Tag Archives: cyber risk

Unlocking the Potential of Cyber Insurance

The cyber insurance market presents insurers with an attractive growth opportunity. It also presents a significant challenge to overcome. Coverage constitutes the largest genuinely new class of business developed by the insurance industry for at least a generation. And its potential, even at the conservative end of the scale, can be measured in tens of billions of US dollars.

However, with limited tools to measure the threat, carriers have been understandably reluctant to throw too much capital at the risk. With warnings about the systemic nature of the threat reverberating through the press to boardrooms, the industry has so far approached the risk with caution and coverage has been limited.

Yet the need for insurance solutions to assist corporates with their cyber threat is real and great. In the wake of losses such as Target’s $67 million settlement with Visa over a breach of customer payment data, and an estimated annual global cost of cybercrime of $445 billion, companies are eager to offload what they rightly see as a large and looming financial risk.

Industry Concerned by Systemic Nature of Cyber

We recently surveyed 40 RMS clients already writing cyber, including insurers, reinsurers, and brokers, to gain an understanding of their concerns. They had a number of common challenges.

Firstly, due to the dynamic and emerging nature of the peril, it’s difficult to quantify just how big and systemic a potential cyber catastrophe might be. In addition, with so many different attack methods available to cyber criminals, even knowing where the attack will come from poses some difficulty.

Another common challenge was the uncertainty of how cyber attacks could impact non-affirmative cyber policies, the so-called silent exposure. With limited precedent set for how cyber-related losses would trigger these policies, there is uncertainty around the impact of a cyber catastrophe.

Lastly, the lack of a common data standard or a mechanism for understanding aggregations of risk poses a further challenge, hindering companies in understanding their capital implications, setting risk appetites, and meeting their regulatory reporting obligations.

A Response to the Problem

We have tackled our clients’ cyber risk management concerns by developing a cyber accumulation management solution, built on three core elements.

  1. A data standard for the industry: Our Cyber Exposure Data Schema was developed in conjunction with the Centre for Risk Studies at the University of Cambridge, with support from leading market companies. It provides an approach to standardising cyber data as a distinct peril. It copes with both affirmative and silent cyber coverage, and allows risk to be tracked and transferred by providing a consistent framework for data capture, storage, and analysis. Critically, it is open source, model-agnostic, and extensible.
  2. Five loss scenarios to stress test portfolios: The new RMS cyber loss process models assess actual books of business against multiple realistic loss scenarios, testing various levels of severity for the top five cyber threats identified by our industry development partners at Cambridge. Running analyses shows underwriters how loss events would interact with their exposure, and isolates the key drivers of risk, allowing an informed, independent view of cyber to be formed.
  3. A Cyber Accumulation Management System: The accumulation engine is the framework for generating loss projections. The analytical capabilities enable companies to report exposure aggregates by coverage type and potential loss characteristics, to a previously unthinkable level of granularity. It highlights accumulations and correlations, giving insurers, reinsurers, and brokers all of the tools necessary to answer questions regarding portfolio optimization, capacity and capital requirements, while delivering answers to regulatory demands.

Together these three components comprise a complete cyber risk management solution which solves the key, real-world challenges facing the insurance industry today. We have created a new standard for the capture and management of cyber exposure data, and mechanisms to get a handle on both affirmative and silent cyber risks while simultaneously meeting reporting requirements. All of that delivers the insights necessary to unlock the capital necessary to meet ultimate insureds’ demands for cyber cover, and allow the insurance sector to grow confidently into this exciting new line of business.

Learning More About Catastrophe Risk From History

In my invited presentation on October 22, 2015 at the UK Institute and Faculty of Actuaries GIRO conference in Liverpool, I discussed how modeling of extreme events can be smarter, from a counterfactual perspective.

A counterfactual perspective enables you to consider what has not yet happened, but could, would, or might have under differing circumstances. By adopting this approach, the risk community can reassess historical catastrophe events to glean insights into previously unanticipated future catastrophes, and so reduce catastrophe “surprises.”

The statistical foundation of typical disaster risk analysis is actual loss experience. The past cannot be changed and is therefore traditionally treated by insurers as fixed. The general consensus is: why consider varying what happened in the past? From a scientific perspective, however, actual history is just one realization of what might have happened, given the randomness and chaotic dynamics of nature. The stochastic analysis of the past, used by catastrophe models, is an exploratory exercise in counterfactual history, considering alternative possible scenarios.

Using a stochastic approach to modeling can reveal major surprises that may be lurking in alternative realizations of historical experience. To quote Philip Roth, the eminent American writer: “History, harmless history, where everything unexpected in its own time is chronicled on the page as inevitable. The terror of the unforeseen is what the science of history hides.” All manner of unforeseen surprising catastrophes have been close to occurring, but ultimately did not materialize, and hence are completely absent from the historical record.

Examples can be drawn from all natural and man-made hazards, covering insurance risks on land, sea, and air. A new domain of application is cyber risk: new surprise cyber attack scenarios can be envisaged with previous accidental causes of instrumentation failure being substituted by control system hacking.

The past cannot be changed—but I firmly believe that counterfactual disaster analysis can change the future and be a very useful analytical tool for underwriting management. I’d be interested to hear your thoughts on the subject.

New Risks in Our Interconnected World

Heraclitus taught us more than 2,500 years ago that the only constant is change. And one of the biggest changes in our lifetime is that everything is interconnected. Today, global business is about networks of connections continents apart.

In the past, insurers were called on to protect discrete things: homes, buildings and belongings. While that’s still very much the case, globalization and the rise of the information economy means we are also being called upon to protect things like trading relationships, digital assets, and intellectual property.

Technological progress has led to a seismic change in how we do business. There are many factors driving this change: the rise of new powers like China and India, individual attitudes and even the climate. However, globalization and technology aren’t just symbiotic bedfellows; together they are the factor stimulating the greatest change in our societies and economies.

The number, size, and types of networks are growing and will continue to do so. Understanding globalization and modeling interconnectedness is, in my opinion, the key challenge for the next era of risk modeling. I will discuss examples that merit particular attention in future blogs, including:

  • Marine risks: More than 90% of the world’s trade is carried by sea. Seaborne trade has quadrupled in my lifetime and shows no sign of relenting. To manage cargo, hull, and the related marine sublines well, the industry needs to better understand the architecture and the behavior of the global shipping network.
  • Corporate and Government risks: Corporations and public entities are increasingly exposed to networked risks: physical, virtual or in between. The global supply chain, for example, is vulnerable to shocks and disruptions. There are no local events anymore. What can corporations and government entities do to better understand the risks presented by their relationships with critical third parties? What can the insurance industry and the capital markets do to provide CBI coverage responsibly?
  • Cyber risks: This is an area where interconnectedness is crucial. More of the world’s GDP is tied up in digital networks than in cargo. As Dr. Gordon Woo often says, the cyber threat is persistent and universal. There are a million cyber attacks every minute. How can insurers awash with capital deploy it more confidently to meet a strong demand for cyber coverage?

Globalization is real, extreme, and relentless. Until the Industrial Revolution, the pace of change was very slow. Sure, empires rose and fell. Yes, natural disasters redefined the terrain.

But until relatively recently, virtually all the world’s population worked in agriculture—and only a tiny fraction of the global population were rulers, religious leaders or merchants. So, while the world may actually be less globalized than we perceive it to be, it is undeniable that it is much flatter than it was.

As the world continues to evolve and the megacities in Asia modernize, the risk transfer market could grow tenfold. As emerging economies shift away from a reliance on government backstops towards a culture of looking to private market solutions, the amount of risk transferred will increase significantly. The question for the insurance industry is whether it is ready to seize the opportunity.

The number, size, and types of networks are growing and will only continue to do so. Protecting this new interconnected world is our biggest challenge—and the biggest opportunity to lead.

Managing Cyber Catastrophes With Catastrophe Models

My colleague Andrew Coburn recently co-authored an article on Cyber Risk with Simon Ruffle and Sarah Pryor, both researchers at Cambridge University Centre of Risk Studies.

This is a timely article considering the cyber attacks in the past year on big U.S. corporations. Target, Home Depot, JPMorgan and, most recently, Sony Pictures have all had to deal with unauthorized security breaches.

This isn’t the first time Sony has experienced a virtual assault. In 2011, the PlayStation Network suffered one of the biggest security breaches in recent memory, which is reported to have cost the company in excess of $171 million.

Cyber attacks can be costly and insurers are hesitant to offer commercial cyber attack coverage because the risk is not well understood.

Andrew and his co-authors contend that insurers are not concerned with individual loss events, such as the targeted security penetrations we’ve seen recently on Sony and JPMorgan. Their concern is whether individual loss events are manageable across a whole portfolio of policies.

The biggest challenge in evaluating cyber risk is its inherent systemic complexity and interconnectivity. The internet, the technology companies that run on it, and the enterprises they serve are inextricably intertwined; shocks to one part of a network can quickly cascade and affect the rest of the whole system.

Can catastrophe-modelling methodologies provide the solution? Read the full article in The Actuary here.