A lock screen from a cyberattack warns that data files have been encrypted on a laptop computer in this arranged photo in London, U.K., on Monday, May 15, 2017. Governments and companies around the world began to gain the upper hand against the first wave of an unrivaled global cyberattack, even as the assault was poised to continue claiming victims this week. (Simon Dawson/Bloomberg)
Cyber risk is a dynamic loss category. It may be defined as any risk of financial loss, business disruption or damage to the reputation of an organization resulting from vulnerabilities in its information technology systems and networks. Cyber risk insurance is therefore needed to help an organization mitigate its risk exposure by offsetting the costs of recovery after a cyber-related security breach. Following a cyber network event, an organization can suffer breached data, disruption to normal operations and loss of revenue as networks are taken offline. Typically, remunerable expenses under cyber risk insurance cover costs relating to investigation, repair of systems, legal settlements and long-term expenses, which include mitigation costs and loss of reputation. Currently, only standalone insurance coverage is available for data breach, especially in the U.S. insurance market, which covers third-party liabilities and first-party costs due to breach of:
  • Personal Identifiable Information (PII);
  • Payment Card Information (PCI); and
  • Personal Health Information (PHI) of customers.

On the other hand, business interruption (BI) is a relatively untested area of cyber insurance, particularly because of the challenges in establishing the cause of a loss and quantifying it, which make it intangible beyond a point. Business loss estimation is further crippled by the lack of transparency about, and unwillingness to report, network breach incidents.

Teachable moments

The cyber risk landscape is evolving rapidly and its potential economic fallout cannot be underestimated. Below are some recent instances of costly cyberattacks:

How cyber business risks are covered

Most of the claims reported for network interruption were often recorded as business interruption caused by property damage and were therefore insured under property coverage. Claims that were cyber in nature or origin either had no recorded cause of loss or were not reported at all. One potential reason is that large businesses previously denied such incidents because of the reputational risk they could expose the company to. Later, they put systems and firewalls in place to protect the company's networks from being vulnerable. Smaller businesses and third-party vendors, on the other hand, did not realize they were under cyberattack until a certain point, so their claims were delayed, improperly gauged or went unreported.

Modeling methodology

There are several models in place that help quantify a cyber network interruption loss. This article discusses one of them, which captures the variability of a cyber BI loss through Monte Carlo simulation, using several inherent industry and actuarial assumptions. The model first categorizes the affected company by the percentage of revenue that could be affected by a network outage (i.e. the percentage of revenue that is network reliant) into:

  • High (more than 60%);
  • Medium (20% - 60%); and
  • Low (less than 20%).

Next, the model chooses the cause of cyberattack, which can broadly be classified into four different categories:

  • Action of People;
  • Systems or Technology failures;
  • Malicious or Criminal Attacks; and
  • External Events.

Among these causes, malicious or criminal acts have been the leading cause of cyberattacks, followed by human-error-based attacks. For this model, we are focusing on three of these causes: 'Actions of People', 'System Failures' and 'Malicious or Criminal Attacks'. BI losses due to external events such as catastrophe or terrorism are not considered here, since they are covered under traditional insurance policies.

Graphics provided by EXL Holdings, Inc.
Finally, the model defines the timeline of a typical cyber business interruption loss in the following three stages:
  1. Period of discovery and blackout: Once a cyber-network event occurs and the attack is detected, there is a system wide shutdown that impacts the entire revenue dependent on the cyber network. During this period, the only revenue generation is from the non-network dependent sources.
  2. Partial recovery phase: During this period, there is a partial system restoration, so there is partial revenue earning from the affected cyber network.
  3. Restoration period: After the systems are fully restored, there is a possibility that the business has not yet recovered to the pre-event level of revenues. In some cases, the extended period of business recovery may be prolonged even with the full ramped up systems.

Assuming that a business interruption loss has occurred, the severity of the loss can be measured directly as a function of the revenue affected and the total duration of the loss. As the maximum daily revenue affected is fixed, the loss severity can be assumed to be proportional to the total duration of the loss. Hence, a high-severity loss event will have the most days of business interruption, followed by medium- and low-severity events. In this model, events of various severities (i.e. outage periods) have been modeled. The number of such events that can occur in a year (i.e. the frequency) has been determined from the count of historical occurrences of these events in the industry.

The model then simulates losses for various scenarios. For a single simulation, the overall event count is first drawn randomly from a Poisson distribution, using the overall frequency parameter as the mean. Then, for each of these events, a random event of a particular severity is generated from the above three loss causes. The event selection, although random, depends on the overall frequency of that particular event. Based on the severity of the event, the total event duration is calculated and then divided into the three stages outlined above. For each stage the revenue loss is calculated separately (using different distributions and different affected revenue percentage assumptions), and the stage losses are summed to give the total revenue impact of that event. The simulations are repeated a large number of times so that all the loss scenarios are included in the model. The mean of the impact severity across the simulations can be considered a projection of the average BI revenue loss that the company can incur in the forecast year.
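The simulation loop described above, written out as an added example; it is not EXL's model or code from the article. Every parameter (revenue, frequencies, outage durations, stage shares and loss ranges) and the choice of triangular and uniform distributions are constructed assumptions, since the article publishes none.

```python
import math
import random

# Every number below is a constructed assumption; the article publishes no parameters.
DAILY_REVENUE = 1_000_000      # total revenue per day
NETWORK_RELIANCE = 0.65        # "High" category: more than 60% of revenue is network reliant
FREQ = {                       # (cause, severity) -> assumed events per year
    ("malicious", "high"): 0.05, ("malicious", "medium"): 0.15, ("malicious", "low"): 0.40,
    ("people", "high"): 0.02, ("people", "medium"): 0.10, ("people", "low"): 0.30,
    ("system", "high"): 0.03, ("system", "medium"): 0.10, ("system", "low"): 0.25,
}
DURATION = {                   # severity -> (low, high, mode) total outage days
    "high": (10, 45, 20), "medium": (3, 12, 6), "low": (0.5, 3, 1),
}
STAGES = {                     # stage -> (share of duration, range of network revenue lost)
    "blackout": (0.2, (1.0, 1.0)),       # full shutdown of network-reliant revenue
    "partial": (0.5, (0.3, 0.7)),        # systems partly restored
    "restoration": (0.3, (0.05, 0.2)),   # systems up, revenue still below pre-event level
}

def poisson(rng, mean):
    """Draw a Poisson count (Knuth's method, fine for small means)."""
    limit, count, product = math.exp(-mean), 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1

def event_loss(rng, severity):
    """Revenue lost in one event: duration split into stages, each with its own loss rate."""
    days = rng.triangular(*DURATION[severity])
    at_risk = DAILY_REVENUE * NETWORK_RELIANCE
    return sum(days * share * at_risk * rng.uniform(lo, hi)
               for share, (lo, hi) in STAGES.values())

def simulate_year(rng):
    """One simulation: Poisson event count, then frequency-weighted event selection."""
    kinds = list(FREQ)
    n_events = poisson(rng, sum(FREQ.values()))
    chosen = rng.choices(kinds, weights=[FREQ[k] for k in kinds], k=n_events)
    return sum(event_loss(rng, severity) for _cause, severity in chosen)

def run(n_sims=20_000, seed=1):
    """Return (mean annual BI loss, list of simulated annual losses)."""
    rng = random.Random(seed)
    losses = [simulate_year(rng) for _ in range(n_sims)]
    return sum(losses) / n_sims, losses

if __name__ == "__main__":
    mean_loss, losses = run()
    print(f"projected average annual BI loss: {mean_loss:,.0f}")
```

The list of simulated annual losses returned by `run` can also be sorted to read off tail percentiles, which the mean alone does not show.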

Preparing your clients

A detailed quantification of BI using this methodology gives companies insight into the composition of their network interruption losses. This helps network-reliant companies plan a targeted mitigation strategy against the fast-growing business risk from cyberattacks. Challenges remain, such as limited industry experience of network interruption and the lack of a universally accepted definition for measuring it. However, the rising incidence of publicized cybersecurity breaches and government-led global measures like the General Data Protection Regulation (GDPR) are expected to resolve these challenges, as companies become more inclined to publicly acknowledge data breaches as part of a planned response to manage reputational damage from cyber threats.

Rituparna Datta is an assistant vice president of Services at EXL Analytics, a provider of data analytics solutions to financial organizations including P&C Insurance firms. To reach this contributor, send email to [email protected].
