The world’s companies are increasingly realizing that cybersecurity is not just a technical problem but a business risk. It has to be managed like other business risks, not only through a combination of risk prevention and mitigation (technology products and services), but also through risk transfer (insurance). According to Marsh, the world’s leading insurance broker, the market for cyber insurance covering network security incidents and privacy breaches is over $3 billion and expected to double in the next few years.
But building a cyber risk model involves three different challenges.
The first challenge in building a cyber risk model is data. The insurance industry has traditionally built risk models that rely on authoritative providers of data, such as the United States Geological Survey (USGS) for earthquake risk, or the National Oceanic and Atmospheric Administration (NOAA) for hurricanes and tropical storms. For such natural events, the hazards are relatively stable, and the same risk models can be used over a span of a few years.
The difficulty with cyber risk is that there is no authoritative source of data that can supply a large, rich dataset for model creation. The Internet is distributed by nature and is becoming increasingly complex as new technologies emerge. The threat landscape is continuously changing and evolving. So not only does data need to be collected, but it needs to be collected in a dynamic, near real-time fashion to keep pace with ever-changing threat vectors.
Data collection and risk modeling are closely intertwined, as they iteratively inform and feed into each other. Given the rapidly changing environment, a cyber risk model requires a continuous loop between the two, which is a challenge when the data collection and the risk modeling are performed in silos.
The second challenge in building a cyber risk model is analyzing people and processes in addition to technology. In cybersecurity, there is an obvious and immediate focus on technology and technical indicators. However, most cyber events have a human element associated with them.
A good percentage of all cyber events are caused or aided by insiders, such as the disgruntled employee or contractor, people who often have legitimate access to the data being affected. Another major source of cyber events is accidents or errors – someone leaving a laptop unattended, clicking on a malicious link, or naively providing information that can lead to unauthorized access. Technology itself is not the main culprit in any of these.
A cyber risk model needs to look beyond pure technology and extend the problem to people and processes as well – a holistic data-driven approach is necessary to get a complete view of the multi-faceted cyber risk of companies.
The third challenge in building a cyber risk model is turning technical indicators into an economic model. The cybersecurity industry is awash in a variety of metrics, benchmarks, scores and ratings based on all sorts of technical indicators, including botnets, spam, vulnerabilities and misconfigurations, to name a few. However, these are somewhat orthogonal to the critical question: what is the probability of a cyber event?
The insurance industry requires an economic model around cyber risk, which not only addresses the question of frequency (probability), but also answers questions on severity (how bad is the event going to be?), financial loss (how much is it going to cost?), and recurrence (if a company had an event, what is its probability of having a follow-on event?).
In addition, since the insurance industry is focused on performance across its portfolio instead of any one company, a cyber risk model also needs to cover the economic impact of risk accumulations, aggregate events and disaster scenarios, and translate all of this into probabilistic loss curves – enabling insurers to deploy capital and to economically justify their decisions to shareholders, regulators, and rating agencies.
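As an added illustration (not from the article, Marsh, or any insurer's actual model), the following Monte Carlo sketch wires together the four questions above plus portfolio accumulation: a Poisson frequency per insured, a log-normal severity capped at the policy limit, an elevated follow-on rate once an insured has had an event, and a shared-cause event that hits a fraction of the portfolio in the same year. The portfolio data, the distribution choices and all parameter values are constructed assumptions for the example; the output is the kind of probabilistic loss curve the paragraph describes.

```python
import math
import random

# Constructed illustrative portfolio: annual event rate, log-normal severity
# parameters (in log-dollars) and policy limit. Not real insurer data.
PORTFOLIO = [
    {"rate": 0.08, "mu": 11.5, "sigma": 1.2, "limit": 2_000_000},
    {"rate": 0.15, "mu": 12.5, "sigma": 1.5, "limit": 5_000_000},
    {"rate": 0.05, "mu": 13.0, "sigma": 1.0, "limit": 10_000_000},
]

def poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the small annual rates used here."""
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1

def simulate_portfolio(policies, years=10000, seed=7, aggregate_rate=0.05,
                       aggregate_share=0.3, recurrence_mult=2.0):
    """Return one total portfolio loss per simulated year. Recurrence: after a
    first event, follow-ons arrive at recurrence_mult times the base rate.
    Accumulation: a shared-cause year hits aggregate_share of all insureds."""
    rng = random.Random(seed)
    annual = []
    for _ in range(years):
        shared_event = rng.random() < aggregate_rate
        total = 0.0
        for pol in policies:
            n = 0
            if rng.random() < 1 - math.exp(-pol["rate"]):           # first event
                n = 1 + poisson(rng, pol["rate"] * recurrence_mult)  # follow-ons
            if shared_event and rng.random() < aggregate_share:     # accumulation
                n += 1
            for _ in range(n):                                       # severity
                total += min(rng.lognormvariate(pol["mu"], pol["sigma"]), pol["limit"])
        annual.append(total)
    return annual

def expected_annual_loss(annual):
    return sum(annual) / len(annual)

def exceedance_curve(annual, probs=(0.1, 0.01, 0.001)):
    """Loss exceeded with each annual probability: 1-in-10, 1-in-100, 1-in-1000 year losses."""
    ranked = sorted(annual, reverse=True)
    return {p: ranked[int(p * len(ranked))] for p in probs}
```

Running `exceedance_curve(simulate_portfolio(PORTFOLIO))` gives the loss levels at the 1-in-10, 1-in-100 and 1-in-1000 year points; raising `aggregate_share` fattens the tail without changing the expected annual loss much, which is why accumulation has to be modeled separately from per-company frequency.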