Catastrophe modelers developing cyber risk technologies to assess exposuresReprints
In the wake of major cyber breaches that defined 2014, technologies to help risk managers, brokers and insurers better assess and model cyber risks are in their infancy.
While insurers and risk managers have long had detailed third-party models to help them gauge probable maximum losses for perils such as hurricanes and earthquakes, functional models for cyber crime are in their building stages.
“What we will see more of in 2015 is cyber risk modeling more similar to the catastrophe modeling done for property insurance,” said John Farley, New York-based vice president and cyber risk practice leader at broker Hub International Ltd.
Andrew Coburn, Cambridge, England-based vice president of catastrophe research at Risk Management Solutions Inc., said the catastrophe modeler is working with clients in a development capacity rather than releasing a general model. RMS is helping those clients standardize the manner in which they capture cyber insurance exposure data and better assess their probable maximum losses from cyber events.
“The principles of cyber catastrophe modeling are similar to other catastrophe models, such as hurricane, but they are not spatial or geographical in impact,” Mr. Coburn said in referring to cyber crimes' potential global effects.
Scott Stransky, Boston-based manager and principal scientist at AIR Worldwide Corp, said the modeler is developing one for cyber risks.
Finding enough relevant data to populate a model can be a challenge, Mr. Stransky said. While much of the historical data used in storm models is publicly available through governmental agencies, much of the most useful data on cyber risks is held by private companies that do not divulge it or bury it in financial filings, he said.
“One issue with cyber is collecting historical data,” he said.
Moreover, determining what information to collect is a challenge for modelers.
“If we are going to insure a home for hurricane, we need to know where it is and what it is made out of, as well as secondary features such as whether they have storm shutters,” Mr. Stransky said. “We are now trying to figure out what the analogies are for cyber.”
Another challenge is the rapidly evolving nature of cyber threats that makes using historical data alone problematic, said Alex Krutov, New York-based president of Navigation Advisors L.L.C. and a fellow of the Casualty Actuarial Society.
“Scarcity and unreliability of historical data are often seen as the main problem in pricing cyber insurance,” he said. “However, even if there were a large volume of cyber loss data collected over a number of years, it is unlikely that this data, by itself and used in the traditional way, would have significant predictive value.”
Aside from comprehensive catastrophe models, other firms are working to help companies and their insurers better understand specific aspects of cyber risks.
Steven Tabacek, Spokane, Washington-based CEO and co-founder of CXOWare Inc., said the quantitative risk software provider's cloud-based offering, RiskCalibrator, helps quantify cyber security risk in financial terms. The tool is intended to help risk managers and other buyers determine how much cyber insurance to buy as well as where to focus cyber risk mitigation efforts, he said.
“Before you put a risk mitigation budget in place, you have to figure out which corporate assets have the highest loss exposure, understand the threats and realize where you have control deficiencies,” Mr. Tabacek said. “You also have to prioritize effectively to choose the most cost-effective solutions; so without a quantitative analysis, you really can't begin to optimize your risk management efforts.”
Matthew McCabe, New York-based senior vice president of the network and privacy practice at Marsh USA Inc., said the brokerage unveiled a cyber breach modeling tool last June that uses historical breach information paired with a company's internal data to predict the probability and financial outcomes of cyber crimes and better calculate how much insurance is necessary.
“There's always a need for better data when quantifying risk,” he said. “With cyber being a relatively new exposure, it just took a number of years of these events occurring for there to be a statistical basis to provide this analysis.”
While Marsh's offering, Cyber IDEAL, is currently focused solely on data privacy exposure, Mr. McCabe said it is to be adapted to address a broader range of cyber exposures, including business interruption costs.
“Everybody would love to see better modeling around business interruption,” Mr. McCabe said.