Page 1

Cyber Risk and Cyber Risk Insurance: What do we know? What can we measure?

Martin Eling

OECD Expert Workshop, May 13, 2017

Page 2

Eling | Cyber Risk and Cyber Risk Insurance | May 13, 2017 2

Management Summary

• Research approach: overview of the main research topics in the fields of cyber risk and cyber risk insurance (based on a dataset of 211 papers); we also illustrate future research directions (from a practical and academic point of view)

• Results: significant difficulties in insuring cyber risk, especially due to a lack of data and modelling approaches, the risk of change and risk accumulation; we also discuss various ways to overcome these insurability limitations (mandatory reporting requirements, pooling of data, public–private partnerships)

Page 3

Motivating Example: p2.gg/fup

• How likely do you consider an internet failure lasting several days throughout Switzerland over the next five years? (audience poll, answers on a 0–100% scale)

A few benchmarks for Switzerland:

- Cyber insurance experts: 42%

- Board members of SMEs: 38%

Page 4

Research Approach: Three clusters and ten key questions

Summary of Existing Knowledge on Cyber Risk and Cyber Insurance

1. What is cyber risk? Definition and categorisation

2. What are the costs and detrimental effects caused by cyber risk?

3. Where do we find data on cyber risk?

4. How can we model cyber risks?

5. Micro perspective: How should cyber risk management be organised?

6. Macro perspective: Is cyber risk a threat to the global economy and society?

7. Cyber insurance market: What is the status quo and what are the insurability challenges?

Derivation of Potential Future Work (Practical Perspective)

8. What should the insurance industry do to prevent cyber risks and to support cyber insurance?

9. What should the government do to prevent cyber risks and to support cyber insurance?

Derivation of Potential Future Research (Academic Perspective)

10. What are future research directions in the area of cyber risk and cyber insurance?

Diagram labels on the slide: The good news / The bad news / The consequences

Page 5

What is cyber risk?

Definition: any risk emerging from the use of information and communication technology (ICT) that compromises the confidentiality, availability, or integrity of data or services.

Causal chain shown on the slide:

• Causes: natural disasters, criminality, war, terrorism, accidental

• Information and communication technology (ICT): compromise of confidentiality, availability, integrity

• Operational technology (OT): business interruption, infrastructure breakdown, physical damage to humans and property

Cyber risk characteristics: interdependencies, extreme events, data uncertainty, modelling uncertainty, risk of change

Source: Advisen

Page 6

High costs and manifold detrimental effects of cyber risk

Global cost estimates:

…113 b USD (Symantec, 2013)

…445 b USD (McAfee, 2014)

…up to 1,000 b USD (Kshetri, 2010)

…estimates vary substantially and might be biased (Anderson et al., 2013)

Detrimental effects:

… on companies (stock prices, ratings)

… on individuals (erosion of privacy)

… on economic growth (costs and benefits of ICT)

… a major part of the effects is indirect (reputational, loss of trust, …)

Page 7

Where do we find data on cyber risk?

The good news

Sources listed on the slide (grouped there into aggregated data and raw data):

Hackmageddon: Cyber Attacks Timeline

Ponemon: Cost of Data Breach Studies

NetDiligence: Cyber Claims

McAfee: Global Cost of Cybercrime

SAS OpRisk Data (Biener, Eling, Wirfs, 2015)

DataLossDB (Risk Based Security)

Chronology of Data Breaches (PRC)

Honeynet (Honeynet.org)

Internet Storm Center (ISC, SANS Institute)

Page 8

How can we model cyber risks?

The bad news

Correlation structure of cyber risk types (after Böhme and Kataria, 2006):

                             Global correlation: Low    Global correlation: High
Internal correlation: High   Insider attack             Virus
Internal correlation: Low    Hardware failure           Phishing

• Extreme value theory / peaks over threshold approach; use of heavy-tail distributions (e.g. log-normal/GPD for severity, negative binomial for frequency)

• Problem: non-diversification trap for heavy-tailed risks (Ibragimov et al., 2009)

• Another problem: nonlinear dependence for aggregation of cyber risk (typically applying copulas)

Sources cited on the slide: Eling & Wirfs (2016); Böhme and Kataria (2006); Eling & Schnell (2016)
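The compound model and the non-diversification trap on this slide, as an added example that is not part of the original presentation or of any of the cited papers: negative-binomial frequency (sampled here as a gamma-Poisson mixture), a lognormal severity body with a GPD tail spliced on at a peaks-over-threshold point, Monte Carlo VaR/TVaR of the annual loss, and a check that pooling n heavy-tailed risks lowers per-risk VaR when the tail index xi is below 1 but raises it when xi exceeds 1 (the trap of Ibragimov et al., 2009). All parameters, the threshold, the 10,000-path simulation size and the names used are illustrative assumptions, not fitted values; the code assumes independent losses, so the copula step for dependent aggregation is not modelled.

```python
# Added example (not from the slides): compound cyber-loss model with
# negative-binomial frequency and lognormal-body / GPD-tail severity, plus a
# Monte Carlo check of the non-diversification trap. Standard library only;
# every parameter below is an illustrative assumption, not a fitted value.
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SeverityModel:
    mu: float          # lognormal log-mean of the body
    sigma: float       # lognormal log-sd of the body
    u: float           # POT threshold: body below, GPD excesses above
    xi: float          # GPD shape / tail index; xi >= 1 means infinite mean
    beta: float        # GPD scale
    p_exceed: float    # P(X > u), the tail weight of the splice


def gpd_quantile(p: float, xi: float, beta: float) -> float:
    """Inverse CDF of the generalised Pareto excess distribution (xi != 0)."""
    return beta / xi * ((1.0 - p) ** (-xi) - 1.0)


def sample_severity(m: SeverityModel, rng: random.Random) -> float:
    """Splice: with prob p_exceed draw u + GPD excess, else a body draw below u."""
    if rng.random() < m.p_exceed:
        return m.u + gpd_quantile(rng.random(), m.xi, m.beta)
    while True:  # rejection sampling of the lognormal conditioned on X <= u
        x = rng.lognormvariate(m.mu, m.sigma)
        if x <= m.u:
            return x


def sample_poisson(lam: float, rng: random.Random) -> int:
    """Knuth's multiplication method; adequate for the modest means used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def sample_neg_binomial(mean: float, r: float, rng: random.Random) -> int:
    """Negative binomial as a gamma-Poisson mixture (over-dispersed counts)."""
    lam = rng.gammavariate(r, mean / r)   # gammavariate(shape, scale)
    return sample_poisson(lam, rng)


def simulate_annual_losses(m, freq_mean, freq_r, years, seed=7):
    """Sorted list of simulated annual aggregate losses (independent events)."""
    rng = random.Random(seed)
    totals = []
    for _ in range(years):
        n = sample_neg_binomial(freq_mean, freq_r, rng)
        totals.append(sum(sample_severity(m, rng) for _ in range(n)))
    return sorted(totals)


def quantile(sorted_vals, q):
    return sorted_vals[min(len(sorted_vals) - 1, int(q * len(sorted_vals)))]


def risk_measures(sorted_losses, q=0.99):
    """Value-at-Risk and tail VaR (mean of the losses at or above the VaR)."""
    var = quantile(sorted_losses, q)
    tail = [x for x in sorted_losses if x >= var]
    return var, sum(tail) / len(tail)


def var_of_pooled_mean(xi, n, q=0.99, sims=10_000, seed=1):
    """VaR_q of the average of n i.i.d. GPD(xi, beta=1) losses."""
    rng = random.Random(seed)
    means = sorted(sum(gpd_quantile(rng.random(), xi, 1.0) for _ in range(n)) / n
                   for _ in range(sims))
    return quantile(means, q)


def diversification_ratio(xi, n=50):
    """VaR(pooled mean of n) / VaR(single risk). Below 1: pooling cuts capital
    per risk. Above 1: the non-diversification trap (tail index xi > 1)."""
    return var_of_pooled_mean(xi, n) / var_of_pooled_mean(xi, 1)


if __name__ == "__main__":
    # Threshold u set at the body's 90% quantile so the splice is consistent.
    model = SeverityModel(mu=9.0, sigma=1.5, u=math.exp(9.0 + 1.5 * 1.2816),
                          xi=0.7, beta=60_000.0, p_exceed=0.10)
    losses = simulate_annual_losses(model, freq_mean=12, freq_r=2.0, years=5_000)
    var99, tvar99 = risk_measures(losses)
    print(f"annual VaR99 = {var99:,.0f}  TVaR99 = {tvar99:,.0f}")
    for xi in (0.5, 1.5):
        print(f"xi={xi}: VaR ratio pooled/single = {diversification_ratio(xi):.2f}")
```

Run as a script it prints the annual VaR/TVaR of the assumed book and the two pooling ratios. With xi = 0.5 the ratio is well below 1 (a bigger book needs less capital per risk, the ordinary insurance logic); with xi = 1.5 it is well above 1, i.e. the 99% VaR per risk grows as more risks are pooled, which is why an insurer cannot diversify such exposures simply by writing more of them. Positive dependence across risks, the copula point on the slide, would reduce any pooling benefit further.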

Page 9

Cyber Insurance – Status Quo and Insurability

The consequences

• Market is very small (U.S. vs. rest of world)

• Conventional policies (property and liability) are frequently silent on whether cyber losses are covered (the bigger problem today)

• Insurability of cyber risks:

  "Cyber risk of daily life": not too big to insure; within-industry collaboration useful (e.g. pooling of data)

  "Extreme scenarios": difficult to insure; integration of the government (e.g. backstop for cat risk)

The main insurability problems are:

• Lack of data

• Lack of modelling approaches

• Risk of change

• Accumulation risk

• Potential moral hazard problems

Page 10

Cyber Insurance – Status Quo and Insurability

The consequences

The development of a more reliable and comprehensive data set on digital security incidents and digital risk management practice would likely require:

• (i) consensus on typology and taxonomy;

• (ii) a trusted public-private digital security incident repository;

• (iii) incentives (e.g., mandatory notification requirements) to promote reporting of incidents and data sharing by organizations.

Diagram on the slide ("Mandatory?"): trade-offs of incident reporting at local vs. global level, with direct costs, indirect costs (loss of trust), awareness and representativeness as the factors marked + / -.

Page 11

Cyber Insurance – Outlook / Future Research

Micro perspective

• Demand side research (e.g. risk perception, fatalism)

• Track technology and improve own IT; revise existing policies and develop new ones

• Optimal risk management and regulation (e.g. modelling; how much capital is needed to cover cyber risks?)

Macro perspective

• More scenario analyses for measurement and management of accumulation risk

• Potential systemic risk from cyber risk underwriting

• Become part of the global dialogue with stakeholders (pooling, common vocabulary, …)

Page 12

Thanks a lot for your attention!

…Questions?