The rapidly emerging and evolving world of cyber risk poses a paradox for property/casualty insurers, according to two panelists addressing “Risk Selection in Cyber Insurance” at the Casualty Actuarial Society’s 2018 Ratemaking and Product Management seminar, March 19-21 in Chicago.

On the one hand, there are “mountains” of data regarding cyber assets and risks, according to Raveem Ismail, director for insurance/reinsurance at Fractal Industries. On the other hand, he said, there is a dearth of technical research for applying that data to the underwriting and pricing of cyber coverage.

That’s a problem, he said, when you consider that humans in almost any capacity—including insurance providers and buyers—like to have a single number as the measure of a risk relative to other risks.

“Analysts can get frustrated when decision-makers don’t consider the context and nuances that go into calculating a number. It is clear they still value having a single number as an indicator,” he added.

To that end, Ismail and his co-panelist, Ari Chatterjee, incoming chief underwriting officer for Envelop Risk, have developed a single number to help insurers writing cyber coverage identify the relative level of cyber risk posed by individual companies or industry sectors.

The cyber risk score developed by Ismail and Chatterjee is a number between 0 and 1 called the “PTBA,” for “propensity to be attacked.” An index of 0 would indicate virtually no likelihood of a successful cyber attack; an index of 1 would indicate that such an attack would be virtually certain to occur.

Components

A PTBA is derived from one of four “attacker profit functions,” equations developed by Ismail and Chatterjee to estimate the cost-benefit analysis for each of four types of operators undertaking an attack:

  • A nation-state actor, the most serious threat, which has the motivation and funding to sustain sophisticated attacks against any target deemed to be strategically important.
  • An independent criminal, who will be very sensitive to “monetary profit” considerations and chooses targets according to the rewards available relative to the cost and effort needed.
  • A “hacktivist,” an independent group or individual that is motivated to do some sort of damage but may not have the funding and sophistication to sustain an effective campaign.
  • An “insider,” who may have pecuniary motives (financial distress) or emotional ones (seeking retaliation) and already knows the strengths and vulnerabilities of his or her data targets, at least temporarily.

The attacker profit function essentially subtracts the cost and time required for a successful attack from the direct and indirect rewards gained by a successful attacker. In this way, the calculation of a PTBA reflects the effectiveness of cyber defenses to the extent they increase the time and cost for an attacker.

While large organizations commonly find their data systems being probed by would-be hackers, Chatterjee noted that “annual revenue does not always correlate to a higher PTBA.” Smaller organizations may be easier targets that are nonetheless more lucrative if they hold data of an import disproportionate to their revenue (e.g., data brokers).

So far, Ismail and Chatterjee have demonstrated that PTBAs can be calculated for various commercial sectors from publicly available data, making scores available for selecting risks and managing risk correlations in a book of cyber insurance.

As the scores become more refined with data availability, Ismail and Chatterjee project that PTBAs can be used to refine pricing metrics for individual cyber policies.