Although the industry is evolving in regards to cyber modelling, there is still a distinct lack of awareness. A 2016 Captive Cyber Survey showed that 60% of large businesses still do not have cyber insurance. Ms Kirstin McMullan of Aon Benfield explains the requirements needed for cyber risk modelling, the two approaches to it and the necessity for cyber risk profiling.
Cyber risk is one of the key issues driving today’s insurance industry, with the ability to affect companies of all business types. It can impact companies in many different ways from direct physical damage such as destroyed computer servers or numerous financial consequences brought about by aspects such as business interruption, reputational damage and response costs. As we are seeing an increase in the frequency of reported cyber breaches across the world, it is important to understand companies ’ exposure and how a cyber breach might impact them.
Due to its human-induced complexity, cyber risk cannot be modelled in the same way as a natural catastrophe risk. While geographic location is the predominant component of catastrophe risk analysis, cyber risk needs to shift the focus toward aspects such industry type, company revenue, motivations of threat actors, security protocols, cloud computing strategies and number of employees. The collection of this information will rely upon a cultural shift within the industry to obtain the most accurate data to begin establishing risk levels.
‘Silent’ and ‘affirmative’ exposures
There are two main types of cyber risk policies that are currently being modelled; those are based around ’silent’ and ’affirmative’ exposures.
Silent exposure is when an insurance policy does not specify that cover is offered but also does not exclude coverage. The main exposure with silent cyber is the unknown precedent, both for insurers and the insured. Affirmative exposure relates to polices which are specific to offering cyber cover such as data breach or liability type claims; in addition affirmative exposure traditionally covers both accidental and malicious losses.
Two approaches to cyber risk modelling are scenario-based models and statistical or probabilistic models. RMS is an example of the first, CyberMetrica of the second.
Scenario models are (relatively) easy to construct and have the advantage of breadth, but they lack the probabilistic sense that comes with estimating frequency. Aon Risk Solutions in Australia has also developed its own methodology to undertake cyber risk profiling for companies’ broader risk management.
RMS Cyber Model: Identifying key categories of cyber risk
RMS has developed its Cyber Model in collaboration with eight leading insurance partners (Amlin Plc, Aon Benfield, AXIS Capital, Barbican Insurance Group, Canopius Managing Agents Ltd, RenaissanceRe Holdings, Talbot Underwriting, and XL Catlin) and consists of three main modules:
Cyber Exposure Data Schema
RMS has developed a standardised data structure and content that is designed for both silent and affirmative exposures. It also facilitates risk transfer within the industry. The RMS schema captures five key categories of cyber risk (data exfiltration, denial of service, financial transaction compromise, cloud failure and extortion). The data schema also provides a common language and approach needed for understanding and measuring cyber accumulation risk.
Cyber Loss Process Model
RMS has created five loss process models to stress test a (re)insurer’s portfolio, reflecting five key IT-related cyber threats to represent severe but plausible examples of systemic cyber catastrophes. RMS is also in the process of adding operational risk scenarios, starting with power grid failures in the US and UK.
This is the framework for quantifying exposure concentrations across cyber policies. It encompasses capacity and capital requirement, whilst meeting rating or regulatory reporting requirements.
Aon’s CyberMetrica: Quantifying cyber exposures
Aon’s CyberMetrica model has taken a frequency-severity approach with a common industry shock effect. It is powered by Aon’s ReMetrica reinsurance and capital modelling platform.
Similarly to RMS, CyberMetrica is looking at affirmative cyber insurance cover whilst also looking at data breach risk. CyberMetrica is currently utilising data from three sources:
- Aon Benfield Global Insurance Market Opportunities study
- Aon Cyber Solutions Group
There are three modules which make up the cyber model: hazard, damage and insurance. Standard model inputs are the client’s industry, revenue and number of employees to determine frequency of risk and correlation.
Aon Risk Solutions’ Cyber Risk Profiling
Aon Risk Solution’s (Australia) Cyber Risk Profiling is a structured and auditable process which demonstrates good corporate governance and can easily be linked to an organisation’s broader risk management activities. The primary objective of cyber risk profiling is to contribute to the design of an insurance programme by:
- Identifying insurable risks – utilising Aon’s Cyber risk categorisation model to identify and describe risks in terms of their source, the types of events that may occur and the potential consequences these may have on the business.
- Assessing the financial impact of risks – facilitating a workshop with the key stakeholders to validate the risk map, discuss and agree risk rankings and select key risk exposures for more detailed quantitative analysis.
- Measuring the response of insurance – comprehensively reviewing and clearly translating how your current insurance programme responds to the risk profile developed.
- Creating an insurance programme blueprint – working closely with Aon’s cyber insurance team to design an insurance programme which provides your business with an optimal transfer of risk and balances the potential cost of retention versus the cost of transfer.
Next steps in cyber modelling
The development of these cyber models is a great step forward in the progression of cyber risk understanding in the industry, but the models, as do all models, have their limitations. One of the biggest limitations to this type of model approach is the quality and availability of data.
There is still an inherent lack of historical data for Australia to utilise in calibrating any model and for understanding the severity of potential cyber breaches. The Australian Government is pushing to pass the legislation for mandatory breach notification which will greatly benefit the industry and in turn the robustness of future cyber model development.
In addition to this, the industry needs to develop a common language to quantify cyber risk and help cyber security professionals work with the industry to understand the risk in a more comprehensive manner. The RMS Cyber Model is trying to establish a best practice for identifying, quantifying and reporting cyber exposure for the industry. It is an open standard data schema which will create a systematic and uniform approach to risk analysis.
Although the industry is evolving in regards to cyber modelling, there is still a distinct lack of awareness: the 2016 Captive Cyber Survey showed that 60% of large businesses still do not have cyber insurance. Communication is key to enable companies to better understand their exposure to cyber based risk, help them quantify their exposure and finally help them fully understand the expanding cyber market and the financial products currently available to them to mitigate their risk.
Cyber at Aon
Cyber is a key focus within Aon, with many advancements, initiatives and expertise being introduced across the business. In 2016, Aon acquired risk management firm Stroz Friedberg, creating a comprehensive cyber risk management advisory group with an integrated approach to cyber risk. In addition, Aon has continued to expand on its cyber expertise across the business by appointing James Trainor who previously led the Cyber Division at FBI Headquarters.
A global cyber practice group has also been established to bring together the best of Aon’s specialists to develop innovative modelling, risk understanding and modelling capabilities for clients.
Ms Kirstin McMullan is an Analyst at Aon Benfield.
Aon Benfield is the 2016 winner for Reinsurance Broker of the Year at the 20th Asia Insurance Industry Awards.