A challenge currently facing insurers is the difficulty in modelling the risk of cyber catastrophes. I found one article that quotes an insurer as saying that cyber risks are just too systematic and large to insure, and that government intervention is required to make it feasible. Cyber catastrophe risks are different from conventional catastrophes such as natural disasters because the effects of cyber attacks can be global.
I wasn’t entirely satisfied – after all, there are insurers currently offering cyber insurance – so I searched further to find out more about the challenges involved in cyber insurance and possible ways to overcome them. This article explains in greater detail some of the difficulties in modelling cyber risk, and also outlines some techniques that might help insurers better understand cyber risk.
This second article agrees that the main problem with cyber risk is that individual policies cannot be considered independent, since cyber attacks could potentially affect a wide portfolio of policies and result in enormous losses. It explains why this is so: IT systems are highly interconnected, so attacks on one part can affect many others. It also describes the ‘geography’ of cyber risk as arising from the use of common platforms that share the same vulnerabilities, so that many businesses across industries could all be affected if a single platform’s vulnerability is discovered.
A further problem is that, because cyber threats have only existed for a few decades, there is not a large amount of data available – particularly for extreme events. This problem could be compounded by companies being unwilling to disclose security breaches of their IT systems, so the available data may be incomplete. It can also be difficult to determine the actual loss that arose from an event – it is difficult to quantify in monetary terms, for example, exactly how much damage a virus causes. I think these issues with data may not be specific to cyber insurance, and we may have to confront similar issues with data one day should we find ourselves designing innovative products.
Large, correlated events are not new to insurers, and catastrophe modelling techniques have been developed for other incidents, such as extreme weather events. The authors describe the framework of catastrophe models as follows:
“The framework of the models is made up of a large taxonomy of both historical and simulated scenarios of varying magnitudes and frequencies, a hazard model that provides the footprint of each scenario, and the vulnerability of the assets at risk, which together generates an estimate of the potential financial loss.”
It could be possible to model cyber catastrophe risk using the same framework.
The existence of IT systems that service many businesses is also not an entirely new problem; the situation is analogous to major banks that service a huge number of businesses. If these banks fail, the entire economy would be affected, so there has been work to better understand the interdependent risks resulting from bank failure. One technique that could be borrowed from this work to model cyber risk would be to map out the relationships between producers of these important IT systems and users of the systems in a network model, in order to better understand which risks are correlated.
The authors conclude by proposing that if businesses themselves diversified cyber risks – for example, by avoiding industry standard software – and if insurers could better identify interconnected risks and place limits on losses arising from them, insurers would have the capacity to provide the protection that businesses are seeking.
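The catastrophe framework and the producer/user network model described above can be combined in a small deterministic sketch. This is an added example, not code from either article; the portfolio, platform names, frequencies, damage percentages and the `event_cap` parameter are all constructed assumptions.

```python
from collections import defaultdict

# Constructed portfolio: policy -> (insured limit, shared platforms it depends on)
PORTFOLIO = {
    "retailer":  (2_000_000, {"cloud-A", "erp-X"}),
    "hospital":  (5_000_000, {"cloud-A", "os-W"}),
    "law-firm":  (1_000_000, {"os-W"}),
    "logistics": (3_000_000, {"cloud-B", "erp-X"}),
}

# Constructed scenarios: (platform hit, annual frequency, % of limit lost)
SCENARIOS = [("cloud-A", 0.02, 50), ("os-W", 0.05, 20), ("erp-X", 0.01, 80)]

def footprint(platform):
    """Hazard footprint: every policy that depends on the affected platform."""
    return sorted(p for p, (_, deps) in PORTFOLIO.items() if platform in deps)

def accumulation():
    """Total insured limit exposed to each shared platform."""
    acc = defaultdict(int)
    for limit, deps in PORTFOLIO.values():
        for platform in deps:
            acc[platform] += limit
    return dict(acc)

def correlated_pairs():
    """Policy pairs that share a platform and so cannot be treated as independent."""
    names = sorted(PORTFOLIO)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if PORTFOLIO[a][1] & PORTFOLIO[b][1]]

def scenario_loss(platform, damage_pct, event_cap=None):
    """Portfolio loss for one scenario, optionally limited per event by the insurer."""
    loss = sum(PORTFOLIO[p][0] * damage_pct // 100 for p in footprint(platform))
    return loss if event_cap is None else min(loss, event_cap)

def expected_annual_loss(event_cap=None):
    """Frequency-weighted loss across all scenarios."""
    return sum(freq * scenario_loss(plat, pct, event_cap)
               for plat, freq, pct in SCENARIOS)

if __name__ == "__main__":
    print("accumulation by platform:", accumulation())
    print("correlated policy pairs:", correlated_pairs())
    print("expected annual loss, uncapped:", expected_annual_loss())
    print("expected annual loss, 2m event cap:", expected_annual_loss(2_000_000))
```

The accumulation figures show which shared platform concentrates the most insured limit, and comparing the capped and uncapped results shows how a per-event limit bounds the insurer's exposure to a single platform failure.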
I think this view is more reasonable than the claim that cyber risks cannot possibly be profitably insured, although it does acknowledge that there is still work to be done.