A comprehensive model for cyber risk based on marked point processes and its application to insurance

Bohme and Schwartz [16] studied a unifying framework for modelling cyber insurance and classified existing research approaches of cyber insurance market models. Until 2010, many academic papers were motivated by the study of interdependent security and primarily focused on questions of network security and its relation to the existence of an insurance market, often using game-theoretic approaches (e.g. Refs. [17‐22]). Other works concentrated on the correlation properties [23] and monoculture effects [24] of cyber risk and the existence of an insurance market under these conditions.

More recently, a very comprehensive overview of various aspects of cyber insurance was given in Ref. [25], including a classification of existing research approaches with interdependent security according to the underlying insurance market model. While the listed approaches differ in their assumptions, the research aims are quite similar. Most studies focus on the existence of a Nash Equilibrium for security investments (e.g. Ref. [26]) and the existence or efficiency of an insurance market (e.g. Refs. [17, 19, 20, 22, 27‐30]). Slightly different mathematical approaches include the use of Bayesian network games to design optimal cyber insurance contracts [31] or to study the effect of network externality on security adoption [32].

Under quite realistic assumptions, the socially optimal level of security investments cannot be attained in these models, as individuals are incentivised to underinvest [25]. Furthermore, given the availability of cyber insurance, individuals are even more reluctant to invest in self-protection and it is thus generally not possible to design insurance as a means to reach socially optimal levels of investment (e.g. Refs. [19, 20, 22, 27‐30]). Some studies thus test whether regulatory actions (e.g. fines or rebates, taxes for low self-protection, or risk pooling arrangements) might enable insurance to incentivise self-protection, reaching conflicting conclusions (e.g. Refs. [17, 19, 22, 28, 29, 33, 34]).

Given that an accepted terminology and framework for cyber risk does not yet exist, some authors concentrated on developing taxonomies and frameworks (e.g. Refs. [35‐37]) or on embedding cyber into the better-known context of operational risk management (e.g. Refs. [38, 39]).

One feature of cyber risk that is commonly regarded as particularly problematic is the lack of independence among the risks/claims, a problem that was addressed using copula approaches in Refs. [40, 41], linear correlations in Ref. [24], and a combination of both in Ref. [23]. More recently, Peng et al. [42] studied the multivariate dependence exhibited by real-world cyber attack data using a Copula-GARCH model. The latter works describe cyber attacks of different types or multivariate nature to be the source of dependence. Peng et al. [43] propose modelling and predicting extreme cyberattack rates by using marked point processes and similarly, studying an empirical data set of breach incidents [44] argue that stochastic processes rather than distributions should be used to model and predict hacking breach incident inter-arrival times and breach sizes. Baldwin et al. [45] find strong evidence of contagion in cyber attacks to different components of a firm’s information system using self- and mutually-exciting point processes.

Instead of considering underlying attack rates, studies concerned with cyber insurance seek to quantify the expected monetary losses of an insurer’s portfolio. To this end, dependencies between losses can also be captured by considering a model of epidemic spreading on the underlying network of firms. Fahrenwaldt et al. [46] use a (Markovian) SIS-process to model the infectuous spread of a cyber vulnerability and subsequently an adapted counting process for the occurrence of attacks. Xu and Hua [47] use Markovian and Non-Markovian processes for epidemic spreading and propose to use a copula approach to capture the dependence among time-to-infection distributions. Xu et al. [48] study a model of cyber epidemics over complex networks, additionally introducing copulas to capture dependencies between cyberattack events.

The lack of publicly available, reliable, and sufficiently large data sets for cyber incidents remains one of the obstacles for sound statistical investigations. Among the best-known data sources on data breaches are the continuously updated “Chronology of Data Breaches” dataset by the California-based nonprofit corporation Privacy Rights Clearinghouse (PRC)³ and the “Open security foundation data loss database”.⁴ The former data was e.g. studied by Edwards et al. [49], with the conclusion that the number of records exposed can be modeled by the log-normal law and the daily frequency can be described by a negative binomial distribution. Somewhat surprisingly, the study found neither size nor frequency of data breaches to exhibit a time trend. Eling and Loperfido [50] use multidimensional scaling and goodness-of-fit tests to analyze the distribution of the data breach information. They show that modelling severity using a log-skew-normal distribution seems adequate and find that different types of data breaches need to be modeled as distinct risk categories. Eling and Jung [51] study the cross-sectional dependence of the data breach losses and identify a significant asymmetric dependence of monthly cross-industry losses in four categories by breach types as well as cross-breach type losses in five categories by industries. Farkas et al. [52] analyze heterogeneity of the reported cyber claims through the use of regression trees.

The second database was examined in Ref. [53], who focus on the theft of personal information and report a stable power-law tail distribution of personal identity losses per event. Wheatley et al. [54] combined data from both databases to focus exclusively on large breaches and study maximum breach sizes as well as severity distributions. The best fit is obtained by using a doubly truncated Pareto (Power law) distribution with linearly decreasing shape parameter for breach sizes, with sub-linear growth for the maximum log breach size.

Romanosky [55] uses a (commercial) dataset from Advisen, a US-based consultant to the insurance industry, with the aim of examining the composition and costs of cyber events. They conclude that firms may lack a strong incentive to increase their investment in data security and privacy protection and the primary motivation may come from the cyber insurance industry through its use of incentive-based premium reductions.

While the aforementioned papers mostly concentrate on data breaches, Eling and Wirfs [56] has a wider focus: they define cyber risk as a subgroup of operational risk and analyze cyber data from a large operational risk database (SAS OpRisk Global data), including a global range of cyber incidents that have occurred over an around twenty-year period and considering actual costs instead of number of affected records only. The frequency of losses is found to be most adequately modelled by a Negative Binomial distribution in a static approach, and a Poisson process with covariate-dependent rate in a dynamic approach based on Ref. [57]. For the loss severity, none of the canonical candidates (exponential, Gamma, log-normal, log-logistic, generalized Pareto, Weibull) were found to accurately model the entire loss data. Promising alternatives were a non-parametric transformation kernel estimation and an extreme value approach, where excesses over a threshold were modelled by a generalized Pareto distribution. The study highlighted the importance of distinguishing between cyber risks of daily life and extreme cyber risks.

For the European market’s supply side, ENISA et al. [13] identified the lack of solid data on losses, the fast pace of technology evolution, and the lack of adequate reinsurance among the key factors. Regarding the demand side, companies’ most often mentioned reasons to refrain from purchasing cyber insurance include high prices [10, 11, 14, 58, 60], lack of availability of desired limits and coverage [14, 58, 60], concerns about numerous exclusions and restrictions [10], and lack of understanding about own exposure [61] or about policy offers [11].

A fundamental question is if, and under what circumstances, cyber risk is insurable at all, given its complex nature. ENISA et al. [13] first examined this question and concluded that cyber might well be an insurable type of risk fulfilling almost all of the considered desiderata. A more detailed analysis based on a dataset from an operational risk database was conducted in Ref. [62] and subsequently adressed in Ref. [63]. Their study identified the main problems to be lack of independence of loss occurrence, presence of information asymmetries, and lack of adequate cover limits. However, they remark that some problematic aspects might be alleviated in the future and thus advocate for systematic data collection, e.g. via platforms for data sharing organised by national regulators or international associations.

Ignoring the academic question “to be (insurable), or not to be,” in practice an immature cyber insurance market has developed and an increasing scope of cyber insurance products is available. The majority of coverage is offered as dedicated cyber coverage [11, 14], with customers frequently shifting from endorsement to stand-alone policies [58]. The most sought-after types of coverage include cyber-related business interruption, data breaches, cyber extortion, and fund transfer fraud/social engineering [14, 58]. Cyber policies typically cover the most common and costly incidents, including human error, mistakes, and negligence, external attacks by cyber criminals, system or business process failures, and malicious or criminal insiders. Rarely, however, attacks against business partners, vendors, or other third parties are included [10]. All policies generally distinguish between first and third party (liability) losses [15]. A systematic qualitative analysis of cyber insurance policies across the US [15] found a surprisingly strong similarity regarding covered losses, where the ten most commonly covered losses included costs of claims expenses (including legal expenses from penalties, defense, and settlement costs), public relations services, costs of notification of affected individuals, business income loss, data or system restoration, forensic investigation costs, and data extortion expenses. Romanosky et al. [15] points out that the top covered costs are cleanup costs, i.e. indirect costs in order to comply with laws, manage the firm’s reputation, and reduce further expenses following a breach. Other studies found similar results for the covered types of losses (e.g. Refs. [2, 10, 16, 25]).

Regarding exclusions, Romanosky et al. [15] found more variation between policies, where the most common exclusions stemmed from criminal, fraudulent, or dishonest acts, errors or omissions, intentional violation of a law, criminal investigations or proceedings, and payment of fines, penalties, or fees. Furthermore, hard-to-quantify costs like loss of employee productivity or brand damage are often excluded [10].

Lastly, an important issue to mention is non-affirmative or silent cyber cover, meaning that cover for cyber incidents may exist for example in traditional property and casualty policies, even though this was not the intention of the underwriter [12]. Misconceptions like this might lead to a dangerous perception gap for insureds [11] who suffer from an illusion of protection as well as insurers who might suffer from (unintentionally written) exposure to cyber risk.

In the US, carriers typically assess an applicant’s cyber risk through questionnaires, most of which emphasize the amount and type of data handled by the investigated company, whereas the technical infrastructure and IT security management receive less attention [15]. The sample questionnaire for risk assessment for cyber insurance by the German Insurance Association [64] differentiates between three risk categories primarily according to the annual turnover of a company and, secondarily, according to certain risky business units (e.g. e-commerce or handling of sensitive data), where the number of questions for a candidate increases with increasing risk category.

Regarding pricing, there seem to be large differences between carriers, while surprisingly, some of the recurring themes are reliance on external sources, estimation, comparison with competitors, using underwriter’s experience, and adaptation of prices from other insurance lines [15]. Similarly, respondents in Refs. [14, 58] stated that competition between carriers seemed to prevail over actuarial assessment of the cost of risk. Most examined policies in Ref. [15] multiply a base premium by variables relating to standard insurance factors and industry-related factors, where high hazard weightings are assigned to businesses that collect and store a high volume of sensitive data or operate in industries like retail, healthcare, and the financial industry. Finally, premium multipliers are commonly assigned according to the outcome of the questionnaire regarding IT security (e.g. privacy controls, network security controls, existence of an incident response plan). In conclusion, the impression manifests that while insurers are trying to get a better understanding of cyber risk and its drivers, due to the lack of ample reliable data to describe the problem with sufficient statistical precision, as of today pricing often happens on an ad-hoc basis and established quantitative models do not exist, yet.

While traditionally insurance is a means of risk transfer, cyber insurance can potentially offer more than compensation for monetary losses. Many insurers already advertise the services their cyber insurance policies include, e.g. prevention and incident response services or crisis communication support [65]. Moreover, ENISA et al. [13] highlights possible benefits of the development of a cyber insurance market such as the potential to incentivise firms to increase IT security through premium discrimination or the development of a market for security consulting firms that investigate security practices as part of the underwriting process.

Another future topic for insurers concerns arrangements and standards that facilitate sharing data and information about cyber incidents. In order to help corporations to overcome their resentments about sharing such data, it is the insurers’ task to demonstrate that pooling data enables them to improve their range of services and design adequate new and transparent products that meet companies’ needs [11].

Thus, despite most academic works concluding that in their theoretical frameworks cyber insurance cannot improve social welfare or network resilience, in practice the development of adequate, transparent cyber insurance products and services might entail a number of benefits transcending a mere possibility for companies’ cyber risk transfer. In summary, during the last few years research on cyber risk has considerably increased and various aspects have been considered (disjointly). Our work focuses on the viewpoint of actuarial science, but we aim at providing a holistic modelling approach, taking into account both IT security and economic factors.

In order to assign cyber incidents to a few distinct classes, we recall a quite concise definition of cyber risk originally motivated by the study of operational risk management, namely “operational risks to information and technology assets that have consequences affecting the confidentiality, availability, or integrity of information or information systems.” [38].

We follow [37] in applying this definition to classify cyber incidents according to three classical information security protection goals: confidentiality, integrity, and availability of information assets [67]. Table 1 gives an overview of their definitions and the incident types that compromise each goal.

Of course, these categories are not mutually exclusive; an example combining features of fraud and business interruption is a Ransomware attack, i.e. extortion for temporarily withheld data. We nevertheless implement the above distinction, as it is known from data breaches that incidents of different kinds typically show a different statistical nature [68] and, moreover, the economic consequences vary across the incident categories [55]. An incident falling into more than one class could e.g. be assigned partially to both of them according to the losses it entails, e.g. for the Ransomware case, losses from the interruption of operations under BI and losses from ransom payments under FR. Furthermore, we can understand FR as a general class of incidents that cannot be distinctly classified as DB or BI.

Until a few years ago, data breaches have been the most observed type of incident, see Sect. 2.1. Recently, however, the potential impact from cyber-related BI has become a major concern [4] whose financial consequences could equal or surpass losses from a data breach. Vice versa, cyber incidents have become the most feared BI trigger [12]. Our classification is quite similar to the definition of a cyber attack used in Ref. [13] which, however, only focuses on malicious cyber attacks. In our view, to capture the whole scope of cyber incidents, a second distinction along another dimension, namely the root cause, should be made.⁵ Here, the following should be distinguished:Combining incident types and root causes yields the partition of cyber incidents as shown in Table 2.⁶ Note that we use terminology that is common in the natural catastrophe context and is applied in the cyber context in Ref. [70]: an incident refers to a single loss, whereas an event can cause many related incidents.⁷

One can further scrutinize motives of individuals or groups for targeting companies via cyber attacks. CRO Forum [69] defines five types of threat actors (with corresponding motivation): nation states (strategic), organised criminals (economic), hackers (reputational), hacktivists (political), and insiders. The last group includes unintentional insiders, emphasizing that, although malicious attacks are more publicly present, a large share of cyber incidents stems from human error or technical problems. This applies to cyber-related BI [4, 12], data breaches [5, 12], and general cyber incidents [3, 55, 56].

One peculiar type of targeted attacks not yet explicitly mentioned are so-called supplier attacks, where a company is not attacked directly but through attacks on supply-chain partners (with potentially weaker defenses). Although this so far only accounts for a minority of incidents, studies have identified a trend of attackers slowly shifting their attack patterns to exploit supply chain partner environments, particularly for industries with mature cybersecurity standards [3], and thus many companies will increasingly seek to extend insurance cover to their supply chains [4].

Threats only manifest as successful incidents if there exists an exploitable vulnerability in the target system [36]. We distinguish between symptomatic and systemic vulnerabilities (c.f. Ref. [36, 71]), where the former only affect single firms (e.g. via custom software), while the latter can affect many firms simultaneously (e.g. via a vulnerability in standard software). Especially the second kind is worrisome, as it exposes many potential targets to the same threat and thus could lead to highly correlated and simultaneous losses [36]. From the viewpoint of a company, a vulnerability can be mitigated by establishing adequate controls, both technical (e.g. anti-virus software) and non-technical (e.g. awareness campaigns [36]).

Investments in cyber security require strategic decisions and cannot be limited to the prevention of cyber incidents, but must also take into account the discovery, investigation, and containment of an attack and the fast recovery of systems to a working state [3]. Many academic works have studied the problem of finding an optimal security level, balancing the cost of controls against the benefits from reduced losses (see Sect. 2.1). We do not further study this problem here, but rather conclude that a firm’s IT security level must be a central parameter for an insurance company’s risk assessment (as it already is in practice [15]).

Besides opportunistic attacks that stem from the opportunity of exploiting an existing vulnerability, we also consider targeted attacks on a specific victim. Thus, further firm characteristics that incentivise such attacks need to be identified. Considering the list of threat actors in the previous section, the following characteristics arise:Eling and Wirfs [56] considered, among others, the company-specific covariates industry sector and size and found both of them to be highly significant for the frequency of all kinds of cyber incidents in their model.

Parallel to increasing occurrence rates, the economic consequences of various cyber incidents have recently become more severe, with BI and information loss having the highest monetary impact [3]. For data breach incidents, the average cost could be up to several million USD [5, 10], where the biggest financial consequence is found to be lost business. Quantifying the consequences of cyber incidents is difficult due to the scarcity of historical data and the various (intangible) types of costs. Nevertheless, earlier studies give some indications of cost drivers.

For data breaches, Ponemon Institute LLC [5] find the average cost per record to depend on the root cause (malicious attacks vs. system failures and human error) and the industry sector. The latter could be explained by the fact that the rate of lost customers and business depends on the industry, but also by considering the impact of regulation and litigation on breach cost causing highly regulated industries to suffer larger losses [12]. An effect of the company size on the breach cost was reported in Refs. [53] and [55], who developed a model for the log-cost of a data breach depending on the firm’s revenue (as a proxy for size) and the number of compromised records. This is more comprehensive than the well-known Jacob’s formula [72], which simply links the log-cost of a data breach to the (log-)number of compromised records. Another amendment was proposed in Ref. [52], who argue that [72] did not yet take into account the cost of mega data breaches observed in future years. Finally, adequate controls can not only decrease the probability of a breach, but also its potential consequences: Improvements in data governance programs, presence of incident response plans, and employee training all result in average cost savings in case of a breach [5, 60].

Concluding, there is evidence that for data breaches the cost of an incident depends on the industry sector, the size of the company, the amount of data affected, potentially the type of attack, and controls in place. The statistical findings and distributions used to model the severity of data breaches found in investigations of available databases have been summarized in Sect. 2.1. Note that these findings for data breaches might not necessarily translate to the other incident types, as different types of cyber incidents (e.g. data breaches and privacy violations) are found to display large median cost differences [55].

It is hard to find information on the economic impact of the other two types of incidents studied here, namely BI and fraud. For the former, some sources from the non-cyber domain are available [73‐77]. The only sources including indications of which distributions are useful to model economic loss from BI are [77], who finds that the size of yearly BI insurance claims follows a Pareto distribution with an extremely heavy tail and infinite expected claim size, and [75], who suggests modelling BI loss by a PERT distribution.

For fraud one might hope to find information in studies on the cost of cyber crime but, unfortunately, the data is usually either aggregated over all types of cyber incidents from malicious sources or focuses on information loss/theft. Thus, there is very little reliable evidence on the actual cost of cyber fraud. Despite indications that cyber risk is quite different from other types of operational risk [56], one way might be to draw on knowledge about the modelling of operational risk as, e.g. the Basel II framework [78] includes internal fraud and external fraud as event-type categories.

Another option is to refer to the recent work of [56], who study all kinds of cyber incidents (including data breaches as a subset) using a model where the parameters of the distribution of both frequency and severity of cyber incidents might depend on firm-specific and incident-specific covariates as well as time. They resort to an EVT approach to model the severity of events, using the generalized Pareto distribution (GPD) to model excesses over a high threshold (the tail of the distribution) and a series of simple parametric distributions (e.g. exponential, Gamma, log-normal) for the body. The GPD with shape parameter \(\xi\) and scale parameter \(\beta\) is of the formfor \(x \ge 0\) if \(\xi \ge 0\) and \(x \in [0,-\beta /\xi ]\) if \(\xi < 0\). They build on the work of [57] to fit a model where the parameters of the GPD may depend on covariates (including time). To the best of our knowledge, their work is the first to model the actual economic loss and to consider general types of cyber incidents instead of only data breaches, thus we incorporate their approach in our framework.

Idiosyncratic incidents are assumed to occur at each firm independently (from incidents at other firms as well as between types of incidents at the same firm). For these types of incidents, we assume that any incident is successful in the sense that it breaches the firms IT security measures and causes a loss. This is reasonable, given that targeted attacks are usually tailor-made against one company and furthermore, the majority of non-successful incidents (near misses) of this type might not be monitored or recognized.¹⁰

We assume the arrival of such incidents of each type {DB, BI, FR} at each firm \(j \in \{1,\ldots ,K\}\) to follow an inhomogeneous Poisson process with time- and covariate-dependent ratewhere the super-/subscript \({\cdot }\) stands for one of the incident types \(\cdot \in \{DB,FR,BI\}\), the functions \(f_{\cdot }\) additively map (a relevant subset of) the covariates, i.e. \(f_{\cdot }(x) = \alpha _{\lambda ,\cdot } + \sum _{k} f_{\lambda ,\cdot ,k}(x_{jk})\) for some constant \(\alpha _{\lambda ,\cdot }\) and \(g_{\cdot }: [0,T]\rightarrow \mathbb {R}\) is a measurable function describing the time dependence. The explicit form of the functions \(f_{\cdot }\) and \(g_{\cdot }\) is of course unknown but can be estimated from a suitable data set.¹¹ The dependence on covariates and time can differ for the three incident types. As an example, if one assumes the rate of data breaches to depend on the covariates \(x_{j3}\) (data; for targeted attacks), \(x_{j4}\) (IT security; for failures), and \(x_{j5}\) (number of suppliers; for supplier attacks) only, this would yieldwhere the functions \(f_{\lambda ,DB,k}\) map factor levels to constants for the ordinal covariates indexed \(k \in \{3,5\}\) (i.e. are naturally measurable) and \(f_{\lambda ,DB,4}\) is any measurable function of the numerical covariate \(x_{j4}\).

It is clear that for any interval \([\tau _1,\tau _2] \subseteq \left[ 0,\infty \right)\) (set for now \(\tau _1 := 0\) and \(\tau _2 =: T\)), given the covariate matrix \(\mathbf{X}\), the number of idiosyncratic incidents of each type arriving at firm j follows a Poisson distribution:where \(\Lambda ^{\cdot ,idio}_j(T) = \int _{0}^{T} \lambda ^{\cdot ,idio}_j(t)\mathrm {d}t\) is the mean measure of the inhomogeneous Poisson process.

As the processes are assumed independent between firms, it follows by superposition that the number of idiosyncratic incidents on the whole portfolio is also Poisson distributed:

Systemic events cause incidents at multiple firms at the same time and, if of malicious origin, are typically of an opportunistic nature, i.e. a set of firms is affected not because of their specific features or the economic gain attainable from attacking them, but rather due to the availability of an exploitable attack vector against them. This often stems from a common vulnerability, for example a list of bought e-mail-addresses that allows a threat actor to send ransomware to employees of certain firms. In many cases, a common vulnerability would likely affect firms within one industry sector (e.g. if custom software is vulnerable), but of course the common factor can also be unobservable. In any case, to model incidents from systemic events, an extension of the simple point process framework of the previous section is needed. We use the framework of marked point processes, where the process of locations (arrival timepoints of events), now called the ground process \(N^g(\cdot )\), is a simple¹² point process \(\{t_i\}_{i \in \mathbb {N}}\) on the non-negative real line as above, more specifically a non-homogeneous Poisson process with log-rate¹³where the super-/subscript \({\cdot }\) indicates the event type \(\cdot \in \{DB,FR,BI\}\), and again \(g_{\cdot }\) is a measurable function of time. Each arrival of the ground process \(\{t_i\}_{i \in \mathbb {N}}\) is then equipped with a mark \((m_i,S_i) \in \mathcal {M}\times \mathcal {S}\) consisting of realisations of components \(m_i \in \mathcal {M}:= [m_{\min },m_{\max }] \overset{\text {w.l.o.g.}}{=} [0,1]\) and \(S_i \in \mathcal {S}:= \mathcal {P}_K\), such that the resulting process is a marked point process \(\big \{t_i,(m_i,S_i)'\big \}_{i \in \mathbb {N}}\) on \(\left[ 0,\infty \right) \times (\mathcal {M}\times \mathcal {S})\), where \(\mathcal {M}\times \mathcal {S}\) is called the mark space (for a rigorous definition, see Definition 1 in Online Appendix A.1).

To characterize a marked point process completely, it remains to specify the conditional distribution of the marks, given the locations of the Poisson ground process \(N_g\) (see Proposition 6 in Online Appendix A.1). This is done in the following assumptions whose rationality will be detailed below:

A concrete distributional assumption for a model should ideally be backed by empirical evidence. As this is currently not possible due to data scarcity in the cyber domain, we stick to the principle of imposing as little (unknown) prior information as possible. This justifies (A1) and (A2), as we do not have any evidence that would suggest deviating from iid., to introduce any particular dependence, neither between locations and marks, nor between the components of the mark. Similarly, regarding (A3), one might intuitively rather assume the number of very weak attacks (such as easily recognizable spam e-mails) to be higher than the number of very sophisticated attacks. However, as we do not have statistical evidence that would allow to choose a particular distribution, we use a Uniform distribution (maximum entropy distribution among all continuous distributions on a bounded interval [82]). Considering (A4), several industry experts have highlighted in conversations with us the importance of industry sector-specific systemic events. Thus, we incorporate this idea in our model, while again leaving the distribution as simplistic as possible (conditionally iid. Bernoulli draws). Furthermore, note that due to the modular structure of the model, each assumption can be altered or replaced individually if suitable data indicates the necessity, without compromising the general model structure.

In the following, we detail properties of the model and their interpretation in the cyber insurance context. As proofs mostly rely on standard techniques, they are given in Online Appendix A.3.

Notice that the distribution of \(\{|S^*_i|\}_{i \in \mathbb {N}}\) implies the distribution of \(\{|S_i|\}_{i \in \mathbb {N}}\) as the special case where \(c_{[k]} = 0, \forall k \in \{1,\ldots ,K\}\), i.e. the worst-case scenario where no firm has any IT security measures in place and thus the number of incidents and losses is equivalent.

The above results are interesting from a practical viewpoint: If an insurer is notified about a cyber incident by one of its policyholders (many policies include mandatory immediate notification or even the provision of an immediate-response-team by the insurer), it is worthwhile to find (and warn!) firms with a high conditional probability of having been affected by the same event, thus potentially giving them the chance to avert the actual manifestation in their firm (e.g. by warning employees about a phishing threat or updating vulnerable software). The information about an incident in one firm always has a non-negative effect on the incident probabilities for other firms of the same sector ((7a) vs. (8); a formal proof of this statement is given in Online Appendix A.3), while the effect can go in either direction for firms of different sectors ((7b) vs. (8)). For a detailed illustration, see Fig. 1. The same holds for the information of a suffered loss, i.e. the probability of suffering a loss increases with the knowledge that another firm of the same sector has suffered a loss, and the increase is larger if the harmed firm’s IT security level exceeds the one of the firm under consideration.

Analogously to the notation in the previous section, for any interval \([0,T] \subseteq \left[ 0,\infty \right)\), given the arrival process \(\big \{t_i,(m_i,S_i)'\big \}_{i \in \mathbb {N}}\) and the covariate matrix \(\mathbf {X}\), the number of incidents \(\bar{N}_j^{\cdot ,syst}\) resp. losses \(N_j^{\cdot ,syst}\) at each firm follows a Poisson process, where the rate can be obtained by thinning the ground process \(N^{\cdot ,g}\) of arrivals \(\{t_i\}_{i \in \mathbb {N}}\) appropriately (see Ref. [83] and Proposition 5 in Online Appendix A.1). In particularContrary to the previous section, we cannot transition to the portfolio level by simple superposition due to lack of independence between firms. Instead, we express the cumulative number of incidents \(\bar{N}^{\cdot ,syst}(T)\) resp. losses \(N^{\cdot ,syst}(T)\) across the entire portfolio for fixed \(T > 0\) as a compound Poisson distributed r.v.where \(N^{\cdot ,g}(T) \sim Poi\Big (\int _{0}^{T}\lambda ^{\cdot ,g}(t)\mathrm {d}t\Big )\) and \(\{|S_i|\}_{i \in \mathbb {N}}\) resp. \(\{|S_i^*|\}_{i \in \mathbb {N}}\) are iid. mixed Binomial and independent from \(N^{\cdot ,g}(T)\).¹⁵ Using well-known results for the calculation of the expectation and variance of a compound Poisson r.v. (details in Refs. [84, 85] and Online Appendix A.2), this yields:

It is well-known that the Poisson distribution exhibits equidispersion (\(DI = 1\)), while empirical studies in non-life insurance often report overdispersed claim count data and therefore recommend to use alternative distributions (e.g. negative Binomial) to model claim counts. Proposition 3 shows that our construction using a marked Poisson process to allow simultaneous arrivals of several incidents (resp. losses) due to one systemic event likewise is able to introduce overdispersion.

Recall that idiosyncratic incidents arrive to each firm \(j \in \{1,\ldots ,K\}\) independently as inhomogeneous Poisson processes with rates \(\lambda ^{\cdot ,idio}_j(t)\), \(\cdot \in \{DB, FR, BI\}\). Each incident is assumed to cause a loss. For a fixed time \(T > 0\), the overall number of losses caused by idiosyncratic incidents up to this time \(N^{\cdot ,idio}(T)\) follows a Poisson distribution with rate \(\Lambda ^{\cdot ,idio}(T) = \int _{0}^T \Big (\sum _{j = 1}^K \lambda ^{\cdot ,idio}_j(t)\Big )\mathrm {d}t\).

Systemic events arrive to the portfolio with overall rates \(\lambda ^{\cdot ,g}(t)\). Each arrival \(t_i\) carries a mark including the strength of the event \(m_i\) and the affected subset \(S_i\). An event at time \(t_i\) thus causes incidents in all firms in the set \(\{j \in S_i\}\) and causes losses in its subset \(\{j \in S^*_i\} = \big \{j \in S_i, c_j < m_i\big \}\). The total number of incidents and losses from systemic events up to time \(T > 0\), \(\bar{N}^{\cdot ,syst}(T)\) resp. \(N^{\cdot ,syst}(T)\), follow a compound Poisson distribution with mixed Binomial jump sizes.

Aggregating the number of incidents and losses from both root causes on the level of each individual firm translates to aggregating two independent Poisson r.v.On the portfolio level, we aggregate two independent compound Poisson r.v. (one with jumps of constant size 1 and one with mixed Binomial jump sizes), which yields (see Proposition 7 in Online Appendix A.2):where \(N(T) \sim Poi\big (\Lambda ^{\cdot ,idio}(T) + \Lambda ^{\cdot ,g}(T)\big )\) and \(\{Y_i\}_{i \in \mathbb {N}}\) are iid., independent of N(T), with mixture distributionNote that so far, we have kept the numbers of losses of different types {DB, FR, BI} separate. In general, assuming independence between them, they could be aggregated into one arrival process, but this may not be desirable as also the loss severity distributions might be different (see Sect. 3.2.3), and therefore for the determination of the portfolio loss their numbers have to be taken into account separately.

First, we examine the number of incidents/losses and the distribution of cumulative losses in the full portfolio (\(K = 500\)) in Fig. 2a and b. We compare the case where only actual losses are counted with the case where all incidents are counted (i.e. the worst case where all incidents cause a loss). At first glance, the two cases appear to be surprisingly similar. Notice, however, that due to the assumptions above, for most firms the rate of idiosyncratic incidents outweighs the rate of incidents from systemic events. Furthermore, the lower the security level for a given firm, the higher its contribution to the overall number of incidents, and simultaneously the lower the effect of distinguishing losses and incidents. Conversely, the higher the security level of a given firm, the less likely it is to be affected at all. Therefore, when only few cases are registered at all, these cases are likely to have occurred at firms with low security and are therefore unlikely to be filtered. The cases where most filtering occurs are large systemic events whose effect is clearly reduced (consider the range around [45, 65] on the x-axis of Fig. 2b). Of course, this translates analogously to Fig. 2a, where particularly the tail of the distribution is altered (x-axis-range around [2500, 4000] in Fig. 2a). In this case, it additionally has to be kept in mind that incidents at well-protected firms—which are mostly filtered—are assumed to typically cause below-average losses. In both figures, one observes the difference in mean between counting losses and incidents, and that the mean is shifted clearly to the right from the mode of the body of the distribution. As expected from the assumptions above, we observe a shift of the cumulative loss distribution to the right as time progresses. To corroborate the simulation results, we generate 50.000 samples of incident/loss numbers following Proposition 1 and Eq. (12) and compare them in Fig. 2d. The simulation via Eq. (12) is much faster, but cannot be directly used to generate the cumulative loss distribution, as only samples of the total number of incidents/losses are drawn without information as to which firms they affect (and severity differs between firms).

Furthermore, we compare the cumulative loss distribution for selected sub-portfolios in Fig. 2c, taking into account only simulation runs where a non-zero loss has been observed. As to be expected, we observe a shift of the body and tail of the loss distribution to the left as the security level increases. Understanding the cumulative loss distribution—especially in the tail—is particularly interesting in the context of reinsurance, where common contract design involves so-called excess-of-loss reinsurance, meaning that (portfolio) losses exceeding a pre-specified limit are ceded. For this case, an accurate understanding of the portfolio loss distribution and its tail is clearly essential. Apart from these considerations, insurers are mostly concerned with the pricing of individual policies. This is addressed next.

Based on the distribution of individual losses, we calculate the first-year premium based on the expected value principle given in Sect. 4.4.²¹ Table 7 compares the following exemplary firms: The results show that the IT security level dominates the covariate-effect on the premium, which is in line with the assumptions. As in practice, the calculation of expected losses is typically based on historically recorded (rare!) losses, only very few firms with the exact same covariate combinations might be in the portfolio and therefore, the premium is rather calculated based on all losses within a class of firms considered homogeneous. New firms falling into the same class are then assigned the same premium. The quite difficult task is to find an appropriate way of partitioning firms into homogeneous groups. If we partition firms according to their IT security level and calculate their premium by taking into account all firms with the same level, we obtain the results shown in Fig. 3.²² As to be expected, the premium decreases with increasing security level, while the difference between incidents and losses increases. As an alternative to (and validation for) the Monte Carlo simulation, we have furthermore implemented a Panjer recursion scheme using a discretized version of the severity distribution; the results are given in Online Appendix A.5 and corroborate the ones given here.

We compare VaR and AVaR for the three firms described above and two sub-portfolios in Table 8, as well as for all sub-portfolios in Fig. 4a and b. The historical estimate refers to the sample quantile from the simulation data, i.e. for a realisation of losses \(\mathbf{L} = (L_1,\ldots ,L_n)\), let \(L_{(1)}< L_{(2)}< \ldots < L_{(n)}\) denote the order statistics, then for a chosen level \((1-\alpha ) \in \left( \frac{i-1}{n},\frac{i}{n}\right]\), \(VaR_{1-\alpha }\) and \(AVaR_{1-\alpha }\) are estimated as their empirical counterpartsThe POT estimate assumes that for a large threshold u, the excesses are distributed according to a generalized Pareto distribution \(GPD(u,\xi ,\beta )\), and thus \(VaR_{1-\alpha }\) and \(AVaR_{1-\alpha }\) can be estimated as (see, e.g. Ref. [57])where \(\hat{\beta }\) and \(\hat{\xi }\) are the parameter estimates of the scale and shape of the GPD given the data \(\mathbf{L}\) and \(n'\) is the number of threshold exceedances. As to be expected, both VaR and AVaR decrease with increasing security level, while the reduction when considering only losses instead of all incidents is more substantial. Note again that for individual firms, the numbers are based on their own loss history only and should be interpreted with care.