Insurers are struggling to model cyber risk. Â In this first of two posts, I suggest that because of the dynamism and complexity of cyber risk, insurers should reconnect with the original purpose of models and then re-think their design. Â The result could be cyber risk models primarily designed to understand cyber risk rather than the risk insurers accept, which is not the same thing at all. Â The way cyber risk is understood also points to how it will then be managed.
In a second post, I will describe some of the elements I expect will form part of cyber risk models.
These ideas came out of reading a LinkedIn Groups (Privacy Risk ManagementÂ specifically) response toÂ thisÂ post. Â The response was:
The challenge for an insurer to provide DDoS cover is to find a model with which to assess the exposure, and thus ascertain the cover and risk exposure. This requires an assessment model of sorts to score the potential client (and maybe a form of compliance statement to ensure a minimum standard of care before cover can be provided). Developing that model is not impossible, but it will take some time before that model can be tuned as there are no histories to work with.
It made me read the original post, which turned out to be one of those well-researched but slightly generic descriptions of cyber insurance written by a law firm advertising for coverage counsel work; i.e. interesting if deliberately not very specific.
Back to the response, it is a straightforward, high-level route map to underwriting cyber risk and so it is difficult to argue with some of it. Â Like most commentaries on cyber risk however, it discusses cyber risk models without offering very much in the way of how such models might actually be designed. Â It also makes two common but I believe fundamental mistakes. Â It assumes cyber risk models will be like traditional models and that time alone will make cyber risk models effective.
On the contrary, I donâ€™t believe cyber risk models will resemble anything traditional â€“ i.e. loss based and tuned to emerging portfolio characteristics.Â In fact, I think that if we pursue traditional modelling approaches, we will never effectively model cyber risk.
One reason traditional models canâ€™t cope with cyber risk is, perhaps curiously, because of their reliance on portfolio theory. Â Portfolio theory is the core underpinning of risk acceptance, allowing insurers to safely assume that not all risks are going to have losses every year, even if they don’t know how many will have losses. Â But in relation to the amount and detail of risk information captured by insurers, and the frequency with which risk information is up-dated, portfolio theory also means insurers only capture enough information on each risk to verify that the risk falls broadly within the range of risks they want in a particular portfolio. Â This is because, while the portfolio gradually changes all the time – for example as new risks enter and non-renewals leave it – the insurer operates under the reasonably safe assumption that neitherÂ individual risks nor other elements of the portfolio (the environment in which the risks exist for example) will usually change so quickly that the insurer canâ€™t react to them.
The problem is that cyber risk isnâ€™t like that; it changes a lot and quickly.Â Â There are risks that potentially effect far more people, like pandemic risk and risks with far greaterÂ severityÂ potential, like quake.Â But there is no other risk that combines the number of potentially effected people and systems with so much severity potential, that is also in so constant a state of change, that is so complex and which, hardly surprisingly, crystallises into big losses so frequently.
Cyber risk is so different in fact that I donâ€™t think cyber risk models will be designed to serve insurers in the way traditional models are. Â Rather, I imagine cyber risk models will take a back to basics approach and be designed simply to understand cyber risk. Â Risk management, with risk transfer as an integral part of the overall process, will flow from understanding the risk – at least as well as that is possible with a risk that changes so much and so quickly. Â I believe in this idea of an independent model for two reasons.
First, because of cyber riskâ€™s complexity I doubt that any one entity (insurer or otherwise) will be able to build an effective model on their own. Â A model that is effective at understanding cyber risk will necessarily therefore be a collaborative process, first to collect sufficient data and second, so appropriate expertise is available to understand the data collected.
Second (and reinforcing the idea that collaboration can be a valid profit optimising strategy), in order to benefit from a collaborative modelling process, collaborators must have good reason to invest the time, money and effort needed to make an effective model. Â I therefore expect that potential collaborators -Â system owners,Â insurers and the many experts needed to analyse cyber risk – will each want to be free (probably within a creative commons framework) to make decisions about how they choose to address cyber risk in their own interests.
A further purpose of the model will then be to allow for and to accommodate those decisions within the model â€“ up to a point of course; ignoring cyber risk not being one of the options! Â System owners will be able to decide how much to spend (on security for example) and what to prioritise based on model outputs of the latest threats or new legal concepts. Â Insurers will be able to make similarly based decisions on the kind and amount of exposure they wish to accept. Â Experts will be able to offer their services to system owners, insurers and others based on what they learn from the model, as long as the service is attributed to the model.
The sum of these issues suggests to me that it will make more sense for insurers and system owners to work together with relevant experts to design a model; an alternative would be to leave the design to an independent third party. Â In either case, there are a few implications that flow from this suggestionâ€¦
One is that, by designing a full risk management model that fully integrates risk transfer, the model would put insurance (at least for cyber risk) back into its proper relationship with the rest of risk management, as opposed to it being the afterthought it often seems today. Â Another would be that the almost impossible problem of both insurers and their customers maintaining â€˜utmost good faithâ€˜ towards each other, in the face of a constantly changing risk, would be eliminated. Â Yet another however, is that the insurance value chain, as we know it today, would cease to exist. Â But Iâ€™ll stick with the model discussion for nowâ€¦
In this first post, I have indicated why I donâ€™t think traditional modelling approaches will be effective for cyber risk and that insurers arenâ€™t going to have enough resource or expertise to build the new kinds of models needed on their own. Â Equally however, risk owners and experts arenâ€™t going to invest time, money, data or expertise into a model that doesnâ€™t directly help them otherwise address cyber risk in their own interests.
In part two, I will try to describe some of the main ingredients of such a cyber risk model.