Cyber insurance risks: evaluating the cyber costs of cyber risks

To adequately price a risk – or in other words, to set the premium (the amount to be paid for a contract of insurance) – insurers must accurately quantify the risks to which their clients are exposed. In the case of cybersecurity, this process is exceptionally complicated. Cyber risks arise in a complex ecosystem of interlinked vulnerabilities, security threats, and potential associated impacts. "One of the biggest challenges confronting the cybersecurity domain is the lack of historical data", explains prof. Olivier Lopez. Indeed, conventional premium generation employs modeling techniques that incorporate data from past events. When it comes to cyber threats, the resource is scarce. As the phenomena is quite new, it has only become recently mandatory for breached entities to disclose information about their cybersecurity breaches. Previously, companies were reluctant to disclose breaches due to potential reputational damage. Another specific challenge of cybersecurity is the behavior of the policy holders themselves, who might be tempted to retain information from the insurance, or change behavior once the contract is signed. "For instance, one of the reverse effects of cyber insurance is the fact that enterprises may perform an economical optimization. Since insurance contracts offer a form of protection against potential losses, one may fear that the companies reduce their efforts to fully develop the physical strategies required to prevent the claims (such as installing or updating security softwares). Another difficulty stands in the fact that a company may be easily able to hide from the insurer some weaknesses in its network, due to its complexity and opacity".

Using advanced statistical techniques to overcome the inherent challenges of cyber insurance

"These types of behaviors have been identified, and roughly modeled from an economical point of view. However, the question of how to estimate and calibrate the parameters of such models has not been properly addressed until now", prof. Lopez specifies. This is where the academic team of mathematicians, data scientists and econometricians comes in. To capture the specificities of this market into models that are reflective of reality, and compensate for the scarcity and truncation of the information available, they aim to innovate by using and combining advanced statistical techniques. The team will notably combine tools coming from 'Hawkes processes' theory - because it can capture inter-dependent events, and is therefore adapted to cyber attacks and their potential aftershocks and contagion - and from 'Extreme value theory', a branch of statistics dealing with, as its name may suggest, extreme deviations from central scenarios. The research objective is twofold: to model present cyber risks, but also to project them in the future. "In interaction with the modeling part of the project, we aim to build numerical tools to simulate the evolution of the risk. The idea is to determine scenarios in order to evaluate the amount of reserves required to cover the guarantees (new ones and old ones), and to anticipate their trends", the lead investigators explain, insisting that "close collaboration with practitioners from AXA will ensure the academic developments of the project are efficient and consistent with an operational vision and cartography of the cyber-risk that only a worldwide insurance company can provide".

According to a report published by the Organization for Economic Cooperation and Development (OECD) following their 2018 conference on the cyber insurance market: "A number of challenges impede the extension of (cyber) insurance coverage, including low risk awareness, lack of data on cyber incidents, the changing nature of cyber threats and the potential for accumulated losses". By addressing three out of the four obstacles identified, the present JRI’s research approach holds great promise towards improving cyber risk management and reducing the eventuality of significant economic losses. In helping insurers develop better, more accurate, modeling methods for these highly complex and unprecedented risks, the outputs will not only contribute to a huge growth opportunity for the insurance sector, but also, and above all, enable the mitigation of cyber breaches, and their potentially devastating impact.