Cyber Risk and Cyber Risk Insurance: What do we know? What can we measure?
Martin Eling
OECD Expert Workshop, May 13, 2017
Eling | Cyber Risk and Cyber Risk Insurance | May 13, 2017 2
Management Summary
• Research Approach:
Overview of the main research topics in the fields of cyber risk and cyber risk
insurance (based on a dataset of 211 papers)
We also illustrate future research directions (from a practical and academic point
of view)
• Results:
Significant difficulties in insuring cyber risk, especially due to a lack of data and
modelling approaches, the risk of change and risk accumulation
We also discuss various ways to overcome these insurability limitations
(mandatory reporting requirements, pooling of data, public–private partnerships)
Motivating Example: p2.gg/fup
• How likely do you consider an internet failure lasting several days throughout
Switzerland over the next five years?
Scale: 0% 20% 40% 60% 80% 100%
A few benchmarks for Switzerland:
- Cyber insurance experts: 42%
- Board members of SMEs: 38%
Research Approach: Three clusters and ten key questions
Summary of Existing Knowledge on Cyber Risk and Cyber Insurance
1. What is cyber risk? Definition and categorisation
2. What are the costs and detrimental effects caused by cyber risk?
3. Where do we find data on cyber risk? (The good news)
4. How can we model cyber risks? (The bad news)
5. Micro perspective: How should cyber risk management be organised?
6. Macro perspective: Is cyber risk a threat to the global economy and society?
7. Cyber insurance market: What is the status quo and what are the insurability challenges? (The consequences)
Derivation of Potential Future Work (Practical Perspective)
8. What should the insurance industry do to prevent cyber risks and to support cyber insurance?
9. What should the government do to prevent cyber risks and to support cyber insurance?
Derivation of Potential Future Research (Academic Perspective)
10. What are future research directions in the area of cyber risk and cyber insurance?
What is cyber risk?
Causes
• Natural disasters
• Criminality
• War
• Terrorism
• Accidental
Information and communication technology (ICT)
• Compromise of
  - Confidentiality
  - Availability
  - Integrity
Operational technology (OT)
• Business interruption
• Infrastructure breakdown
• Physical damage to humans and properties
Cyber Risk Characteristics
Interdependencies
Extreme events
Data uncertainty
Modelling uncertainty
Risk of Change
Source: Advisen
Any risk emerging from the use of information and
communication technology (ICT) that compromises the
confidentiality, availability, or integrity of data or services
High costs and manifold detrimental effects of cyber risk
…113 b USD (Symantec, 2013)
…445 b USD (McAfee, 2014)
…up to 1’000 b USD (Kshetri, 2010)
…estimates vary substantially and might be biased (Anderson et al., 2013)
… on companies (stock prices, ratings)
… on individuals (erosion of privacy)
… on economic growth (costs and benefits of ICT)
…major part of the effects are indirect (reputational, loss of trust, …)
Where do we find data on cyber risk?
The good news
Hackmageddon: Cyber Attacks Timeline
Ponemon: Cost of Data Breach Studies
NetDiligence: Cyber Claims
McAfee: Global Cost of Cybercrime
SAS OpRisk Data (Biener, Eling, Wirfs, 2015)
DataLossDB (Risk Based Security)
Chronology of Data Breaches (PRC)
Honeynet (Honeynet.org)
Internet Storm Center (ISC, SANS Institute)
Aggregated Data
Raw Data
How can we model cyber risks?
Eling & Wirfs (2016)
Internal correlation | Global correlation: Low | Global correlation: High
High                 | Insider Attack          | Virus
Low                  | Hardware Failure        | Phishing
• Extreme value theory / peaks over
threshold approach; use of heavy tail
distributions (e.g. log-normal/GPD for
severity, negative binomial for frequency)
• Problem: Non-diversification trap for
heavy-tailed risks (Ibragimov et al., 2009)
Böhme and Kataria (2006)
• Another problem: Nonlinear
dependence for aggregation of
cyber risk (typically applying
copulas).
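The heavy-tail point above, as an added example that is not part of the original slides: it simulates Pareto severities (an assumed stand-in for heavy-tailed cyber losses), estimates the tail index from the largest exceedances with the Hill estimator (used here in place of a GPD fit), and compares the 99% VaR per member of a 10-risk pool with the stand-alone VaR. All function names, parameters and sample data are constructed for illustration.

```python
import math
import random

def pareto_losses(n, alpha, rng):
    """Draw n Pareto(alpha) losses (scale 1) by inverse transform; alpha is the tail index."""
    return [(1.0 - rng.random()) ** (-1.0 / alpha) for _ in range(n)]

def hill_tail_index(losses, k):
    """Hill estimate of the tail index from the k largest losses over threshold u."""
    xs = sorted(losses, reverse=True)
    u = xs[k]  # threshold: the (k+1)-th largest observation
    return k / sum(math.log(x / u) for x in xs[:k])

def estimated_tail_index(alpha, n=20000, k=2000, seed=1):
    """Simulate constructed loss data and recover its tail index from the exceedances."""
    return hill_tail_index(pareto_losses(n, alpha, random.Random(seed)), k)

def value_at_risk(losses, q):
    """Empirical q-quantile of a loss sample."""
    xs = sorted(losses)
    return xs[min(len(xs) - 1, int(q * len(xs)))]

def pooled_var(alpha, pool_size, q=0.99, trials=20000, seed=7):
    """VaR of the average loss per member in a pool of iid risks."""
    rng = random.Random(seed)
    avg = [sum(pareto_losses(pool_size, alpha, rng)) / pool_size for _ in range(trials)]
    return value_at_risk(avg, q)

def diversification_ratio(alpha, pool_size):
    """Pooled VaR per member divided by stand-alone VaR; above 1 means pooling hurts."""
    return pooled_var(alpha, pool_size) / pooled_var(alpha, 1)

if __name__ == "__main__":
    print("Hill tail index:", round(estimated_tail_index(0.7), 2))
    for alpha in (0.7, 3.0):  # extremely heavy tail vs. moderate tail
        print("alpha", alpha, "ratio", round(diversification_ratio(alpha, 10), 2))
```

With a tail index of 0.7 the ratio is above 1, so pooling raises the per-member VaR; with a tail index of 3 it falls below 1 and pooling diversifies as expected.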
The bad news
Eling & Schnell (2016)
Cyber Insurance – Status Quo and Insurability
• Market is very small (U.S. vs. rest of world)
• Conventional policies (property and liability) are
frequently silent on whether cyber losses are
covered (the bigger problem today)
• Insurability of cyber risks:
“Cyber risk of daily life”: Not too big to insure;
within-industry collaboration useful (e.g.
pooling of data)
“Extreme Scenarios”: Difficult to insure;
integration of the government (e.g. backstop
for cat risk)
The main insurability problems are
• Lack of data
• Lack of modelling approaches
• Risk of change
• Accumulation risk
• Potential moral hazard problems
The consequences
Cyber Insurance – Status Quo and Insurability
The development of a more reliable and comprehensive data set on digital
security incidents and digital risk management practice would likely require:
• (i) consensus on typology and taxonomy;
• (ii) a trusted public-private digital security incident repository;
• (iii) incentives (e.g., mandatory notification requirements) to promote
reporting of incidents and data sharing by organizations.
The consequences
Local Global
• Direct costs
• Indirect costs (loss of trust)
• Awareness
• Representativeness
+ -
Mandatory?
Cyber Insurance – Outlook / Future Research
Micro perspective
• Demand side research (e.g. risk perception,
fatalism)
• Track technology and improve own IT; revise
existing policies and develop new ones
• Optimal risk management and regulation
(e.g. modelling; how much capital is needed
to cover cyber risks?)
Macro perspective
• More scenarios analyses for measurement
and management of accumulation risk
• Potential systemic risk from cyber risk
underwriting
• Become part of the global dialogue with
stakeholders (pooling, common
vocabulary,…)
Thanks a lot for your attention!
…Questions?