3 Key Takeaways About Aggregated Cyber Risk
- Identifying potential sources of aggregation and establishing a formula for aggregation scenarios allows insurers to minimize unknowns and identify areas of focus.
- Cyber aggregation risk is a dynamic topic with a lot of uncertainty, making greater cooperation between leading cyber (re)insurers, risk model vendors, researchers, and major technology companies essential.
- Models are a necessary part of aggregated cyber risk management, but not the only part, and they are still improving and developing.
Given the influx of major supply chain attacks and cyber war events, insurers must take on the exceedingly challenging task of quantifying aggregation risk, including that arising from supply chain attacks, and modeling catastrophic cyber risk. We talked to Rory Egan, Senior Cyber Actuary at Munich Re, about current models and scenario generation.
Rory Egan has deep experience as an insurance underwriter, cyber consultant, and insurance risk manager. He continues to support clients with solutions to grow their cyber portfolios while reducing their risk as much as possible.
Keep reading to learn about cyber risk aggregation and how insurers can manage their risk.
Identify Sources of Aggregation
NetD: How should cyber insurers go about understanding aggregation risk?
RE: They should start by attempting to identify “sources of aggregation” which, if exploited or disrupted, have the potential to negatively impact many organizations, endpoint devices, or individual persons. Sources of aggregation include widely relied-upon technologies, services, companies, and the paths of interconnectivity between them. From there, the aggregated loss potential in a cyber insurance portfolio from various plausible but extreme cyber events can be further investigated.
There’s a potentially limitless number of different aggregation scenarios that could be imagined, and these constantly evolve as technology and threat actor capabilities progress. Therefore, a repeatable and structured “scenario generating process” can be helpful to create a representation of the universe of knowable potential scenarios and to minimize “unknown unknowns.” The scenarios generated in such a process can then be ranked by importance from the point of view of the insurer in order to determine areas of focus for its risk management and modeling efforts.
Understanding Aggregation Loss Potential
NetD: What does the aggregation loss potential really look like for cyber? Is this a completely overblown topic, is it too large to even be insured, or are we kidding ourselves if we think we can begin to understand this?
RE: If we look at the major cyber aggregation events we’ve seen thus far, such as WannaCry, NotPetya, and more recently, SolarWinds and the Microsoft Exchange server hack, it’s easy to reimagine more extreme (but still plausible) variants of these scenarios. For example, imagine if the espionage campaign carried out via SolarWinds was instead used to deliver a data-destroying payload. The cyber business interruption losses that would be suffered, if covered, would represent a catastrophic event for the cyber insurance market.
So I don’t think it is overblown as a topic, but we are indeed working in a highly dynamic area and dealing with a lot of uncertainty. Regarding how bad it could get: This is the focus area of the cyber risk management and modeling community. There is a case for greater cooperation between leading cyber (re)insurers, risk model vendors, researchers, and major technology companies to continually improve our collective understanding as an industry. Making progress together will be a crucial factor for the continued growth and sustainability of the cyber insurance market.
Aggregate Models: Can Cyber Insurers Rely on Them?
NetD: What about models? How mature are they, and to what extent can cyber insurers rely on them?
RE: Models are an important part of aggregation risk management, but not the only part. We need to recognize that certain types of risk could be potentially ruinous for insurers and that we will struggle to quantify or model them with the necessary level of robustness.
So far, the market has identified “infrastructure failure” (e.g., failure of power and telecommunication networks including the Internet) and “cyber war” (e.g., an escalation towards repeated retaliatory massive cyber-attacks between nation-states) as areas of “unmanageable aggregation risk,” which are dealt with by excluding the risk altogether, rather than by using models.
For the “in-scope” aggregation risk, models are used with a certain level of confidence for the specific use case of determining the magnitude of the worst-case loss in a portfolio from a given set of scenarios.
But where there is not yet adequate trust in models is in the use case of “pricing” the catastrophe risk, due to the difficulty in 1) determining the occurrence probabilities of the modeled scenarios and 2) understanding the extent of “non-modeled risk” not captured by the chosen modeled scenarios. This lack of trust in probabilistic aggregation models is evidenced by the lack of a meaningfully sized retro or capital market for cyber catastrophe risk so far.
Fortunately, the models developed both internally by market leaders and available externally from model vendors have improved measurably over the past few years. Continued investment of resources, innovation, and collaboration is needed to get to the “next level.” One example is the pioneering Munich Re partnership with Google Cloud and Allianz, which will allow for an improved understanding of cloud-based aggregation risk.
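As an added illustration of the process described in this interview (identifying sources of aggregation and the interconnectivity between them, generating a scenario per source, and ranking scenarios by worst-case portfolio loss, the modeling use case Rory describes above), here is a toy aggregation model. It is not Munich Re's or NetDiligence's code, and every technology name, policyholder, insured limit and loss fraction in it is constructed for illustration.

```python
from collections import deque

# Constructed dependency graph: technology -> technologies it relies on.
DEPENDS_ON = {
    "erp_saas": {"cloud_provider_a"},
    "email_saas": {"cloud_provider_a", "cdn_b"},
    "it_mgmt_tool": set(),  # widely deployed on-prem IT management agent
    "cloud_provider_a": set(),
    "cdn_b": set(),
}
# Constructed portfolio: policyholder -> (insured limit, direct technology dependencies).
PORTFOLIO = {
    "retailer": (5_000_000, {"erp_saas", "it_mgmt_tool"}),
    "law_firm": (2_000_000, {"email_saas"}),
    "manufacturer": (8_000_000, {"erp_saas", "it_mgmt_tool"}),
    "hospital": (6_000_000, {"email_saas", "it_mgmt_tool"}),
    "bank": (10_000_000, {"cdn_b"}),
}

def affected_by(source, deps=DEPENDS_ON):
    """Technologies that fail when `source` fails: the source plus all transitive dependents."""
    affected, queue = {source}, deque([source])
    while queue:
        node = queue.popleft()
        for tech, upstream in deps.items():  # walk the dependency edges in reverse
            if node in upstream and tech not in affected:
                affected.add(tech)
                queue.append(tech)
    return affected

def exposed_policies(source):
    """Policyholders with at least one direct dependency on a failed technology."""
    failed = affected_by(source)
    return {p for p, (_, direct) in PORTFOLIO.items() if direct & failed}

def scenario_loss(source, severity):
    """Aggregated loss if `source` fails and each exposed policy loses `severity` of its limit."""
    return sum(PORTFOLIO[p][0] * severity for p in exposed_policies(source))

def rank_scenarios(severities):
    """(source, loss) pairs ordered by worst-case portfolio loss, largest first."""
    ranked = [(s, scenario_loss(s, sev)) for s, sev in severities.items()]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)

if __name__ == "__main__":
    # Assumed loss fractions per scenario (constructed, not calibrated).
    sev = {"cloud_provider_a": 0.3, "it_mgmt_tool": 0.5, "cdn_b": 0.1, "erp_saas": 0.4}
    for source, loss in rank_scenarios(sev):
        print(f"{source:18s} exposed={sorted(exposed_policies(source))} loss={loss:,.0f}")
```

In this constructed portfolio the largest worst-case loss comes from the unglamorous on-prem management agent rather than the cloud provider, which is the kind of finding the scenario-ranking step is meant to surface.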
Summarizing Cyber Risk Aggregation
We want to thank Mr. Egan for his terrific insights here. This topic can be truly mind-boggling. Cyber risk aggregation forecasting, in my opinion, is one of the most difficult aspects of managing cyber risk for any insurer or reinsurer.
Rory concisely summarized exactly why this is the case with a “limitless number of different aggregation scenarios that could be imagined, and these constantly [evolving] as technology and threat actor capabilities progress.” Rarely does a large-scale scenario that was already predicted at a granular level actually happen. But we still need to try because even if we don’t get it right, we learn from each modeling exercise and each real-life event.
Finally, Rory’s comment about the collective need for “greater cooperation between leading cyber (re)insurers, risk model vendors, researchers, and major technology companies to continually improve our collective understanding” is spot on. This collaboration will be paramount going forward, and it is our hope that NetDiligence can play a quarterbacking role here to help bring together these diverse industry experts for the collective good.
Effective Cyber Risk Management
Understanding cyber risk management, including aggregated risk, is an integral part of any company's approach to managing risk. Are you interested in learning more about how you can manage your risk with the right incident response plan? Find out about NetDiligence’s Breach Plan Connect® today.