Cyber Risk and Cyber Risk Insurance: What do we know? What can we measure? Martin Eling OECD Expert Workshop, May 13, 2017
Management Summary
• Research Approach:
  Overview of the main research topics in the fields of cyber risk and cyber risk insurance (based on a dataset of 211 papers)
  We also illustrate future research directions (from a practical and academic point of view)
• Results:
  Significant difficulties in insuring cyber risk, especially due to a lack of data and modelling approaches, the risk of change and risk accumulation
  We also discuss various ways to overcome these insurability limitations (mandatory reporting requirements, pooling of data, public-private partnerships)
Eling | Cyber Risk and Cyber Risk Insurance | May 13, 2017 2
Motivating Example: p2.gg/fup
• How likely do you consider an internet failure lasting several days throughout Switzerland over the next five years? (Answer scale: 0% to 100%)
A few benchmarks for Switzerland:
- Cyber insurance experts: 42%
- Board members of SMEs: 38%
Research Approach: Three clusters and ten key questions
Summary of Existing Knowledge on Cyber Risk and Cyber Insurance
1. What is cyber risk? Definition and categorisation
2. What are the costs and detrimental effects caused by cyber risk?
3. Where do we find data on cyber risk? (The good news)
4. How can we model cyber risks? (The bad news)
5. Micro perspective: How should cyber risk management be organised?
6. Macro perspective: Is cyber risk a threat to the global economy and society?
7. Cyber insurance market: What is the status quo and what are the insurability challenges? (The consequences)
Derivation of Potential Future Work (Practical Perspective)
8. What should the insurance industry do to prevent cyber risks and to support cyber insurance?
9. What should the government do to prevent cyber risks and to support cyber insurance?
Derivation of Potential Future Research (Academic Perspective)
10. What are future research directions in the area of cyber risk and cyber insurance?
What is cyber risk?
Any risk emerging from the use of information and communication technology (ICT) that compromises the confidentiality, availability, or integrity of data or services
Diagram (Source: Advisen):
Causes
• Natural disasters
• Criminality
• War
• Terrorism
• Accidental
Operational technology (OT)
• Business interruption
• Infrastructure breakdown
• Physical damage to humans and properties
Information and communication technology (ICT)
• Compromise of
  • Confidentiality
  • Availability
  • Integrity
Cyber Risk Characteristics
• Extreme events
• Risk of Change
• Data Uncertainty
• Modelling uncertainty
• Interdependencies
High costs and manifold detrimental effects of cyber risk
High costs
• …113 b USD (Symantec, 2013)
• …445 b USD (McAfee, 2014)
• … up to 1’000 b USD (Kshetri, 2010)
• …estimates vary substantially and might be biased (Anderson et al., 2013)
Manifold detrimental effects
• … on companies (stock prices, ratings)
• … on individuals (erosion of privacy)
• … on economic growth (costs and benefits of ICT)
• … major part of the effects are indirect (reputational, loss of trust, …)
The good news: Where do we find data on cyber risk?
Aggregated Data
• Hackmageddon: Cyber Attacks Timeline
• Ponemon: Cost of Data Breach Studies
• NetDiligence: Cyber Claims
• McAfee: Global Cost of Cybercrime
Raw Data
• SAS OpRisk Data (Biener, Eling, Wirfs, 2015)
• DataLossDB (Risk Based Security)
• Chronology of Data Breaches (PRC)
• Honeynet (Honeynet.org)
• Internet Storm Center (ISC, SANS Institute)
The bad news: How can we model cyber risks?
• Extreme value theory / peaks over threshold approach; use of heavy tail distributions (e.g. log-normal/GPD for severity, negative binomial for frequency) (Eling & Schnell (2016); Eling & Wirfs (2016))
• Problem: Non-diversification trap for heavy-tailed risks (Ibragimov et al., 2009)
• Another problem: Nonlinear dependence for aggregation of cyber risk (typically applying copulas).
Böhme and Kataria (2006):
                               Global correlation
                               Low                 High
Internal correlation   High    Insider Attack      Virus
                       Low     Hardware Failure    Phishing
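The non-diversification trap named on this slide can be made concrete with a small simulation. This is an added example, not part of the original slides: it assumes a Pareto severity (a stand-in for the heavy-tailed severities listed above), tail indices 3 and 0.5, a pool of 10 independent risks and the 99% value at risk; all function names are hypothetical.

```python
import random

def pareto_loss(rng, alpha):
    """One loss from a Pareto(alpha) law with minimum 1 (inverse-transform sampling)."""
    # 1 - random() lies in (0, 1], so the power is always defined.
    return (1.0 - rng.random()) ** (-1.0 / alpha)

def value_at_risk(samples, level):
    """Empirical quantile: the loss exceeded in a fraction (1 - level) of the samples."""
    ordered = sorted(samples)
    return ordered[int(level * len(ordered))]

def var_per_policy(alpha, pool_size, level=0.99, trials=20000, seed=2017):
    """VaR of the average loss per policy when pool_size iid risks are shared equally."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    averages = [
        sum(pareto_loss(rng, alpha) for _ in range(pool_size)) / pool_size
        for _ in range(trials)
    ]
    return value_at_risk(averages, level)

def diversification_ratio(alpha, pool_size=10):
    """Pooled VaR per policy divided by stand-alone VaR; above 1 means pooling hurts."""
    return var_per_policy(alpha, pool_size) / var_per_policy(alpha, 1)

if __name__ == "__main__":
    # Assumed tail indices: 3.0 has finite mean and variance, 0.5 has an infinite mean.
    for alpha in (3.0, 0.5):
        print(f"tail index {alpha}: pooled/stand-alone VaR = "
              f"{diversification_ratio(alpha):.2f}")
```

With tail index 3 the ratio falls below 1, so pooling lowers the capital needed per policy; with tail index 0.5 it rises above 1, which is the trap: sharing extremely heavy-tailed risks raises each participant's tail exposure.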
The consequences: Cyber Insurance – Status Quo and Insurability
• Market is very small (U.S. vs. rest of world)
• Conventional policies (property and liability) are frequently silent on whether cyber losses are covered (the bigger problem today)
The main insurability problems are
• Lack of data
• Lack of modelling approaches
• Risk of change
• Accumulation risk
• Potential moral hazard problems
• Insurability of cyber risks:
  “Cyber risk of daily life”: Not too big to insure; within-industry collaboration useful (e.g. pooling of data)
  “Extreme Scenarios”: Difficult to insure; integration of the government (e.g. backstop for cat risk)
The consequences: Cyber Insurance – Status Quo and Insurability
The development of a more reliable and comprehensive data set on digital security incidents and digital risk management practice would likely require:
• (i) consensus on typology and taxonomy;
• (ii) a trusted public-private digital security incident repository;
• (iii) incentives (e.g., mandatory notification requirements) to promote reporting of incidents and data sharing by organizations.
Diagram labels: Local / Global
Mandatory?
+
• Awareness
• Representativeness
-
• Direct costs
• Indirect costs (loss of trust)
Cyber Insurance – Outlook / Future Research
Micro perspective
• Demand side research (e.g. risk perception, fatalism)
• Track technology and improve own IT; revise existing policies and develop new ones
• Become part of the global dialogue with stakeholders (pooling, common vocabulary,…)
Macro perspective
• More scenario analyses for measurement and management of accumulation risk
• Potential systemic risk from cyber risk underwriting
• Optimal risk management and regulation (e.g. modelling; how much capital is needed to cover cyber risks?)
Thanks a lot for your attention! … Questions?