Recognition that cyber risk is a business risk, with multiple variables that affect its overall impact, has led insurers and risk managers to realise how complex it is to determine a financial cyber exposure. Unlike many other business risks, however, cyber poses a set of challenges to attaining the goal of a quantifiable potential economic impact arising from a successful attack. Actuarial valuations and the data that feed highly developed underwriting models are not suited to the cyber environment for a number of reasons. These include:
- An asymmetrical ownership of cyber risk data between insurers and clients
- A lack of sectoral loss data and cyber insurance claims history
- The constant evolution of both cyber risks and actors
- Historic data may be irrelevant in predicting future risks and impacts but may still have relevance
- Technology change that affects enterprise operations as well as external users
Despite the above generic variables being widely accepted, the overriding variable for insurers and re-insurers is that every cyber insurance client has different business processes, technology infrastructures and topologies, as well as varying risk appetites and skill sets.
It is because of these differences (a retail bank may have up to 30 000 processes, for example) that the limits on the level of cover offered are lower than the market demands. For re-insurers in particular, calculating aggregation risk from a cyber portfolio becomes unfeasible with the data presently available. Both insurer and re-insurer are exposed to retrocessional risk due to the hidden impact, present and future, that cyber risk embodies.
To overcome this major obstacle, Quantar’s patented CyCalc technology acquires proprietary cyber threat data per client and combines this with other related sets of data in order to arrive at a financial cyber risk value. This applies both to the present status and into future periods of up to one calendar year through using our patented methods.
The level of granularity an insurer requires may be lower than that needed for each enterprise’s corporate risk management, but CyCalc is customisable according to the needs of the user. “What-if” scenario modelling enables clients and insurers to determine which mitigation or security actions have the greatest effect upon financial exposure. For insurers, this capability can be used to assess every client differently, and clients can use this added benefit for their own internal risk and compliance purposes.