Modeling Cyber Exposure
The two most common questions I’m asked when assessing a client’s cyber risk are:
- What’s my loss exposure?
- How much insurance should I buy?
These are great questions, and up until now we’ve had to rely on limited historic data that only provided a general idea of exposure, limits and cost. But as we know, every company is different, and until now it has been hard to develop specific loss projections from very general data.
Catastrophe researchers are working on the development of cyber risk modeling based on the same principles as catastrophe modeling for property insurance. This new modeling may help insurers and risk managers gauge probable maximum losses for cybercrime. The model is still in the development phase and there are a couple of issues that developers first need to overcome.
One major issue is finding enough relevant data, which can be challenging. A substantial amount of historical data used in storm modeling is publicly available through government agencies, but cyber data is much harder to obtain. A big reason is that this data is held by private companies who often don’t want to divulge it, or it’s hidden in the financials. Also, there are some critics who feel that even if there were a large volume of data collected over several years, it’s unlikely that this data, by itself and used in a traditional way, would have any significant predictive value.
In addition to traditional catastrophe modeling applied to cybercrimes, there’s another area of modeling that’s financially based and focused on helping insurers and companies understand the specific aspects of cyber risk. These types of tools are geared to help risk managers and other buyers determine how much cyber insurance to buy, as well as where to focus their cyber risk mitigation. This starts with a business assessing its specific exposure to cyber threats and system deficiencies, and determining the highest loss exposure it could face.
There’s obviously much more development needed before any of these models can accurately predict ultimate losses unique to every company. However, the fact that insurers and businesses are focused on development only confirms that cybercrime and data breaches are here to stay and the risk exposure will continue to grow.