (DDoS) attacks, we have yet to witness a genuine cyber catastrophe where many large claims arise from a single cause.

Headline events like the credit card hack on US retailer Target, though large and costing hundreds of millions of dollars, are precisely the kind of incident that insurers anticipate when they write a policy. What is harder to predict, and the source of insurers' fears, is the exploitation of a flaw or a system failure that takes down a gamut of companies or has dramatic knock-on effects.

The threat is apparent in millions of PCs infected with malware, for example, or the destruction of equipment at Iranian nuclear facilities by the Stuxnet worm. The challenge of understanding cyber is that there are so many possible causes of a catastrophe, past experiences can quickly become irrelevant, and the interconnectedness of the cyber world means it is hard to understand how extensively a problem could propagate.

"The dynamic nature of cyber risk and the difference in how this risk manifests itself between different sectors or sizes of company means it's a bigger technical challenge than natural catastrophe risk, which is already considered clunky," says Dom del Re, a director at consultancy PwC who specialises in cat risk management. "Cyber is always moving, at a pace faster than the underlying science that governs nat cat and other peak exposures in the market."

According to Éireann Leverett, risk researcher at the Cambridge Centre for Risk Studies, more than 900m data records have been hacked to date, half of US companies have experienced a DDoS attack and one in eight firms have had their websites disrupted. "But there's no guarantee that these will be the cyber scenarios in 2017," he says.

Data problems

Attempting to understand a risk and model it requires lots of data, and this is where cyber kicks up other barriers.

As a relatively new risk, there is no large, rich data set that insurers can access. Clients are an obvious source, but the information collected by underwriters has varied enormously and conditions in the market are not helping. "For property insurance, one in three quotes get bound, compared with one in 10 for cyber," explains Scott Stransky, senior scientist at catastrophe modelling firm AIR Worldwide. Since clients are more likely to purchase cover if they are faced with fewer questions, this is leading to minimal information being collected, he says.

Earlier this year AIR Worldwide and RMS launched cyber exposure data schemas in an attempt to impose some uniformity on the data collected. Unsurprisingly there are differences between the rivals' schemas, so Lloyd's stepped in to try and bring some harmony. The schemas now highlight their common elements and the two firms have agreed to use similar terminology and definitions.

"Everyone has been classifying cyber differently in terms of what data they are collecting and how they are applying that to work out accumulation," says Justyn Hardcastle, a cyber underwriter at Tokio Marine Kiln. "The release of the data schema should significantly improve matters, by making everyone ask for the same information."

The lack of history of cyber data does not help the cause of model creation, but the nature of the risk means a more dynamic, real-time collection may be appropriate. This will involve tapping into alternative data sources.

Alice Underwood, head of analytics at broker Willis Re, which last year launched a model – Prism Re – to help quantify cyber breach exposure, notes that potentially useful information is collected by telecoms companies or malware protection providers. "They have a lot of information about what kinds of things are happening, but they are not looking to model the risk. Accessing these sources will be important and getting together with the IT community will be very valuable – I'm expecting to see more developments along those lines in the next 12-24 months," she says.

When cyber risk becomes terrorism or war risk

Terrorists and governments can – and have – engaged in cyber attacks. So at what point does a cyber risk become terrorism or war, and what does that imply for risk management? One of the difficulties with cyber is identifying the perpetrator – witness all the speculation that North Korea was behind the Sony Pictures leak. With attribution that uncertain, an attack could in practice only be treated as war or terrorism if it were a declared act of war or terrorism.

For countries with a terrorism backstop – such as the Terrorism Risk Insurance Act (TRIA) in the US, or Pool Re in the UK – it is a grey area. Pool Re is investigating whether it could cover cyber risk and there are calls for the US government to review TRIA and make it explicitly cover cyber.

Using third-party sources also helps avoid another difficulty with relying on insureds to give information: that of disclosure bias. Commercial sensitivities mean a reluctance to share data on breaches or losses. Furthermore, it's not unusual for firms to be unaware of breaches. Efforts are being made to create cyber loss databases, for example through the US Information Sharing and Analysis Centers (ISACs), but it is still early days.

There are also unusual drivers for cyber risk. Some experts estimate that a third of cyber incidents arise because of disgruntled employees or contractors, so getting the measure of an organisation's culture may become important in the future.

Severity and frequency

Trying to calculate a PML requires an assessment of the severity of a cyber cat and the frequency with which it happens.

Work on designing realistic disaster scenarios has helped insurers get a much better handle on the severity question, but it's still very much a developing area.

Eric Durand, a senior business analyst for underwriting strategy at Swiss Re, says some cyber perils – for example, data breach – are easier to analyse with the traditional methods and the aggregation risk is smaller.

Even so, data breach brings the question of legal liabilities and, as with so many liability risks, insurers are at the mercy of the courts and a step-change in settlement trends. Take the recent case of Travelers Indemnity vs. Portal Healthcare Solutions; the latter firm suffered a data breach and successfully claimed on its general liability policy for the defence costs of a class action lawsuit brought by the affected customers. The ruling changed perceptions of what insurers could be liable for and sent shockwaves through the industry.

"[Cyber is] not altogether different from the supply chain issues present in business interruption and contingent business interruption covers – but it's more complex"

Understanding other cyber perils means delving deep into the dependencies in the internet. While there are no traditional geographical confinement zones for cyber risk, there are technological confinements: most attacks pick on a particular vulnerability that may, for instance, only affect a particular brand of router running a particular firmware version at a particular patch level. Obviously, these confinement zones are constantly changing as systems are patched, upgraded or replaced. "That creates an aggregation risk that can't be handled with regular analysis methods," Durand says.

"It's not altogether different from the supply chain issues present in business interruption and contingent business interruption covers – but it's more complex and needs a new technological approach to understand the connectivity of systems and suppliers. For example, what happens if a big cloud provider goes down for a couple of days? You have to understand who depends on that cloud and for what type of activities."

However, it is the frequency element that some say presents the bigger challenge. Willis Re's Underwood explains that, "With a privacy breach, we have some kind of handle on frequency, because companies are required to report it. When it's something like network outage, they would prefer people not to know. Obtaining that information from auxiliary, anonymised sources would be really helpful, but right now there are no authoritative sources."

Scenarios dominate, for now

The ultimate aim for many is to establish a probabilistic model capable of producing PMLs. While that may be feasible for the more straightforward cyber risks, such as breach, it remains very challenging for others where the 'science' is constantly changing.
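The two halves of a PML described above, severity from a scenario's technological footprint (Durand's "who depends on that cloud" question, plus a flaw confined to one firmware version) and frequency from an assumed annual rate per scenario, can be shown on a toy book of business. The following Python is an added example written for this page; it is not code from the article, from RMS, AIR Worldwide or any insurer, and every insured, limit, dependency, outage length and annual rate in it is invented. It assumes each scenario produces a deterministic loss, that scenarios occur independently as Poisson processes, and that business interruption is the only cover triggered.

```python
"""Toy cyber accumulation model (constructed example, not a vendor model).

Severity: each scenario has a technological footprint, the set of insureds
that depend on the failed component, and the loss is the sum of each
affected policy's business-interruption (BI) claim after its waiting
period, deductible and limit.

Frequency: each scenario is given an assumed annual rate (Poisson process),
scenarios are assumed independent, and the occurrence exceedance probability
OEP(x) = P(at least one scenario in the year produces loss >= x) gives a PML
for a chosen return period.  All names, limits, rates and dependencies below
are invented for illustration.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    insured: str
    limit: float                 # policy limit, in currency units
    deductible: float            # monetary deductible, applied after the waiting period
    daily_bi_loss: float         # insured's estimated BI loss per day of outage
    waiting_period_days: int     # time deductible: outage days before cover attaches
    deps: frozenset              # dependency tags "cloud:<provider>" or "fw:<vendor-version>"


@dataclass(frozen=True)
class Scenario:
    name: str
    trigger: str                 # dependency tag that defines the footprint
    outage_days: int             # assumed duration of the outage
    annual_rate: float           # assumed expected occurrences per year


# Constructed portfolio: five hypothetical insureds and their dependencies.
PORTFOLIO = [
    Policy("Acme Retail",     10e6, 250e3, 600e3, 1, frozenset({"cloud:NorthCloud", "fw:RouterCo-3.1"})),
    Policy("Beta Bank",       25e6, 1e6,   2.5e6, 2, frozenset({"cloud:NorthCloud"})),
    Policy("Gamma Logistics",  5e6, 100e3, 400e3, 1, frozenset({"cloud:EastCloud", "fw:RouterCo-3.1"})),
    Policy("Delta Clinics",    2e6, 50e3,  600e3, 1, frozenset({"fw:RouterCo-3.1"})),
    Policy("Epsilon Media",    8e6, 200e3, 900e3, 1, frozenset({"cloud:NorthCloud", "cloud:EastCloud"})),
]

# Constructed scenarios: two cloud-provider failures and one flaw confined to a firmware version.
SCENARIOS = [
    Scenario("NorthCloud three-day outage",   "cloud:NorthCloud", 3, 0.02),
    Scenario("EastCloud two-day outage",      "cloud:EastCloud",  2, 0.02),
    Scenario("RouterCo 3.1 firmware exploit", "fw:RouterCo-3.1",  5, 0.004),
]


def footprint(portfolio, scenario):
    """Insureds inside the scenario's technological confinement zone."""
    return [p for p in portfolio if scenario.trigger in p.deps]


def policy_loss(policy, scenario):
    """BI claim for one policy: waiting period, then deductible, then limit."""
    covered_days = max(0, scenario.outage_days - policy.waiting_period_days)
    gross = covered_days * policy.daily_bi_loss
    return min(max(gross - policy.deductible, 0.0), policy.limit)


def scenario_loss(portfolio, scenario):
    """Aggregate insured loss from one scenario across the whole book."""
    return sum(policy_loss(p, scenario) for p in footprint(portfolio, scenario))


def annual_probability(rate):
    """P(at least one occurrence in a year) for a Poisson process with the given rate."""
    return 1.0 - math.exp(-rate)


def occurrence_exceedance(portfolio, scenarios, x):
    """OEP(x): probability that some scenario in the year produces loss >= x."""
    p_none = 1.0
    for s in scenarios:
        if scenario_loss(portfolio, s) >= x:
            p_none *= 1.0 - annual_probability(s.annual_rate)
    return 1.0 - p_none


def pml(portfolio, scenarios, return_period):
    """Largest scenario loss whose exceedance probability is at least 1/return_period."""
    target = 1.0 / return_period
    for x in sorted({scenario_loss(portfolio, s) for s in scenarios}, reverse=True):
        if occurrence_exceedance(portfolio, scenarios, x) >= target:
            return x
    return 0.0


if __name__ == "__main__":
    for s in SCENARIOS:
        names = ", ".join(p.insured for p in footprint(PORTFOLIO, s))
        print(f"{s.name}: footprint [{names}], loss {scenario_loss(PORTFOLIO, s):,.0f}")
    for rp in (200, 500):
        print(f"1-in-{rp} PML: {pml(PORTFOLIO, SCENARIOS, rp):,.0f}")
```

Two things the numbers show. The firmware scenario is the most severe (the limit on Delta Clinics binds, which is exactly the kind of tight limit mentioned earlier), yet at a 1-in-200 return period it falls below the exceedance threshold and the cloud outage sets the PML; at 1-in-500 the firmware scenario takes over. The PML is therefore only as good as the assumed annual rate on each scenario, which is the frequency problem the practitioners quoted in this article keep returning to.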

Cyber accumulation scenarios

The first major move by cat modelling firm RMS into cyber risk has been to develop five accumulation scenarios covering the major loss processes: data exfiltration, denial of service, cloud service provider failure, financial theft and cyber extortion.

As RMS notes in its Managing Cyber Insurance Accumulation Risk report, "Each of these cyber loss processes is a particular technique or mode of attack that occurs today in companies and triggers insurance claims on cyber policies.

"By understanding these processes and analysing how they occur, developing metrics and studying past case studies, we can extrapolate to a plausible extreme scenario of large numbers of individual claims for use in accumulation management."

In the near term, the assessment of aggregation will focus on developing and running scenarios, and insurers and model vendors are working hard on them. Aside from its data schema, RMS has developed five detailed scenarios (see box above) to help the industry get a better grip on accumulation.

AIR Worldwide is launching a series of deterministic scenarios, starting with cloud service provider failure, and is aiming for a probabilistic model within the next two years.

Lloyd's has pushed its syndicates to submit three cyber disaster scenarios to help the corporation understand its accumulation risk. While some may see this as the syndicates 'marking their own homework', it also means that the corporation gains a broad understanding of the possibilities. Rating agencies and regulators are also pushing for more disclosure from firms and helping to accelerate the efforts to understand accumulation.

Creating a model that can be used for pricing seems a little further off. "The challenge of modelling for rating purposes is greater than that for PMLs," says PwC's del Re. "Getting close to your cedents and building a technical relationship with them lends itself to the underwriting tradition in the London market, and this could be more effective in the short term than relying on sophisticated probabilistic models – which at this moment in time might give you a false sense of security."

The path ahead

The small size of today's cyber market makes it relatively manageable for insurers, but there should be no complacency, even in the absence of cyber catastrophes to date. If the market grows to $10bn by the end of 2019, as some predict, understanding loss potential will become increasingly necessary.

"Over the next two years we should expect insurers to be better able to translate the individual cyber risk characteristics of a cedent into rating and accumulation metrics. This is currently lacking but the industry has awakened, and new services and data standards will come online to bridge that gap," says del Re.

Insurers will also have to take steps to address the question of 'silent' policies. "My hypothesis is that five years from now, every policy will have cyber language in it," says Tom Bolt, president for the UK and Southern Europe at Berkshire Hathaway, and former director of performance management at Lloyd's.

Understanding cyber accumulation is certainly very challenging, but the message from the market is that it's not impossible.

Andrew Coburn, vice-president for catastrophe research at RMS, sums up the task: "We need to bring together people who understand insurance and who have the specialist cyber knowledge. This is about understanding tail risk by taking evidence-based science through to conjectural examples of what the universe of tail risk looks like."

How do you assess cyber accumulation?

Eric Durand, Swiss Re: "For monitoring purposes we use three very general scenarios: data privacy breach; a generic potent malware attack that causes information system business interruption (ISBI); and an attack on supervisory control and data acquisition (SCADA) systems, followed by an electric blackout. They are quite generic and take more of a statistical approach than a footprint approach. For the purpose of capacity control and limitation we have now moved to a real PML approach for the ISBI scenario and are working at developing a similar solution for other types of cyber threat scenarios."

Justyn Hardcastle, Tokio Marine Kiln: "We have worked up a number of scenarios, but because it's an evolving risk, new scenarios are constantly coming up. We also look at non-technical triggers – how could a market downturn affect our clients and potential for cyber losses, for example? We have created models based on our scenarios, which we run quarterly to see how the change in our book affects our aggregated loss, but we welcome the development of vendor models as it's going to improve the market's understanding of cyber risk."

Andrew Pryde, Beazley: "We have been developing realistic disaster scenarios over the past few years, but there are still some unknowns that we continue to understand. I recall that the understanding of natural catastrophe exposure went on a similar journey, from firstly pricing to then realistic disaster scenario testing and currently more sophisticated stochastic modelling.

"We have put together a suite of seven scenarios which we review on a quarterly basis. We do probabilistic modelling within the capital model because those are the Solvency II requirements. The main challenge is setting the frequency assumption. We shouldn't lose sight of the fact that we haven't seen a major aggregated event. It's difficult enough when you're probabilistically modelling earthquake exposure and we don't see that many earthquakes. However, that doesn't mean we shouldn't carry on trying to assess the frequency. This is a challenge that is being picked up by a number of third-party modelling providers."