- CyVaR reports the VaR, or value at risk, as a dollar amount for the enterprise as a whole and for each individual business application (i.e., corporate email, SAP, etc.).
- CyVaR also reports the average expected loss (or 50th percentile amount) for the enterprise as a whole and for each individual business application.
- VaR and average expected loss are further broken down by loss type (which have some relationship to various insurance coverages). Loss types include such things as lost revenue, data recovery, extortion payments, compliance costs, etc.
- Costs related to recovering from a data breach such as data recovery, notification, monitoring services, business interruption losses, penalties and fines, etc., are included but are not necessarily called out individually.
- VaR includes the financial impact of the loss or compromise of IP.
- CyVaR also identifies mitigations or actions that can be taken to reduce VaR and estimates the percentage by which VaR would be reduced through those actions.
- AIR Worldwide is developing a number of deterministic cyber risk scenarios, which provide insurance company costs as outputs—one of which has already been released.
- AIR is also in the process of developing a probabilistic model, which will provide metrics like “average annual loss” and exceedance probability curves for losses, similar to natural catastrophe models.
- The first version of AIR’s cyber model looks specifically at security breach costs, security breach liability and business interruption.
- As later versions are developed, AIR may consider other coverages, but to date, these have been the ones that cause the greatest loss to insurers, Stransky said.