Cyber risk models take cues from natural catastrophe tools
Posted On: Mar. 20, 2015 12:00 AM CST
CHICAGO — Slowly but surely, researchers are beginning to adapt the modeling tools that have helped insurers and policyholders quantify the risks arising from natural disasters for use on another vexing problem: cyber risk.
Scott Stransky, Boston-based manager and principal scientist in the research and modeling group of AIR Worldwide Corp., said his company expects to have a cyber risk model ready for general consumption within two to three years.
“We have a prototype cyber model available now, and we are looking at 2018 for a general release,” Mr. Stransky said Thursday, speaking at the 10th annual Symposium given by Minneapolis-based brokerage Hays Companies in Chicago.
One of the primary challenges in assembling a probabilistic model for cyber crime is the difficulty in amassing enough relevant data, Mr. Stransky said. “Unlike hurricanes, where there is publicly available storm track data, cyber data can be scarce because companies don't like to say they have been breached,” he said.
To surmount this challenge, AIR is partnering with third-party data sources, including those owned by its parent company, Verisk Inc., and with insurers, which can provide claims data via nondisclosure agreements.
“We are working with companies to get more proprietary data to build more robust models,” he said.
Another challenge involves modeling potential damages from a cyber attack, he said. While estimating first-party costs — such as the money a company will pay lawyers, forensic firms and public relations firms — in the wake of a breach is relatively straightforward, costs related to third-party liabilities can be tough to estimate. Indeed, disputes related to which coverages are triggered are likely to increase, especially if hackers move from just stealing data to damaging physical equipment in factories, Mr. Stransky said.
“Suppose hackers get into the computer system running a dam, causing the dam's spillway to malfunction and flood a neighborhood near the dam,” he said. “While the dam itself is not physically damaged, who pays for that? Until we know which insurance policies will pay for that, we will not be able to model damages for that.”
Modelers need to account for scenarios that are unprecedented, Mr. Stransky said, dubbing these events the “cyber equivalent of Hurricane Andrew.”
Potential “Cyber Andrews” include an attack on the power grid, the air traffic control system or a major cloud computing provider, he said. Another prime candidate would be an attack on one of the major credit card processors, such as MasterCard Inc. or Visa Inc.
“There's only a handful of payment processors, so instead of attacking individual retailers, hackers could attack a single payment processor and perhaps get critical data from 20% of the retailers in North America all at once,” he said. “This is a keen example of the aggregation of risks.”