As new probabilistic cyber models are launched, EXPOSURE explores how probabilistic modeling will facilitate the growth of the cyber (re)insurance market and potentially open up the transfer of catastrophic risks to the capital markets 

The potential for cyberattacks to cause global, systemic disruption continues to ratchet up, and to confuse matters further, it is state actors that are increasingly involved in sponsoring these major attacks. Last year’s major global ransomware attacks — WannaCry and NotPetya — were a wake-up call for many businesses, in terms of highlighting the potential scale and source of cyber incidents. The widespread disruption caused by these incidents — widely suspected of being state-sponsored attacks — confirmed that cyber risk is now in the realm of catastrophe exposures.

The introduction of probabilistic catastrophe modeling for cyber therefore comes at an opportune time. In terms of modeling, although a cyberattack is human-made and very different from a Florida hurricane or Japanese earthquake, for instance, there are some parallels with natural catastrophe perils. Most notable is the potential for sizable, systemic loss.

“Catastrophe modeling exists because of the potential correlation of losses across multiple locations and policies all from the same event,” explains Robert Muir-Wood, chief research officer at RMS. “This concentration is what insurers most fear. The whole function of insurance is to diversify risk.

“Anything that concentrates risk is moving in the opposite direction to diversification,” he continues. “So, insurers need to find every way possible to limit the concentration of losses. And cyber clearly has the potential, as demonstrated by the NotPetya and WannaCry attacks last year, to impact many separate businesses in a single attack.”

Cyberattacks can easily make a loss go global. Whereas a Florida hurricane can damage multiple properties across a small geographical area, a ransomware attack can interrupt the day-to-day running of thousands of businesses on an unprecedented geographical scale. “When I think of systemic risk I think of an attack that can target many thousands of organizations, causing disruption of digital assets using technology as a vector for disruption,” says Tom Harvey, senior product manager at RMS cyber solutions.

“What’s the equivalent of a cyber hurricane? None of the insurers are quite sure about that. When you write a cyber insurance policy you’re inherently taking a bet on the probability of that policy paying out. Most people recognize there are systemic risks out there, which increases the probability of their policy paying out, but until models have been developed there’s no way to really quantify that,” he adds. “Which is why we do what we do.”

RMS estimates a substantial outage at a leading cloud service provider could generate an insurable economic loss of US$63 billion — and that is just for the U.S. In economic loss terms, this is roughly equivalent to a catastrophic natural disaster such as Superstorm Sandy in 2012.

To estimate these losses, the RMS model accounts for the inherent resiliency of cloud service providers, drawing on extensive research into how corporations use the cloud for their revenue-generating processes and how cloud providers have adopted resilient IT architectures to mitigate the impact of an outage on their customers.

The majority of the loss would come from contingent business income (CBI), a coverage that typically has an 8- to 12-hour waiting period and is heavily sublimited. Coupled with the still relatively low cyber insurance penetration, this means a significant proportion of the loss would fall on the corporates themselves rather than on the insurance industry.

The evolution of cyber modeling

In the early days of cyber insurance, when businesses and insurers were grappling with an esoteric and rapidly evolving threat landscape, cyber was initially underwritten using various scenarios to determine probable maximum losses for a portfolio of risks.

RMS launched its Cyber Accumulation Management System (CAMS) in 2015, initially focused on five key cyber exposures: data exfiltration, ransomware, denial of service, cloud failure and extortion. “Within each of those classes of cyberattack we asked, ‘What is the most systemic type of incident that we would expect to see?’” explains Harvey. “Then you can understand the constraints that determine the potential scale of these events.

“We have always conducted a great deal of historical event analysis to understand the technical constraints that are in place, and then we put all that together. So, for example, with data exfiltration there are only so many threat actors that have the capability to carry out this type of activity,” he continues. “And it’s quite a resource-intensive activity. So even if you made it very easy for hackers to steal data, there are only so many actors in the world (even state actors) that would want to.

“From an insurance point of view, if you are insuring 5,000 companies and providing cyber coverage for them, you could run the model and say if one of these catastrophes impacts our book we can be confident our losses are not going to exceed, say US$100 million. That’s starting to provide some comfort to those insurers about what their PML [probable maximum loss] scenarios would be.”

The affirmative cyber insurance market is now four times the size it was when RMS developed its first-generation cyber risk model, and as the market diversifies and grows, clients need new tools to manage profitable growth.

Harvey adds: “The biggest request from our clients was to assess the return periods of cyber loss and to link probabilities with accumulation scenarios, and help them allocate capital to cyber as a line of insurance. In the release of RMS Cyber Solutions Version 3, which includes the first probabilistic model for cyber loss, we estimate the scalability of the various loss processes that make up the drivers of cyber claims.

“Stochastic modeling helps explore the systemic potential for catastrophe loss estimates resulting from each cyber loss process: incorporating the statistical volatility of claims patterns from these in recent years, the technical constraints on scaling factors and attack modes of each process, and the parallels with loss exceedance distributions from other perils that RMS has modeled extensively.

“From this, we now provide loss exceedance probability (EP) distributions for each cyber loss process, with reference accumulation scenarios benchmarked to key return periods from the EP curve. These are combined into a total loss EP curve from all causes. RMS has been expanding on these scenarios in recent years, coming up with new situations that could occur in the future and incorporating a rapidly growing wealth of data on cyberattacks that have occurred. Knowing how these real-life incidents have played out helps our cyber modeling team to assign probabilities to those scenarios so insurers can more confidently assign their capital and price the business.”

The ability to model cyber on a probabilistic basis lets insurers assign capital to their portfolio of risks more accurately, and it is hoped this will facilitate the growth of both the cyber insurance and reinsurance markets.
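To make the EP-curve and return-period language above concrete, here is an added example (not RMS code, and not output of any RMS model) that builds empirical loss exceedance probability curves from a constructed table of simulated annual losses per cyber loss process and combines them into a total EP curve. The loss values, the three process names and the ten-year simulation length are all assumptions chosen for illustration; the combination step assumes the per-process losses share simulated years, which is what lets the total curve preserve any correlation the simulation encodes.

```python
# Empirical loss exceedance probability (EP) curves from simulated annual
# losses, per cyber loss process and combined into a total curve.
from typing import Dict, List, Optional

# Constructed sample (illustrative, not model output): simulated annual
# portfolio loss in US$ millions for each loss process over ten years.
SIM_LOSSES: Dict[str, List[float]] = {
    "data_exfiltration": [0, 5, 0, 12, 0, 0, 40, 0, 3, 0],
    "ransomware":        [2, 0, 0, 8, 0, 25, 0, 0, 0, 1],
    "cloud_failure":     [0, 0, 0, 0, 0, 0, 60, 0, 0, 0],
}

def exceedance_probability(annual_losses: List[float], threshold: float) -> float:
    """Fraction of simulated years whose loss reaches or exceeds threshold."""
    return sum(1 for x in annual_losses if x >= threshold) / len(annual_losses)

def return_period_loss(annual_losses: List[float], return_period: float) -> Optional[float]:
    """Loss level whose exceedance probability is 1/return_period.

    The k-th largest simulated annual loss is reached in k of N years, i.e.
    with probability k/N, so a return period T maps to k = floor(N/T).
    Returns None when N simulated years cannot resolve the requested T.
    """
    n = len(annual_losses)
    k = int(n // return_period)
    if k < 1:
        return None
    return sorted(annual_losses, reverse=True)[k - 1]

def total_annual_losses(per_process: Dict[str, List[float]]) -> List[float]:
    """Combine processes year by year (assumes a shared simulated year index),
    so the total EP curve keeps any correlation the simulation encodes."""
    return [sum(year) for year in zip(*per_process.values())]

def pml_table(per_process: Dict[str, List[float]], return_periods: List[float]) -> Dict[str, List[Optional[float]]]:
    """Return-period (PML-style) losses per process and for the total.
    Per-process values do not add up to the total: peaks fall in different
    simulated years, which is why curves are combined by year, not by point."""
    table = {name: [return_period_loss(losses, t) for t in return_periods]
             for name, losses in per_process.items()}
    total = total_annual_losses(per_process)
    table["total"] = [return_period_loss(total, t) for t in return_periods]
    return table

if __name__ == "__main__":
    for name, row in pml_table(SIM_LOSSES, [2, 5, 10]).items():
        print(f"{name:18s} loss at 2/5/10-year return periods: {row}")
```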

Taking out the peaks

As the cyber (re)insurance market develops, the need for mechanisms to transfer extreme risks will grow. This is where the capital markets could potentially play a role. There are plenty of challenges in structuring an instrument such as a catastrophe bond to cover cyber risk; however, the existence of probabilistic cyber models takes that one step closer to becoming a reality.

In 2016, Credit Suisse was able to transfer its operational risk exposures to the capital markets via the Operational Re catastrophe bond, which was fronted by insurer Zurich. Among the perils covered were cyberattack and rogue trading scenarios. Certainly, investors in insurance-linked securities (ILS) have the appetite to diversify away from peak zone natural catastrophe perils.

“On a high level, absolutely you could transfer cyber risk to the capital markets,” thinks Ben Brookes, managing director of capital and resilience solutions at RMS. “All the dynamics you would expect are there. It’s a potentially large systemic risk and potentially challenging to hold that risk in concentration as an insurance company. There is the opportunity to cede that risk into a much broader pool of investment risk where you could argue there is much more diversification.

“One question is how much diversification there is across mainstream asset classes?” he continues. “What would the impact be on the mainstream financial markets if a major cloud provider went down for a period of time, for instance? For cyber ILS to be successful, some work would need to be put into that to understand the diversification benefit, and you’d need to be able to demonstrate that to ILS funds in order to get them comfortable.

“It could be an insured, for example, a business highly dependent on the cloud, rather than an insurance or reinsurance company, looking to cede the risk. Particularly a large organization, with a sizable exposure that cannot secure the capacity it needs in the traditional market as it is at present,” says Brookes.

“The isolation and packaging of that cause of loss could enable you to design something that seems a little bit like a parametric cyber bond, and to do that relatively soon,” he believes.

“We’re at a point where we’ve got a good handle on the risk of cloud provider failure or data exfiltration at various different levels. You could envisage building an index around that, for instance the aggregate number of records leaked across the Fortune 500 in the U.S. And then we can model that — and that’s something that can be done in relatively short order.”

Getting physical

There are only a handful of instances in which a cyber intrusion has caused substantial physical damage. The well-known cases include the attack on a German steel mill and the Stuxnet virus, which attacked a nuclear plant. In spite of this, many experts believe the potential for physical damage resulting from a cyberattack is growing.

“There are three instances globally where cyber has been used to cause physical damage,” says Julian Enoizi, CEO of Pool Re. “The damage caused was quite significant, but there was no attribution toward those being terrorist events. But that doesn’t mean that if the physical ISIL caliphate gets squeezed they wouldn’t resort to cyber as a weapon in the future.”

In our previous article in EXPOSURE last year about the vulnerabilities inherent in the Internet of Things, following the Mirai DDoS attack in 2016, we explored how similar malware could be used to compromise smart thermostats, causing them to overheat and start a fire. Because there is so little data and significant potential for systemic risk, (re)insurers have been reluctant to offer meaningful coverage for cyber physical exposures.

They are also concerned that the traditional “air-gapping” defense used by energy and utilities firms to protect supervisory control and data acquisition (SCADA) systems could more easily be overcome in a world where everything has an Internet connection.

Until now. In March this year, the U.K.’s terrorism insurance backstop Pool Re announced it had secured £2.1 billion of retrocession cover, which included — for the first time — cyber terrorism. “We identified the gap in our cover about two-and-a-half years ago that led us to start working with academia and government departments to find out whether there was an exposure to a cyber terrorism event that could cause physical damage,” says Enoizi.

“While it was clear there was no imminent threat, we wanted to be able to future-proof the product and make sure there were no gaps in it,” he continues. “So, we did the studies and have been working hard on getting the insurance and reinsurance market comfortable with that.”

Even after two years of research and discussions with reinsurers and brokers, it was a challenge to secure capacity from all the usual sources, reveals Enoizi. “Pool Re buys the largest reinsurance program for terrorism in the world. And there are certain reinsurance markets that would not participate in this placement because of the addition of a cyber trigger. Some markets withdrew their participation.”

This does suggest the capital markets could be the natural home for such an exposure in the future. “It is clear that state-based actors are increasingly mounting some of the largest cyberattacks,” says RMS’s Muir-Wood. “It would be interesting to test the capital markets just to see what their appetite is for taking on this kind of risk. They have definitely got a bit bolder than they were five years ago, but this remains a frontier area of the risk landscape.”