Building a cyber model mousetrap for the newest catastrophe

By Erin Ayers on January 9, 2015

The economic impact and myriad frustrations of persistent cyber attacks in recent years appear to have a silver lining of sorts – catastrophe modelers now feel they have enough data on security breaches to effectively model cyber risk, which could lead to better risk management and more accurate insurance premiums.

For those familiar with catastrophe modeling for hurricanes, earthquakes, tornadoes, and terrorism, cyber insurance models bear more of a resemblance to those for hurricanes or tornadoes – relatively frequent events – than terrorism, another human-made, but fortunately less frequent event. Cyber events, as businesses, government, and the public have come to realize, occur with a degree of regularity – and attempted attacks happen even more often.

At Boston-based AIR Worldwide, major retailer breaches and the burgeoning cyber insurance market prompted a closer look at the modeling of the risk. AIR principal scientist Scott Stransky told Advisen the company is in the development stages of a model and it’s one that the insurance industry is eagerly awaiting. Cyber insurance take-up rates may currently only stand at 20 percent, but that number is expected to grow.

“It’s the largest growing area of insurance,” said Stransky. “With the soft market, people are very excited about expanding. But they’re hesitant to expand without a good model, and that’s where we come in.”

Working with several as-yet-unnamed partner companies and drawing data from public sources, AIR has developed a stochastic catalog with information from existing cyber events for its prototype model, similar to the database used for modeling natural disasters. The model then produces theoretical events – events that could involve no damage, minimal damage or “a Hurricane Andrew type of breach,” Stransky explained, citing a massive event that hasn’t occurred but remains within the realm of possibility. He used the example of a major cloud provider being hacked, an event that could potentially affect many organizations all at once.

“That would include lots of different policies being triggered at once, if you’re insuring 12 different companies and they all use this cloud,” Stransky said.

A functional cyber insurance model offers the chance not only to analyze the wide range of possible events, but also to match the price of insurance to the risk. Sources say cyber insurance currently offers lower premiums and low limits. Lower limits mean insured organizations run through their available insurance funds relatively quickly following a data breach.

“If they know how to price the risk better, they can charge the appropriate premiums,” said AIR’s Stransky. “It’s better for everyone, not just the insurance companies and the reinsurance companies.”

While cyber insurance may be growing in popularity for the business world, it’s still not a sure sell. From the broker perspective, modeling the risk means arming clients with the awareness of how much data they hold and the processes for safeguarding it. Marsh launched its Cyber IDEAL model in July, according to Matthew McCabe, senior vice president and cyber modeling expert for the insurance broker.

“The credo is that better data leads to better decisions,” McCabe told Advisen. “For several years, there was just not enough claims data for frequency and severity for a robust statistical model.”

Marsh employed internal claims data, publicly available information, and purchased data from other sources to create its model, which McCabe said has been well-received.

“It gives our insureds something to put their teeth into when deciding whether to purchase cyber insurance,” he said. “It really paints the picture of how data breach costs can rack up. We like to inject a little more smarts in the process and enable the insured.”

The Marsh model relies on “some very basic inputs” – industry, revenues, strength of information security protection, as well as the records held by a company – to project the likelihood of data breaches and their “realizable costs.” The model can also highlight data an organization is retaining that may not be necessary.

“How much data are you holding? If it’s several million records, or whatever their number might be, it might be a good time internally to question what their policy is for purging data,” said McCabe. “What’s great about the cyber insurance process is that it’s a moment in time in which companies can not only consider the benefit of insurance but that companies can look at their processes and the controls they have in place.”

McCabe reported that Marsh’s model has helped risk managers and insurance buyers bolster their argument for buying cyber insurance.

“They need data. They can’t just stand up in front of the people they report to and say, ‘I’ve got a real strong feeling about this,’” he said. “It helps the decision-making on the internal side.”

No risk model can afford to remain static. As cyber events continue, new information can be added to models, improving accuracy and encompassing all probabilities.

“One of the interesting things is that it’s a growing, breathing model,” said McCabe. “We’re in an era where we’re discovering more incidents and the costs about the incidents.”

Cyber insurance modeling has for several years been of interest to the academic actuarial world. Hemantha S.B. Herath, professor of managerial accounting at the Goodman School of Business at Brock University in Canada, developed a model to show the damaging effects on a company’s computer systems in 2011. He based it on existing insurance models, modified it to include cybersecurity, and penned an academic paper that illustrates the long-term interest in cyber insurance models.

“It’s a complicated problem, but the key is that we do have some insurance-based models that are a starting point,” Herath told Advisen. “Insurance is a good way to transfer the risk, but the actual pricing of it was premature.”

Herath’s model examined the potential downtime for organizations hit by email-borne viruses by taking the number of computers at a company and determining loss distribution if any one of the computers – or all of them – were affected. While it doesn’t address all forms of cyber attacks or legal actions stemming from breaches, it offers a “ballpark range” estimate of damage, particularly for smaller businesses that may not realize their exposure.

Shaun Crawford, global practice leader at Ernst & Young, told Advisen he sees the opportunity for better risk mitigation through cyber models that give insurers a better shot at determining which risks to cover and what the ultimate costs might be.

“When insurance first started, it was all ships being sunk. People would evaluate the risk and actually price the insurance based on the ship, the cargo lost. When you’re talking about cyber risk, it could interconnect the whole supply chain,” Crawford said. The cyber risk involves “so many different ways” to lose data, shut down a company or website, or do “phenomenal” damage to a brand.

Insurers should be using models to identify companies that have put in place the right security mechanisms to protect themselves, as well as to find the right products to take to the market and the exclusions those products should include, he added.

“If I was an insurer, I would ensure that the proper, professional systems are in place. You wouldn’t issue life insurance without a full medical report from a doctor,” Crawford noted. “There’s a lot to be done to see what can be prevented, to see what controls, audits, and defenses are in place. With the complexity and smarts of some of these [hackers], it’s getting harder.”

Crawford as well as Marsh’s McCabe predicted that the next logical and necessary step for cyber modeling must be to model reputational risk and business interruption.

“We’re in that point of history that we were for data breaches,” said McCabe. “The question of how we can really put reliable numbers behind business interruption is an ongoing work in progress.”

erin.ayers@zywave.com

Erin is the managing editor of Advisen’s Front Page News. She has been covering property-casualty insurance since 2000. Previously, Erin served as editor-in-chief of The Standard, New England’s Insurance Weekly. Erin is based in Boston, Mass. Contact Erin at [email protected].