The Intelligent Quarterly from the publishers of The Insurance Insider

Winter 2017 / 2018



A Herculean task

Catrin Shi

In Greek mythology, the Hydra was a multi-headed serpentine monster, which struck fear into the hearts of all who knew of its existence.

Guardian to the underworld, it was a formidable foe - each snake-like head contained hundreds of sharp teeth and emitted poisonous breath, and were one to be severed, two would grow in its place.

Its blood was described as so virulent that even its scent was deadly - and many unwitting mortals were said to have fallen victim to this silent killer.

They say there are always lessons that can be drawn from Greek legends, and Hercules' valiant efforts to slay the Hydra are not too dissimilar to those currently being made to quantify the (re)insurance industry's exposure to cyber risk.

The industry is struggling to get its head around cyber risk and its multiple mutations. With the class of business still in its formative years, carriers are yet to fully understand how far a large-scale cyber insurance loss could silently creep into other unassuming areas of portfolios.

In the case of the Hydra, Hercules needed a helping hand from his nephew, Iolaus, to eventually defeat the beast.

And similarly, the industry is looking to risk modellers to help get a handle on this constantly evolving peril.

A handful of brave candidates have stepped up to the mark and developed new models, which they believe are the first step in providing assurance to carriers on their cyber risk exposure.

Both AIR Worldwide and RMS have now launched second generation cyber models, while the major reinsurance brokers have all either developed their own cyber models or done so in conjunction with cyber security experts.

However, the industry acknowledges it is still early days.

"If cat modelling is in its mature adulthood, I would say casualty modelling is in its adolescence and cyber modelling is still in its infancy," says Mark Synnott, executive vice president at Willis Re. "Not only is cyber a newer phenomenon, we still don't know where all the threats are coming from, and they are changing all the time."

There are two facets to cyber modelling that are of benefit to the (re)insurance industry, adds Andrew Newman, global head of casualty at Willis Re.

The first is a mechanism to aid accurate risk selection, he explains, suggesting that the industry is getting better at scoring risks, through a variety of different cyber modelling vendors.

He continues: "The second is that at the enterprise level, the industry needs to know the magnitude of the bet they are taking on cyber.

"There is a concern that the interconnectivity of risk [in this class] can lead to a loss at a systemic level, which is in theory more significant than in property cat."

While carriers can largely limit their accumulation risk to cat perils by simply avoiding certain cat zones, there is a concern over the interconnectedness of loss in cyber, especially when it comes to business interruption (BI), Newman adds.

Synnott believes that the inability to get a handle on accumulation risk and find a true probable maximum loss for cyber is acting as a block to any deepening of the cyber market.

"This uncertainty and lack of confidence is hampering (re)insurers' intuitive appetite to sell new insurances to new customers. I would not underestimate the importance of accumulation management as a real, de facto braking mechanism on insurers' willingness to throw out big [cyber] limits across the world."

Deterministic scenarios

So far, available cyber models have focused on assessing exposures by running a series of deterministic scenarios across proprietary databases of claims and cyber security data.

Both RMS and AIR claim to be able to assess the aggregation of cyber risk across a portfolio, even for the much-feared "silent" exposures, through this method.

Scott Stransky, assistant vice president and principal scientist at AIR Worldwide, explains how his firm's latest model extended real-life attacks for longer periods of downtime to calculate economic loss estimates.

In March this year, a single typo took down the servers at Amazon Web Services for five hours, triggering outages or service disruption at the hundreds of websites and apps that use the platform.

In reality, the limited amount of downtime would likely have been insufficient to break through a BI deductible. But by taking this same scenario and running it against the Fortune 1000 companies for a day's worth of downtime, AIR estimated an economic loss of $3bn.

"That is a decent amount of loss and insurers need to be aware and prepared for these things," says Stransky. "We want to make the insurance industry more resilient to cyber-attacks, and at the moment the insurance industry has a tough time grasping these points of aggregation."

The latest version of the RMS cyber risk model also aims to provide a view of what the worst-case scenario would be based on extensive cyber security research.

RMS used a range of data points, from studies of systems and their vulnerability to instances of data breaches, cloud service failures and changing hacker behaviours, explains senior cyber product manager Tom Harvey.

He adds that while cyber is an extremely dynamic peril in terms of threat and exposure, the outcome of a worst-case scenario changes relatively little.

"When you are looking at the worst-case scenario, you can fairly confidently look at the technical and motivational limitations in place in order to draw a line in the sand," he says.

When RMS asked its clients what they needed from a cyber model, most said they had a handle on the risk selection, because at the moment loss ratios are relatively low, according to Harvey.

"They also said the market was taking care of the pricing element. What worried them was the risk accumulation," he explains. "Since we have had a model out there we have had a lot of feedback which said the type of analytics we use in our accumulation model actually has a place in the pricing and underwriting of cyber risk."

1,000% differentials

However, from an underwriter's perspective, the jury is still out on the effectiveness of available cyber models.

"In summary I personally don't yet feel that any one of the industry models out there are compelling enough to be solely relied upon, even though as a group we do purchase from, and engage and talk to these modelling providers," explains Scott Bailey, senior underwriter and head of emerging risks at Markel International.

As a result, the firm has developed an in-house realistic cyber disaster scenario and loss projection model.

The team at Markel International has seen significant discrepancies between the commercial offerings in the marketplace. Sometimes there are thousands of percent differentials in terms of the modelling outcomes from different commercial providers, Bailey continues.

"Seeing significant variations in the commercial model outcomes does unfortunately undermine confidence in any accuracy takeaway from those models," he adds.

But there is a greater awareness that this is uncharted territory for cyber risk modellers.

"It is easy to sit and criticise the discrepancies, but there are lots of different opinions on what a cyber-catastrophe will look like, and in reality no one is right or wrong, because no one has actually witnessed one," says Bailey.

"The reality is until we see a cyber-cat or a cyber 'doomsday', nobody will really know what accurate modelling actually is."

Data mining challenge

The lack of reliable data is a major hurdle in the progression of cyber modelling. Although cyber insurance as a product has been around for some 15 years in various guises, the losses of a decade ago are often irrelevant in assessing cyber exposures today.

So with scant claims data to hand, cyber risk modellers are having to start from scratch to try to map out the risk landscape.

"There are lessons that we can learn from property and casualty modelling, absolutely, but fundamentally cyber is a new peril. It is a new risk that we need to model," says Harvey.

"Beyond the 30,000-foot view, when you start getting into how you build out a cyber model, it does fundamentally differ from the natural catastrophe modelling which RMS and the industry have been comfortable with."

However, even with the seemingly unpredictable human element to cyber risk, risk modellers are confident in their ability to find solutions.

"There are people who say you can't possibly model cyber risk because of the human element and the adversarial situation," says Alice Underwood, head of the analytics team for Willis Re North America.

"To which I say, the (re)insurance industry has been modelling risks which have a human element and adversarial situations forever and ever - any professional liability claim has an adversarial situation. So that doesn't worry me so much - those types of things are difficult but not impossible."

RMS is utilising "hackernomics" - the supply-demand dynamic of hacking services and data record sales available on the dark web - to try to predict hacker behaviour, while AIR records human behaviour and companies' HR practices in its data collection to try to factor in the human element for cyber models.

However, the ultimate goal for cyber modellers is to layer probability into their models, so that cyber modelling can be more on a par with property catastrophe modelling.

"We can do that in two stages," explains Stransky. "One, adding probabilities to the individual scenarios, and then two, building a full, truly probabilistic model. That is our goal."

Bailey agrees that the "perfect modelling solution" would give insurers the ability to assess their exposure for a 1-in-25-year event versus a 1-in-200-year event, for example - although it would take a Herculean effort from a vendor.

"It would take a very, very bold modelling company to offer their own probabilistic suggestions, as no one yet knows the frequency of these events," he says.

Having confidence in the frequency of cyber loss events would go a long way to stabilising pricing in the market, according to Bailey.

He says there is an element of "caution pricing" from underwriters at the moment to account for this uncertainty.

"As soon as the industry can remove that uncertainty and the industry can decide what a profit point looks like, then I think they can get more aggressive on pricing.

"There are a lot of comments from potential policyholders that cyber insurance is too expensive; the reality may be that it's not expensive enough."

The consensus is that the (re)insurance industry still has a long way to go before it can truly rely on a cyber model. But in tackling this emerging peril, arguably two heads are better than one.

This article was published as part of issue Summer 2017
