The state of play in cyber risk modelling

Published in: Risk, Risk Models, UK, Rest of Europe, US - Canada - Bermuda, ROW, Software - IT

Companies: Guy Carpenter, RMS, CyberCube Analytics, Symantec

Sarfraz Thind talks to Jeremy Platt, US cyber specialty practice leader at Guy Carpenter, to get the broker’s view on latest developments in cyber risk management and modelling

Jeremy Platt, Guy Carpenter

How are cyber risk models evolving?

Modelling this risk is evolving rapidly and it’s different than modelling physical perils, for instance. Cyber aggregation events are not subject to geographic limitations in the way a natural peril can be, due to the interconnected systems around the world.

In addition, due to the evolving nature of cyber risk, there is limited historical data on which to base assumptions. While historical data cannot be ignored, the past is not the best predictor of future impact for this evolving peril.

There is no doubt these are serious risks. WannaCry and NotPetya produced well over $300m of losses

The types of cyber-attacks, and the motivations behind them, are constantly changing and it can sometimes take years to discover an event has even taken place. The damage can be difficult to quantify and attribute and attacks can be perpetuated over an extended period of time.

But there is no doubt these are serious risks. The recent WannaCry and NotPetya attacks affected organisations in over 150 countries and produced systemic losses estimated to be well over $300m, equating to financial loss, reputational damage and loss of customer data.

How do you try to understand the risk?

We have a proprietary model (GC ForCas Cyber) that produces a non-cat view of gross loss distributions using an experienced-based approach by leveraging an extensive database of economic cyber losses. Frequency and severity assumptions consider the industry sector, company type and size, and frequency considerations incorporate historical industry-level correlations.

We’ve also been a development partner of CyberCube Analytics, formerly part of Symantec Corporation, for the last three years, helping produce the industry’s first inside-out, stochastic view of cyber exposure.

And we license RMS’s Cyber Accumulation Management System, which includes five affirmative cyber scenarios and five non-affirmative, or silent, scenarios and can model five return periods for the former. We continue to invest in and evaluate additional cyber models.

The US appears more advanced than other regions in cyber modelling, would you agree? How much of this is down to local regulations?

Many of the available models have geographic biases favouring the US. This is primarily due to the availability of data, particularly with respect to data breaches, as a result of the prevalence of data breach disclosure laws in the US.

The cyber insurance market is still dominated by US exposure, though international premium is growing

This is changing, however, with data breach disclosure laws becoming common in more jurisdictions (EU, Australia, and Singapore to name a few), and cyber re/insurance take-up rates in Japan increasing in the last 24 months.

In addition, the script of the global cyber insurance market is still dominated by US exposure, though international premium is growing. Still, approximately 75% of global cyber insurance premiums of $2.5bn-3.5bn are generated in the US.

How significant is cyber risk considered in the US?

Very. In 2017 there was a 46% increase in new ransomware variants, a 54% increase in mobile malware variants, and an incredible 600% increase in Internet of Things attacks compared with the previous year, according to data from Symantec. Research supported by CyberCube estimates hackers currently cost the global economy in excess of $275bn per year.

Companies are more dependent on their IT systems and data than ever, and interference with those assets can destabilise them overnight. And as the nature of cyber incidents shifts from affecting primarily consumers to impacting global political or economic systems, increasing points of attack and more advanced threat actors are increasing awareness.

Insurers are starting to quantify how cyber as a peril can trigger coverage across their other lines of business

Traditional physical processes carried out by industrial control systems, including critical infrastructure, are coming online, while more sophisticated tools and the support of nation-states are enabling highly-skilled hackers, who quickly spread attack methodologies through the ‘dark web’ and a thriving black market.

Insurers are recognising, and starting to quantify, how cyber as a peril can trigger coverage across the other lines of business they write, including but not limited to property, marine, casualty and aviation. Insurers are not only dealing with how to quantify this risk, but how to protect against systemic losses that could have implications across numerous lines of business as a result of a cyber incident.

How are insurers doing with cyber risk modelling? Is the industry as a whole well prepared?

Insurers are using internally-built models, licensing external models, or leveraging a combination of the two as they work to understand this risk.

Cyber modelling is certainly a major focus and there are strategic investments of time and resources being made.

The models have matured over the last few years, but given all of the discussion around silent cyber, there is still a lingering concern that the industry could be caught off guard by a new attack vector or the development of claims from the interpretation of policy wording that had not been anticipated.

Insurers are incorporating and constantly adjusting and updating these models in their approach to quantifying cyber, whether affirmative or silent.  

How does the CyberCube platform work?

The CyberCube platform informs stochastic catastrophe modelling for affirmative cyber through 23 scenarios that impact two or more insureds – with additional silent scenarios expected soon – and represents the first cyber model developed with insights from both a re/insurer or re/insurance broker and the cybersecurity industry

It leverages exabytes of data and applies analytic methods to help insurers manage cyber accumulations and understand their tail risk. The model, parameterised in large part by telemetry data contributed by Symantec, was developed in collaboration with Guy Carpenter and a select group of re/insurers, and includes a proprietary data feed.

It also allows for sensitivity testing so clients can see what happens if they change the business interruption waiting period from eight hours to 12 hours, for example. It also easily integrates with capital modelling platforms.

Is silent cyber risk a major problem?

Yes – it’s probably one of the largest areas of focus at the moment.

Cyber policies were originally written to cover third-party liability exposures, but now there are multiple insuring agreements, including first-party coverages, that look to align with increasingly sophisticated hackers and growing connectivity.

As reinsurance solutions tend to follow the coverages offered in the primary market, silent cyber exposures can exist in a reinsurer’s portfolio when exclusions are not present or are ambiguous, or when insuring agreements are satisfied but the reinsurer did not price for or contemplate such scenarios.

There are various models to help insurers manage affirmative cyber accumulations, but capabilities on the silent side have been limited to date

For example, a law firm could have exposure under its professional liability policy if digitised client records are compromised. A publicly traded company suffering a network breach might see claims under its directors and officers liability policy if its stock price drops and there is no cyber perils exclusion.

A network security issue at a pharmaceutical company could result in its pain reliever being tampered with, resulting in bodily injury claims under its commercial general liability policy as well as product recall policy losses. Terrorism is silent in most cyber policies as well; you have to offer it in the US, but it typically doesn’t meet the definition of an act of war and so the exposure can’t be removed via the war exclusion. And the list goes on and on.

While there are various models to help insurers manage affirmative cyber accumulations, capabilities on the silent side have been limited to date with few, if any, such scenarios incorporated.

That’s why we’re working with vendors such as CyberCube and RMS to increase carriers’ ability to understand the silent cyber exposures within their book of business.

Sarfraz Thind