New technologies

Cyber insurance risks: evaluating the cyber costs of cyber risks

Caroline Hillairet / olivier lopez

Nationality French

Year of selection 2018

Institution Ensae-ParisTech / Sorbonne Université

Country France

Risk New technologies

Joint Research Initiative

3 years

250000 €

Giving insurers the keys to meet one of today’s biggest challenges

With new opportunities come new challenges. The digital economy is transforming the way we live, work, communicate, at an amazing, yet slightly alarming rate. Today, we not only use technological tools in our everyday lives, we often rely on them. This relationship of dependency opens the way for new and unprecedented risks, from the simple bug to hacktivism and cyber terrorism, the impact of which can be catastrophic: data stolen, corruption or encryption, business interruption, reputational damages, physical damages, etc. "Insurers are intended to play a crucial role in providing financial protection. However, the current assessment of cyber vulnerabilities for individuals, companies and administrations is largely inadequate and inappropriately tailored to the specificities of cyber risk", reports Olivier Lopez, professor at Sorbonne Université (Paris, France). Director of the actuarial department (the discipline that applies mathematical and statistical methods to assess risk in insurance, finance and other industries and professions), he is the co-investigator, alongside prof. Caroline Hillairet, in charge of the actuarial science program at ENSAE- ParisTech, of a joint research initiative (JRI) with the Group Risk Management teams at AXA. Combining both scientific and operational skill sets, the objective of the project is to adequately investigate the financial costs of cyber risks, as prof. Lopez puts it. In more specific terms, the aim is to evaluate the consequences of cyber-attacks from an insurance point of view in order to lay the grounds for proper cyber risk insurance solutions. The JRI fits in the framework of 'the Cyber project', a global initiative launched by AXA to rethink its cyber insurance strategy and thus define its new value proposition.

To adequately price a risk – or in other words, to set the premium (the amount to be paid for a contract of insurance) – insurers must accurately quantify the risks to which their clients are exposed. In the case of cybersecurity, this process is exceptionally complicated. Cyber risks arise in a complex ecosystem of interlinked vulnerabilities, security threats, and potential associated impacts. "One of the biggest challenges confronting the cybersecurity domain is the lack of historical data", explains prof. Olivier Lopez. Indeed, conventional premium generation employs modeling techniques that incorporate data from past events. When it comes to cyber threats, the resource is scarce. As the phenomena is quite new, it has only become recently mandatory for breached entities to disclose information about their cybersecurity breaches. Previously, companies were reluctant to disclose breaches due to potential reputational damage. Another specific challenge of cybersecurity is the behavior of the policy holders themselves, who might be tempted to retain information from the insurance, or change behavior once the contract is signed. "For instance, one of the reverse effects of cyber insurance is the fact that enterprises may perform an economical optimization. Since insurance contracts offer a form of protection against potential losses, one may fear that the companies reduce their efforts to fully develop the physical strategies required to prevent the claims (such as installing or updating security softwares). Another difficulty stands in the fact that a company may be easily able to hide from the insurer some weaknesses in its network, due to its complexity and opacity".

Using advanced statistical techniques to overcome the inherent challenges of cyber insurance

"These types of behaviors have been identified, and roughly modeled from an economical point of view. However, the question of how to estimate and calibrate the parameters of such models has not been properly addressed until now", prof. Lopez specifies. This is where the academic team of mathematicians, data scientists and econometricians comes in. To capture the specificities of this market into models that are reflective of reality, and compensate for the scarcity and truncation of the information available, they aim to innovate by using and combining advanced statistical techniques. The team will notably combine tools coming from 'Hawkes processes' theory - because it can capture inter-dependent events, and is therefore adapted to cyber attacks and their potential aftershocks and contagion - and from 'Extreme value theory', a branch of statistics dealing with, as its name may suggest, extreme deviations from central scenarios. The research objective is twofold: to model present cyber risks, but also to project them in the future. "In interaction with the modeling part of the project, we aim to build numerical tools to simulate the evolution of the risk. The idea is to determine scenarios in order to evaluate the amount of reserves required to cover the guarantees (new ones and old ones), and to anticipate their trends", the lead investigators explain, insisting that "close collaboration with practitioners from AXA will ensure the academic developments of the project are efficient and consistent with an operational vision and cartography of the cyber-risk that only a worldwide insurance company can provide".

According to a report published by the Organization for Economic Cooperation and Development (OECD) following their 2018 conference on the cyber insurance market: "A number of challenges impede the extension of (cyber) insurance coverage, including low risk awareness, lack of data on cyber incidents, the changing nature of cyber threats and the potential for accumulated losses". By addressing three out of the four obstacles identified, the present JRI’s research approach holds great promise towards improving cyber risk management and reducing the eventuality of significant economic losses. In helping insurers develop better, more accurate, modeling methods for these highly complex and unprecedented risks, the outputs will not only contribute to a huge growth opportunity for the insurance sector, but also, and above all, enable the mitigation of cyber breaches, and their potentially devastating impact.