Risk Modelers Working on Tools for Gauging Cyber Attack Risk
By: Luciana Lopez (Insurance Journal) December2014
Even as the Sony Corp. cyber attack laid bare the kinds of vulnerabilities that typically drive companies to buy insurance policies, the lack of a risk model for insurers means such protection is not always easy to get.
Unlike earthquakes, tornadoes or even terrorism, there are no existing models to calculate how much a so-called “cyber hurricane,” cutting across a swath of companies, could cost. Without that, insurers cannot be sure how much risk they can afford to underwrite.
At least two risk modeling companies, RMS and AIR Worldwide, are trying to solve that puzzle, building a model that can help gauge how much havoc – in dollars and cents – such cyber breaches can cause.
“Everybody’s being attacked at this point,” said Scott Stransky, manager and principal scientist at AIR Worldwide. “We’re hoping to change that game.”
Government Action, Insurance, Software Product Liability Urged for Cyber Security
While high-profile attacks at retailers such as Target Corp. and Home Depot Inc. this year have spooked consumers, the devastating cyber attack on Sony hammered home that plenty of damage can be done beyond stolen credit card numbers.
“Sony has become a watershed event,” said Kevin Kalinich, global practice leader for cyber/network risk at Aon, a consultancy and insurance brokerage.
The insurance industry has been banging the drum about the breadth of cyber risk for 10 to 15 years, Kalinich said. “Finally we’ve gotten their attention.”
In a 2014 study, the Ponemon Institute and IBM found that the average total cost of a breach in the United States was $5.9 million.
Major attacks can cost far more. The Sony attack could cost as much as $100 million, according to one estimate. In August retailer Target reported gross expenses of $148 million related to a December 2013 breach.
A 2014 McAfee study estimated cybercrime cost the global economy anywhere from $375 billion to $575 billion annually.
The United States is largely a mature insurance market, with coverage for cars, homes and other risks common. But cyber is a new frontier for insurance companies looking to grow. While estimates vary widely for how many U.S companies carry policies for such risks, the data suggests room for growth.
A 2013 survey from insurance industry data company Advisen and insurer Zurich found 52 percent of companies say they purchase at least some cyber liability coverage.
However, a Fortune 1000 survey that same year from insurance broker Willis found a far lower number, at only 6 percent, though Willis noted cyber coverage is likely under-reported.
Part of the problem with figuring out who’s protected against a breach is the same as figuring out how to protect them in the first place: No one wants to talk about having been hacked. It’s unlike, say, with typhoons, for which there is readily available data stretching back decades. There is no such record for cyber attacks, and data is the lifeblood of modeling.
“Getting the historical data for cyber is a huge challenge,” AIR’s Stransky said. The firm is developing a model that it hopes to bring to market within “much sooner” than five years, although he would not say how much sooner.
Another speed bump: The constantly evolving nature of cyber attacks. Because hackers are constantly devising new ways to get into systems – from basic social engineering like guessing simplistic passwords to sophisticated viruses – any risk model must be dynamic.
Insurers in Dash for Expertise to Master Cyber Risk Insurance
A completed model could potentially do something no one seems able to figure out: understand what a cyber event might look like across not just one company, but, as with a large-scale weather event, across many companies or industries.
That possibility comes ever closer to reality. A breach at a major cloud provider, for example, could sow disaster among hundreds or even thousands of companies.
RMS is talking to insurers with an eye to developing a model that can start gauging probabilities of widespread attacks as early as next year, said Andrew Coburn, a senior vice president with the firm.
A working model, he said, could help insurers feel more confident in underwriting more of this kind of risk.
“They’ve been writing relatively low limits,” he said. “It’s an issue that the insurance industry needs to grapple with.”
Categories
- Benefits Resources
- Bonding
- BOP
- Business Insurance
- Commercial Auto
- Commercial Property
- Company News
- Construction
- Crime Insurance
- Cyber Insurance
- Directors & Officers
- Employee Benefits
- Employment Practice Liability Insurance
- Entertainment
- General Liability
- Health Insurance
- Healthcare
- Healthcare Reform
- Homeowners Insurance
- Hospitality
- Manufacturing
- Medical Malpractice
- Mining & Energy
- Nightclubs
- Personal Auto
- Personal Insurance
- Professional
- Restaurants
- Retail & Wholesale
- Risk Management Resources
- Safety Topics
- SBA Bonds
- Security
- Seminars
- Technology
- Tourism
- Transportation
- Uncategorized
- Workers Compensation
Archives
- May 2021
- November 2020
- October 2020
- September 2020
- August 2020
- July 2020
- June 2020
- May 2020
- November 2018
- September 2018
- August 2018
- May 2018
- April 2018
- March 2018
- February 2018
- January 2018
- December 2017
- November 2017
- October 2017
- September 2017
- August 2017
- July 2017
- June 2017
- May 2017
- April 2017
- March 2017
- February 2017
- January 2017
- October 2016
- September 2016
- August 2016
- July 2016
- June 2016
- May 2016
- April 2016
- March 2016
- February 2016
- January 2016
- December 2015
- November 2015
- October 2015
- September 2015
- August 2015
- July 2015
- June 2015
- May 2015
- April 2015
- March 2015
- February 2015
- January 2015
- December 2014
- November 2014
- October 2014
- September 2014
- August 2014
- July 2014
- June 2014
- May 2014
- April 2014
- March 2014
- February 2014
- January 2014
- December 2013
- November 2013
- October 2013
- September 2013
- August 2013
- July 2013
- June 2013
- February 2013
- November 2011
- October 2011
- September 2011
- July 2011
- June 2011
- March 2011
- November 2010
- October 2010
- September 2010
- April 2010
- February 2010
- November 2009
- October 2009
- November 2008
- August 2008