Visualize: Insights that power innovation

Modeling today’s cyber aggregation risk

By John Elbl and Gian Calvesbert April 10, 2017

From AIR Worldwide

AIR Worldwide’s John Elbl and Gian Calvesbert explain why using a market share approach to estimate malicious or accidental cyber risk and to approximate potential loss due to disruption of service as a result of a cloud service outage may be an inferior model. They argue that a detailed accumulation approach will offer insurers a much more confident view of the risk.

Cyber risk modeling
Photo courtesy of the Joint Cyber Reserve/MOD.

Managing cyber risk accumulations represents one of the top concerns for the insurance industry today. Unlike natural disaster risk, which can be aggregated using easily verifiable information such as geographic location, cyber risk aggregates itself around sources of risk such as third-party IT providers. These sources of risk are more challenging to identify by insurers.

Dyn attack a serious reminder

Accurate assessments of a portfolio's cyber accumulations are critical for modeling the catastrophic impact of cyber risk because financial losses for multiple organizations can be triggered by the malicious or accidental exploitation of a weakness within just one source of aggregated cyber risk. The recent distributed denial of service (DDoS) attack on Dyn, a domain name system provider whose inability to provide service resulted in downtime for some of the world’s top websites, is a serious reminder of this reality.

But what if you don't have a complete understanding of the interconnectedness of companies within your portfolio? How do you estimate the accumulation risk to deterministically model an aggregation scenario such as cloud provider downtime?

The current state of cyber exposure data within a typical insurance organization is incomplete—information beyond an insured’s industry, revenue, or even company name are unknown. As a result, a market share approach is used to estimate cyber risk accumulations and to approximate the potential loss.

Market share approach

Using a market share approach, if Cloud Vendor X has a 30 percent market share, then you could assume that same share exists within your portfolio and that 30 percent of companies would be at risk of experiencing a loss if that cloud provider experiences some downtime. In this situation insurers would not be aware of the correlation between exposures; instead, they would need to make assumptions when trying to determine which companies would be impacted.

Figure 1 portrays a portfolio, with each bubble representing an individual company of a specific industry (each color signifies a different industry type) and insured value (bubble size depends on the total value). The region shaded in red defines the companies that can experience a loss during a cloud vendor downtime event, for example, when using a market share approach. (Source: AIR)

portfolio
Figure 1: Portfolio. (Source: AIR).

Risk managers have several options to deal with the uncertainty inherent in the market share approach. For example, they can repeat this process with different segments of the portfolio to obtain a distribution of modeled losses. But because the specific providers aren’t known, any modeling analysis will not accurately reflect the risk to that portfolio.

Risk managers have several options to deal with the uncertainty inherent in the market share approach. For example, they can repeat this process with different segments of the portfolio to obtain a distribution of modeled losses. But because the specific providers aren’t known, any modeling analysis will not accurately reflect the risk to that portfolio.

The usage of market share approaches results in additional uncertainty and leaves the insurer pondering several questions:

  • Do I really write substantially more or less business with companies that rely on one particular third-party vendor?
  • Would the disruption of a third-party provider’s service cause contingent business interruption (CBI) loss that I haven’t considered?
  • If my company was actively writing cyber insurance during the Dyn disruption, would taking a 4% estimated loss (Dyn’s market share) be sufficient?

Detailed accumulation approach

Fortunately data on third-party IT providers and other important information for modeling cyber risk can be obtained—even without directly working with the insureds. With that in mind AIR has developed a modeling approach that leverages all this information.

A detailed accumulation approach can be used to perform the same type of scenario modeling analysis as market share methods, but it distinguishes itself by relying on detailed exposure data about each company in the portfolio. Instead of basing assumptions on broad industry statistics to determine the portion of the portfolio that will be impacted, specific data on each company’s suppliers is used to organize the portfolio around the source of risk being considered for analysis.

Figure 2 portrays the same portfolio as in Figure 1, but by using a detailed accumulation approach previously unknown sources of aggregation are revealed. Only the companies known to be reliant on a specific cloud vendor can be affected by a downtime event, and these are shaded in red. (Source: AIR)

Accumulation approach.png
Figure 2: Accumulation approach. (Source: AIR).

For example, using a detailed accumulation approach, risk managers identify the cloud provider that each insured company relies on for their operations. A cloud outage scenario analysis using a detailed accumulation approach provides a more confident view of the risk because this approach identifies the exposures that are actually affected by the event and omits those that should not be considered. This approach is important because AIR has determined that most portfolios do not mirror the industry as a whole. Making decisions based on market share can lead insurers to over- or underestimate the risk their business is exposed to.

A path to improved risk management

Clearly the use of market share approaches has a place when the industry lacks detailed risk information. In the case of managing cyber risk, the challenge for insurers has been collecting the data needed to employ better risk management practices, such as the detailed accumulation approach.

A promising reality is that most, if not all, insurers are aware of the importance of gathering detailed exposure data at the point of underwriting, and new technologies are being developed that can identify the detailed data needed for more accurate risk modeling, which should encourage the continuous collection of that data. Therefore, now is the time for the insurance industry to begin investing in processes that can leverage detailed cyber risk data and improve a decision-maker’s view of risk.


John Elbl is a vice president, and Gian Calvesbert is a manager at catastrophe modeling firm AIR Worldwide.