RMS recently participated in a cyber model comparison exercise at the Cat Risk Management and Modelling conference in London. These types of comparison for natural catastrophe models have been performed at several conferences during the last decade, but this was the first time that losses from multiple cyber models had been compared in this way. The assessment included established cyber model firms such as RMS and Guidewire, as well as start-ups including Corax, Kovrr and CyberCube.
This comparison exercise clearly demonstrated that the cyber modeling industry has not reached a consensus on the likelihood and impact of extreme cyber catastrophes. The comparison was run against a small number of accounts – looking at a total of 46 U.S. companies across a range of industry sectors.
Each model team was asked to provide the Annual Average Loss (AAL) and various points on the Annual Exceedance Probability (AEP) curve – showing only gross losses. The differences in losses were fairly stark, with a 4.1x differential between the highest and lowest result at the one-hundred-year return period (RP 100), and a 6.7x differential at the ten-thousand-year return period (RP 10,000). These variations excluded one model that was a clear outlier in the results.
What is clear from these results is that the modeling firms in this comparison are all taking different approaches. A quick assessment of the model reporting the lowest losses would suggest that it uses a simple actuarial approach to extrapolate from limited historical incident data to extreme return periods. This type of approach is clearly flawed when applied to cyber, where historical data is of only limited use in assessing future potential catastrophes.
For example, if you extrapolate historical cloud failures (a major source of concern for the insurance community), you would most likely conclude that an extreme cloud outage is not possible (see Figure One below). While cloud providers have been shown to be more secure and resilient than on-premise environments, it would take a brave person to say categorically that a major cloud outage couldn’t exist!
Another major reason for this differential comes from the challenges around correctly assessing a company’s revenue. For several firms the range was surprisingly large – with two widely different assessments of US$750 million and US$75 billion being given for the same firm. Given that a key driver of cyber loss comes from business interruption (BI), accurately capturing this factor is critical in any BI loss calculation. To support this, RMS invests substantially in building out our enterprise company database that allows insurers to accurately enrich their exposure data.
The catastrophe modeling industry has been built on having deep expertise on the peril being modeled and building a framework that captures the physics and dynamics of the underlying systems and interdependent processes. The RMS Cyber Model uses a multi-dimensional assessment to identify and quantify key risk variables that determine the frequency and severity of cyberattacks. This includes a thorough assessment of threat-actor groups, human vulnerabilities, digital assets at risk, outside-in vulnerabilities, historical cyber incidents, loss process footprints, and the interplay with insurance contract terms – including reinsurance terms and conditions.
This proprietary research is embedded within an innovative risk modeling framework, designed to represent the stochastic nature of cyber risk, that can be used to model both individual and portfolio-level risks. Critically, RMS has performed extensive calibration of our model against insurance claims data and with leading experts in cyber security from both academia and industry.
Overall, this cyber model comparison was an interesting exercise and it certainly triggered some healthy debate about various modeling approaches. If you would like to discuss these results further – and to find out which model result was ours – please contact your RMS representative or contact us for more information.