1 Introduction
2 Background and literature review
2.1 Literature review
2.1.1 Game-theoretic studies
2.1.2 Interdependence and network models
2.1.3 Data-driven studies
2.2 Background on cyber insurance
2.2.1 Challenges and insurability of cyber risk
2.2.2 Cyber insurance policies: coverage and exclusions
2.2.3 Cyber insurance: risk assessment and pricing in practice
2.2.4 The potential of cyber insurance: insurance as a service
3 Cyber risk: a holistic view
3.1 Definition and key characteristics
Interpreted from the actuarial perspective, the traditional approach of quantifying risk by frequency and severity of incidents, and combining them (potentially using an appropriate dependence structure) to obtain an aggregated loss distribution, is complicated for cyber risk. We follow [25, 63] in summarizing the central properties of cyber risk: “Any risk emerging from the use of information and communication technology (ICT) that compromises the confidentiality, availability, or integrity of data or services. [...] Cyber risk is either caused naturally or is man-made, where the latter can emerge from human failure, cyber criminality (e.g. extortion, fraud), cyberwar, and cyber terrorism. It is characterised by interdependencies, potential extreme events, high uncertainty with respect to data and modelling approach, and risk of change.”
- Absence of historical data: The novelty of this risk and the absence of an established terminology for cyber incidents make it difficult for insurers to create a reliable database with information on losses. This is exacerbated by a reporting bias, i.e. companies are often reluctant to reveal incidents in order to avoid reputational damage.
- Dynamic risk type: Cyber risk is as non-stationary as the underlying technology and legal framework, which limits the usability of past data for modelling future losses. Among the main features that underscore the dynamic nature of cyber risk are the growing speed and scope of digital transformation, widening sources of vulnerability from hyperconnectivity, and the evolution of threat actors [2].
- Strategic threat actors: Cyber losses do not occur in a completely random fashion, as they are often caused by malicious actors with strategic (economic) motives and attack patterns. In 2018, Lewis [6] even described the trend of cybercrime as a service (CaaS), encompassing a large diversity and volume of cybercrime offerings, including products (e.g. exploit kits, custom malware) and services (e.g. botnet rentals). Around this, a thriving cybercrime economy has emerged from the related communities, offering for instance product development and technical support.
- Interdependence/Accumulation risk: The interconnectedness of IT systems and the often systemic nature of vulnerabilities induce a dependence structure within and across company networks and the potential for loss accumulation.
- Interdependence of security: Another consequence of network interdependence is the presence of negative externalities regarding security, which in a game-theoretic context may lead to an equilibrium in which all companies underinvest in security, so that the overall network is insufficiently protected.
- Difficult impact determination: Due to the intangible nature of information assets, it is often difficult to quantify the economic consequences of a cyber incident.
- Information asymmetry: Cyber insurance exhibits two sorts of information asymmetry: adverse selection and moral hazard. The former refers to the challenge for an insurer of reliably determining a company’s risk exposure; the latter to the difficulty of ensuring that this risk exposure is maintained throughout the entire contract period.
3.2 Cyber risk factors
3.2.1 Threats
Type of cyber incident | Abbreviation | Information security goal compromised by this incident type | Definition of information security goal [67] |
---|---|---|---|
Data breach or data loss | DB | Confidentiality | Prevention of unauthorized disclosure of information |
Business interruption | BI | Availability | Prevention of unauthorized withholding of information or service |
Fraud (or general incident) | FR | Integrity | Prevention/detection of unauthorized modification or deletion of information |
- Targeted attacks: Malicious attacks that target one firm specifically due to its characteristics and assets. Usually, the attack vector is tailor-made to circumvent the company’s defense strategies.
- Individual failures: Non-malicious incidents at single firms that happen due to internal or external machine or system malfunction or human error.
- Untargeted attacks: Malicious attacks (from an external source) that do not target one firm specifically because of its characteristics, but are opportunistic in the sense that they attack many available targets—usually simultaneously.
- Mass failures: Non-malicious events that affect multiple entities simultaneously, such as the failure of a cloud service provider.
Incident type | Idiosyncratic: targeted attack | Idiosyncratic: individual failure | Systemic: untargeted attack | Systemic: mass failure |
---|---|---|---|---|
Data breach (DB) | Targeted data theft | Individual unintended data disclosure | Data theft through widespread malware/phishing | Unintended data disclosure at cloud service provider |
Business interruption (BI) | Targeted (D)DoS/ransomware attack | Disruption of IT system or process through accidental malfunction | Widespread ransomware attack | Cloud service outage disrupting business services |
Fraud/general (FR) | CEO fraud through targeted (spear-)phishing attack | Accidental compromise of database by employee | Widespread ransomware attack or social engineering fraud | Accidental compromise of data stored at cloud service provider |
3.2.2 Vulnerabilities and controls
- Industry sector: Previous studies indicate that both the number and cost of cyber incidents depend on the industry [3, 5, 51, 52, 54, 55], with regulated industries such as healthcare and financial services suffering most. Wheatley et al. [54] mention that the industrial sector as a risk factor may serve as a proxy to identify relatively homogeneous subgroups of companies with respect to their frequency of interaction with consumers and the total volume of personal data they guard.
- Data: It is intuitive that the amount and sensitivity of data handled by a company is a risk factor, as actors with economic motives in particular will target companies holding large amounts of valuable data in order to maximize their economic gain. In practice, this is already incorporated into insurance pricing via hazard weightings [15].
- Company size: Regarding the size of a company, there are different aspects to be considered: large, publicly known companies are prime targets for threat actors with reputational motives, whereas SMEs are often worse protected due to budget constraints or their lower awareness of cyber risks.
3.2.3 Impact
3.3 Properties of a cyber risk model
- Different types of incidents (DB, BI, and FR/general incidents) should be distinguished.
- The model should include idiosyncratic incidents and systemic events, where both categories can include malicious and non-malicious causes. Systemic events stemming from common vulnerabilities are particularly worrisome as they entail accumulation risk.
- Companies should be viewed as heterogeneous, as their exposure and resilience to cyber threats depend on their characteristics. The most relevant such characteristics are the industry sector, the company size, the data handled by the company, and its IT security level.
- The model should be able to capture the dynamic nature of cyber risk, as occurrence rates as well as the impact of cyber incidents may change over time.
4 Actuarial model
4.1 Insurance portfolio
Covariate | Abbreviation | Type | Scope | Information availability | Comment |
---|---|---|---|---|---|
Industry sector | b | Categorical | FI: finance and insurance; BR: businesses (retail); HC: healthcare; EDU: education; GOV: government and military; MAN: manufacturing | Public data | |
Size | s | Ordinal | 1 Small; 2 Medium; 3 Large | Public data or questionnaire | |
Data | d | Ordinal | 1 Low risk; 2 Medium risk; 3 High risk | Self-report via questionnaire, otherwise approximate using public data about industry sector and size | |
IT security level | c | Numerical | \([c_{min},c_{max}] \overset{\text {w.l.o.g.}}{=} [0,1]\) | Self-report via questionnaire or e.g. scrutiny by a service provider hired by the insurer | |
Number of suppliers | nsup | Ordinal | 1 Low; 2 Medium; 3 High | Hard to elicit; could be estimated from industry sector and size, or via questionnaire | Depends on sector and number of employees. For details, see Table 13 in Online Appendix A.7. Relevant for exposure to supplier attacks. |
4.2 Loss frequency
4.2.1 Idiosyncratic incidents
4.2.2 Systemic events
- arrives at time \(t_i\),
- reaches exactly the firms \(\big \{j \in S_i\big \}\), and
- causes a loss in exactly the firms \(\big \{j \in S^*_i\big \} := \big \{j \in S_i, c_j < m_i\big \}\).
4.2.3 Properties of the model
4.2.4 Summary: loss frequency model
4.3 Loss severity
4.4 Insurance pricing and risk measurement
- Expected value principle: \(\Pi _j(T) = (1 + \rho ) \mathbb {E}\big [L_j(T)\big ]\), with safety loading \(\rho > 0\).
- Standard deviation principle: \(\Pi _j(T) = \mathbb {E}\big [L_j(T)\big ] + \rho \sqrt{\mathbb {V}ar\big (L_j(T)\big )}\), where \(\rho > 0\).
- Exponential principle: \(\Pi _j(T) = \frac{1}{\gamma } \log \big (\mathbb {E}[e^{\gamma L_j(T)}]\big )\), with risk aversion \(\gamma > 0\).
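The following is an added illustration, not code from the paper: it implements the systemic-event loss filter \(S^*_i = \{j \in S_i, c_j < m_i\}\) of Sect. 4.2.2 and evaluates the three premium principles of Sect. 4.4 on a simulated loss sample for a constructed four-firm portfolio. The yearly event rate, the reach probability, the uniform event strength and the lognormal severity are assumed toy choices, not the parameters of the paper's model.

```python
"""Systemic-event loss filter (Sect. 4.2.2) and premium principles (Sect. 4.4)
on a constructed four-firm portfolio; added illustration, not the paper's code."""
import math
import random
import statistics

# Constructed portfolio: firm j -> IT security level c_j in [0, 1] (assumed values)
SECURITY = {1: 0.20, 2: 0.50, 3: 0.80, 4: 0.35}

def affected_firms(reached, strength, security=SECURITY):
    """S*_i = {j in S_i : c_j < m_i}: of the firms an event reaches, only those
    whose security level lies below the event strength m_i suffer a loss."""
    return {j for j in reached if security[j] < strength}

def poisson(rate, rng):
    """Knuth's inversion sampler, adequate for the small yearly rates used here."""
    k, p, limit = 0, 1.0, math.exp(-rate)
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_losses(security=SECURITY, n_paths=2000, rate=1.5, seed=7):
    """Cumulative loss L_j(T) per firm over n_paths independent years (T = 1).
    Assumed toy dynamics: Poisson(rate) systemic events per year, each reaching
    every firm independently with probability 0.5 and carrying strength
    m_i ~ Unif(0, 1); each affected firm incurs an assumed lognormal loss."""
    rng = random.Random(seed)
    losses = {j: [0.0] * n_paths for j in security}
    for path in range(n_paths):
        for _ in range(poisson(rate, rng)):
            reached = {j for j in security if rng.random() < 0.5}
            m_i = rng.random()
            for j in affected_firms(reached, m_i, security):
                losses[j][path] += rng.lognormvariate(3.0, 0.5)
    return losses

def premiums(sample, rho=0.2, gamma=0.1):
    """Expected value, standard deviation and exponential premium principles on an
    empirical sample of L_j(T); rho is the safety loading, gamma the risk aversion."""
    mean = statistics.fmean(sample)
    # Exponential principle via log-sum-exp so that exp(gamma * L) cannot overflow
    top = max(gamma * x for x in sample)
    log_mgf = top + math.log(statistics.fmean([math.exp(gamma * x - top) for x in sample]))
    return {"expected_value": (1 + rho) * mean,
            "std_dev": mean + rho * statistics.pstdev(sample),
            "exponential": log_mgf / gamma}
```

`premiums(simulate_losses()[1])` evaluates the three principles for firm 1; as \(\gamma \to 0\) the exponential premium tends to the pure expected loss, and the better-protected firm 3 (\(c_3 = 0.8\)) is hit by far fewer of the events that reach it than firm 1 (\(c_1 = 0.2\)).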
5 An example of an actuarial application via a simulation study
5.1 Portfolio composition and company covariates
Covariate | Scope | Frequency (number of firms) |
---|---|---|
Sector \(b_j\) | FI: finance and insurance | 0.30 (15) |
 | HC: healthcare | 0.30 (15) |
 | BR: businesses (retail) | 0.10 (5) |
 | EDU: education | 0.10 (5) |
 | GOV: government and military | 0.10 (5) |
 | MAN: manufacturing | 0.10 (5) |
Size \(s_j\) | 1 Small | 0.60 (30) |
 | 2 Medium | 0.30 (15) |
 | 3 Large | 0.10 (5) |
Data \(d_j\) | 1 Low risk | 0.20 (10) |
 | 2 Medium risk | 0.28 (14) |
 | 3 High risk | 0.52 (26) |
Number of suppliers \(nsup_j\) | 1 Low | 0.74 (37) |
 | 2 Medium | 0.20 (10) |
 | 3 High | 0.06 (3) |
5.2 Frequency distribution
Component | Symbol | Value |
---|---|---|
Idiosyncratic incidents | | |
Intercept | \((\alpha _{DB},\alpha _{FR},\alpha _{BI})\) | \((-6,-5.3,-6)\) |
Data factor levels | \(f_{DB,3}(x_{j3})\) | (0, 0.095, 0.18) |
Size factor levels | \(f_{FR,2}(x_{j2}), f_{BI,2}(x_{j2})\) | (0, 0.095, 0.18) |
Supplier factor levels | \(f_{DB,5}(x_{j5}), f_{FR,5}(x_{j5}), f_{BI,5}(x_{j5})\) | (0, 0.095, 0.18) |
IT security dependence | \(f_{DB,4}(x_{j4}), f_{BI,4}(x_{j4})\) | \(1.39 \; (0.5 - x_{j4})\) |
Time dependence | \(g_{\lambda ^{DB,idio}}(t), g_{\lambda ^{FR,idio}}(t),g_{\lambda ^{BI,idio}}(t)\) | \(0.128 \; \lfloor t \rfloor\) |
Ground process of systemic events | | |
DB intensity | \(\lambda ^{DB,g}(t) = \exp (g_{\lambda ^{DB,g}}(t))\) | \(\exp (-3.28 + 0.128 \; \lfloor t \rfloor )\) |
FR intensity | \(\lambda ^{FR,g}(t) = \exp (g_{\lambda ^{FR,g}}(t))\) | \(\exp (-2.59 + 0.128 \; \lfloor t \rfloor )\) |
BI intensity | \(\lambda ^{BI,g}(t) = \exp (g_{\lambda ^{BI,g}}(t))\) | \(\exp (-3.28 + 0.128 \; \lfloor t \rfloor )\) |
Distribution of \(S_i\) | | |
Reach probabilities | \((p_G,p_{gen},p_{sec})\) | (0.5, 0.1, 0.2) |
Sector distribution | \(B_i\) | \(B_i \sim Unif\{1,\ldots ,6\}\), i.e. \(p_b = \frac{1}{6}\; \forall b \in \{1,\ldots ,B\}\) |
5.3 Severity distribution
Parameter | Symbol | Value |
---|---|---|
\({\mu }\) | | |
Intercept | \(\alpha _{\mu ,\cdot }\) | 3.91 |
Data factor levels | \(f_{\mu ,DB,3}(x_{j3})\) | (0, 0.095, 0.18) |
Size factor levels | \(f_{\mu ,FR,2}(x_{j2}),f_{\mu ,BI,2}(x_{j2})\) | (0, 0.095, 0.18) |
IT security dependence | \(f_{\mu ,\cdot ,4}(x_{j4})\) | \(1.39 \; (0.5 - x_{j4})\) |
Time dependence | \(g_{\mu ,\cdot }(t)\) | \(0.1175 \; \lfloor t \rfloor\) |
\({\sigma }\) | \(\sigma ^{\cdot }\) | 0.076 |
\({\xi }\) | \(\alpha _{\xi ,\cdot }\) | 0.9 |
\({\beta }\) | | |
Intercept | \(\alpha _{\beta ,\cdot }\) | 0.5 |
Data factor levels | \(f_{\beta ,DB,3}(x_{j3})\) | (0, 0.05, 0.1) |
Size factor levels | \(f_{\beta ,FR,2}(x_{j2}), f_{\beta ,BI,2}(x_{j2})\) | (0, 0.05, 0.1) |
IT security dependence | \(f_{\beta ,\cdot ,4}(x_{j4})\) | \(0.5 \; (0.5 - x_{j4})\) |
Time dependence | \(g_{\beta ,\cdot }(t)\) | \((0,0.063,0.133,0.211,0.3) \; \mathbb {1}_{\{\lfloor t \rfloor = i\}},\; i \in \{0,\ldots ,4\}\) |
5.4 Results of the simulation study
5.4.1 Cumulative loss distribution
5.4.2 Premium calculation
Premium based on expected value principle (\(\rho = 0.2\)) | Based on losses: theoretical | Based on losses: simulated | Based on incidents: theoretical | Based on incidents: simulated |
---|---|---|---|---|
Firm 1 | 2.1665 | 2.0814 | 2.3174 | 2.2338 |
Firm 2 | 0.4610 | 0.4451 | 0.8107 | 0.7746 |
Firm 3 | 1.1777 | 1.1732 | 1.5557 | 1.5164 |
5.4.3 Risk measurement on individual and portfolio level
Risk measures | \(VaR_{0.995}\) losses, Hist | \(VaR_{0.995}\) losses, POT | \(VaR_{0.995}\) incidents, Hist | \(VaR_{0.995}\) incidents, POT | \(AVaR_{0.995}\) losses, Hist | \(AVaR_{0.995}\) losses, POT | \(AVaR_{0.995}\) incidents, Hist | \(AVaR_{0.995}\) incidents, POT |
---|---|---|---|---|---|---|---|---|
Firm 1 | 86.46 | 85.86 | 86.73 | 86.27 | 97.18 | 95.73 | 99.40 | 97.57 |
Firm 2 | 34.01 | 33.31 | 35.54 | 35.23 | 36.97 | 37.74 | 39.13 | 39.06 |
Firm 3 | 58.28 | 57.68 | 59.01 | 58.81 | 64.61 | 64.23 | 66.96 | 66.22 |
Portfolio 1 | 1056.01 | 1041.18 | 1067.52 | 1054.67 | 1408.11 | 1379.91 | 1423.35 | 1397.02 |
Portfolio 6 | 409.87 | 407.52 | 496.96 | 493.88 | 532.67 | 528.27 | 637.25 | 629.33 |
5.5 How relevant is accumulation risk?
- The visible heavy tails for both incident numbers and cumulative losses have vanished; thus it can be assumed they have been caused by systemic events with many firms affected simultaneously.
- In particular, the highest observed number of losses has decreased to around \(17\%\) of its previous value in both considered years, while mean losses and mean numbers of incidents/losses have stayed unaffected.
- The difference between incidents and losses is more directly visible, as in the independence case the body of the cumulative loss distribution is directly affected. This is because individual incidents are now filtered instead of the filtering impacting only systemic events, whose occurrence mostly alters the tail of the distribution.
5.6 Cyber policy design: the effect of cover limits
Cover limit | Low risk | Baseline | High risk |
---|---|---|---|
\(\bar{M}_1 = 500\) | 0.0977 | 0.4055 | 5.9530 |
\(\bar{M}_2 = 1.000\) | 0.0437 | 0.1760 | 2.1016 |
\(\bar{M}_3 = 10.000\) | 0.0033 | 0.0129 | 0.1335 |