Don’t be naïve: Model cyber risk probabilistically

Here's how cyber insurers can make informed decisions on how to continuously evolve the cyber line of business.

The profitability and growth potential of cyber insurance is attracting more insurers and reinsurers to the market, and because of increased competition, pricing is set by supply-and-demand dynamics rather than risk-based assessments.

Any insurer’s worst nightmare is experiencing a major loss event that puts the viability of the business in jeopardy. To avoid being labeled as “naïve capital” in this market, insurers must understand how deep in the red their business could become and how they can select the best risks to continue growing while maintaining their overall profitability.

Most cyber insurance claims are related to either security breach incidents — which include phishing/social engineering scams, malware and other computer hacks, accidental issues, and unauthorized data disclosures — or business interruption incidents (for example, from cloud service downtime).

But because cyber insurers mostly rely on limited data or broad assumptions to inform their cyber risk management decisions, they can struggle to determine the largest losses that they can expect and how likely these are to occur. Probabilistic modeling of cyber risk can provide insights to help insurers and reinsurers manage the risk from both security breach incidents and business interruption.

Modeling security breach incidents probabilistically

To determine the likelihood of an organization experiencing a security breach and the factors that drive risk, a probabilistic cyber model should leverage machine learning techniques. These techniques are best suited to identify signals in the data that reveal what is driving a company’s cyber risk and the true predictors of loss that underwriters should be collecting data on.

Cyber modeling approaches that do not utilize machine learning techniques would likely miss these drivers of risk and the nonlinear interactions between them. An organization’s revenue and industry provide enough information to determine a very rough probability of breach, but additional rating variables can be used by a probabilistic cyber model to further differentiate the risk.

For example, several technographic features related to an organization’s security policies, level of malware, and filesharing activity have a meaningful impact on the probability of a breach. Insurers can focus on collecting information on these attributes at the point of underwriting or rely on a probabilistic cyber model’s industry exposure database — a must-have for any probabilistic cyber model — to backfill their data.

A data-driven probabilistic cyber model that leverages machine learning and stochastic simulations can help insurers understand their loss potential to both attritional and extreme events before they occur and deliver insights about the likelihood of cyber incidents and their financial impact on individual risks or books of business.

Figure 1 illustrates how a probabilistic model can help a cyber insurance writer understand and differentiate the risk to individual accounts and improve cyber insurance pricing decisions: of the 6,000 accounts, some were riskier than anticipated, while others were less risky. This information allows model users to optimize their portfolios toward the most profitable risks.

Figure 1. Cyber premiums and modeled average annual loss from security breach incidents are in good agreement overall but reveal that some accounts were riskier than anticipated and others were less risky.

Accounting for potential additional risk due to GDPR

Under the European Union’s General Data Protection Regulation (GDPR), which came into effect in mid-2018, organizations conducting business in Europe that experience a data breach are now potentially subject to a maximum fine of EUR 20 million or 4% of global annual revenue (turnover), whichever is higher.

It is therefore vital that a probabilistic cyber model give insurers the option of including potential GDPR fines in its output for the security breach cause of loss.

Managing portfolio tail risk of cloud service providers

As mentioned earlier, business interruption incidents, or cloud downtime, along with security breach incidents, constitute the majority of cyber-related claims to date. The widespread adoption of cloud services has made providers of these services a major source of systemic risk that could cost the global economy billions in business interruption losses if a major downtime incident were to occur.

Given that each cloud service provider in the market is a uniquely architected and independently managed business, insurers must go beyond simply tracking limits associated with each provider to understand the losses that can be expected from each.

A probabilistic cyber model’s stochastic modeling techniques can simulate downtime events for many different cloud service providers; each event can be made unique by describing which cloud provider went down, the cause of the downtime, the downtime length, and how many of the cloud provider’s data centers were affected. A model that employs these techniques makes it straightforward to quantify how some cloud providers are riskier than others and how systemic incidents can impact an insurance portfolio.
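The simulation described above can be sketched as follows. This is an added example, not code from the article or from any vendor model; the provider names, outage rates, durations, account terms and the `run` function are all constructed assumptions. Both providers carry the same aggregate limit, yet their modeled losses differ, which is why tracking limits alone is not enough.

```python
import random

# Constructed inputs for illustration; not from the article or any vendor model.
# provider -> (outages per year, mean outage hours, number of data centers)
PROVIDERS = {"ProviderA": (0.5, 6.0, 4), "ProviderB": (0.5, 24.0, 2)}
CAUSES = ["power", "network", "software", "operator error"]
# Insured accounts: (provider, data center, BI loss per hour, limit, waiting hours)
ACCOUNTS = [(p, i % n, 10_000.0, 250_000.0, 8.0)
            for p, (_, _, n) in PROVIDERS.items() for i in range(40)]

def simulate_events(rng, provider):
    """Yield one simulated year of outage events for a provider (Poisson arrivals)."""
    rate, mean_hours, n_dc = PROVIDERS[provider]
    t = rng.expovariate(rate)
    while t < 1.0:
        yield {"provider": provider,
               "cause": rng.choice(CAUSES),
               "hours": rng.expovariate(1.0 / mean_hours),
               "data_centers": set(rng.sample(range(n_dc), rng.randint(1, n_dc)))}
        t += rng.expovariate(rate)

def event_loss(event):
    """Insured BI loss for one event: hours past the waiting period, capped at the limit."""
    total = 0.0
    for provider, dc, per_hour, limit, waiting in ACCOUNTS:
        if provider == event["provider"] and dc in event["data_centers"]:
            total += min(limit, per_hour * max(0.0, event["hours"] - waiting))
    return total

def run(years=20_000, seed=7):
    """Simulate many years; return exposed limits, per-provider AAL and tail loss."""
    rng = random.Random(seed)
    by_provider = {p: 0.0 for p in PROVIDERS}
    annual = []
    for _ in range(years):
        year_total = 0.0
        for p in PROVIDERS:
            for ev in simulate_events(rng, p):
                loss = event_loss(ev)
                by_provider[p] += loss
                year_total += loss
        annual.append(year_total)
    annual.sort()
    return {"limits": {p: sum(a[3] for a in ACCOUNTS if a[0] == p) for p in PROVIDERS},
            "aal": {p: v / years for p, v in by_provider.items()},
            "portfolio_aal": sum(annual) / years,
            "loss_1_in_100": annual[int(0.99 * years)]}

if __name__ == "__main__":
    print(run())
```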

Stay ahead of risk with transparent and flexible analytics

A probabilistic cyber model with a transparent and flexible modeling framework enables insurers to keep up with the evolving cyber risk landscape and to confidently justify their decisions to stakeholders because they are able to study the drivers of modeled loss and test their own views of risk.

Whether an insurer’s view of risk changes based on newly discovered vulnerabilities, updated claims or input data, or the need to adjust underwriting strategies to differentiate their products, transparent and flexible analytics can help cyber insurers make informed decisions on how to continuously evolve the cyber line of business.

Scott Stransky is assistant vice president and director of emerging risk modeling at catastrophe modeling firm AIR Worldwide. He can be reached at sstransky@air-worldwide.com.