4.3 Accumulation, Dependence and Extreme Scenario Building: Preconditions for Cyber Risk Insurability

Caroline Hillairet and Olivier Lopez

Caroline Hillairet

Caroline Hillairet is a Professor at ENSAE Paris, in charge of the actuarial program. She is a member of the Center for Research in Economics and Statistics (CREST) and the Finance and Actuarial Science Laboratory (LFA). She is a Board Member of the French Institute of Actuaries and co-director of the AXA Joint Research Initiative on the actuarial modelling of cyber risk.

Cyber-attacks, ransomware attacks in particular, grew considerably in 2020 and 2021, and this trend is not about to stop. Today, most information systems are interconnected and share similar flaws, which exacerbates the systemic aspect of cyber risks. In that context, the insurability of cyber risks depends on our capacity to model cyber-attacks in a way that integrates complex dependence effects. Traditional insurance models assume that claims arrive independently; this is inadequate for cyber events, which now tend to cluster and to be correlated. Newer alternative models can capture the snowball effects of cyber events as well as their interactions. These models¹ can also parameterize the characteristics of the events, so that a variety of events and their frequency can be modelled and compared, and they capture the shocks and persistent aftershocks that constitute ‘attack contagion’.

Another major concern, aside from the frequency of cyber-attacks, is the systemic potential of a ‘cyber hurricane’. In 2017, the ransomware attack WannaCry² infected more than 300,000 computers across more than 150 countries. Such massive attacks may lead to many claims and induce high costs, even if each claim itself is small, and this could break the mutualization principle at the core of the insurance sector. Indeed, in such an ‘accumulation’ scenario, many policyholders are victims of an attack simultaneously, and the insurer's response capacity may become saturated, since cyber contracts generally include fast intervention by expert teams to assist the policyholder during the crisis. When the insurance company cannot intervene appropriately within a short time, additional losses follow (financial penalties, loss of reputation, but also increased damages for the policyholders). However, there are general methodologies³ to design accumulation scenarios, size insurers' response capacity and help them build insurance strategies that can deal with cyber hurricanes.
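The contrast between independent arrivals and ‘attack contagion’, and its effect on response capacity, can be seen in a small simulation. This is an added example, not code from the authors or from the cited papers: it uses a univariate Hawkes process with an exponential kernel (a simplification of the multivariate model in footnote 1), and all parameters, the window width and the capacity of 20 claims per window are constructed assumptions.

```python
import math
import random

def simulate_hawkes(mu, alpha, beta, horizon, rng):
    """Event times with intensity mu + sum(alpha * exp(-beta * (t - t_i))).

    Ogata thinning; alpha = 0 gives the independent-arrivals (Poisson) model.
    """
    events, t, excitation = [], 0.0, 0.0
    while True:
        bound = mu + excitation            # intensity only decays until the next event
        wait = rng.expovariate(bound)
        t += wait
        if t >= horizon:
            return events
        excitation *= math.exp(-beta * wait)
        if rng.random() * bound <= mu + excitation:   # accept the candidate time
            events.append(t)
            excitation += alpha            # each claim raises the short-term claim rate

def window_counts(events, horizon, width):
    """Number of events in each consecutive window of the given width."""
    counts = [0] * int(horizon / width)
    for t in events:
        idx = int(t / width)
        if idx < len(counts):
            counts[idx] += 1
    return counts

def summarize(counts, capacity):
    """Mean, variance-to-mean ratio, and share of windows above capacity."""
    mean = sum(counts) / len(counts)
    var = sum((c - mean) ** 2 for c in counts) / (len(counts) - 1)
    overload = sum(c > capacity for c in counts) / len(counts)
    return {"mean": mean, "dispersion": var / mean, "overload": overload}

def compare(seed=7, horizon=20000.0, width=10.0, capacity=20):
    """Same long-run claim rate, with and without contagion (constructed parameters)."""
    rng = random.Random(seed)
    mu, alpha, beta = 0.5, 0.5, 1.0        # branching ratio alpha / beta = 0.5
    rate = mu / (1 - alpha / beta)         # stationary rate of the Hawkes process
    clustered = simulate_hawkes(mu, alpha, beta, horizon, rng)
    independent = simulate_hawkes(rate, 0.0, beta, horizon, rng)
    return {"clustered": summarize(window_counts(clustered, horizon, width), capacity),
            "independent": summarize(window_counts(independent, horizon, width), capacity)}

if __name__ == "__main__":
    for name, stats in compare().items():
        print(name, {k: round(v, 3) for k, v in stats.items()})
```

Both portfolios receive the same average number of claims per window, but the clustered one exceeds the fixed response capacity far more often, which is the accumulation effect described above.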

Olivier Lopez

Olivier Lopez is Professor at Sorbonne University and Director of its Institute of Statistics (ISUP). He is a fully qualified member of the French Actuarial Association (Institut des Actuaires), member of its Scientific Committee, and representative member of the Education Committee of the European Actuarial Association. He is the co-director of the AXA Joint Research Initiative on the actuarial modelling of cyber risk.

1 Multivariate Hawkes Process for Cyber Insurance, Y. Bessy-Roland, A. Boumezoued, C. Hillairet, Annals of Actuarial Science, 2020

In addition, even single cyber claims can have disastrous consequences. Because economic activity depends so strongly on information systems, malicious attacks can cause huge damage. What statisticians call an ‘extreme claim’ has a significant probability of occurring, as shown in the case of data leak events.⁴ In such a situation, mutualization may fail, since it may not even be mathematically possible to define the average value of a claim, even though this notion is at the core of insurance pricing.

2 What Is Wannacry Ransomware and Why Is It Attacking Global Computers? Alex Hern and Samuel Gibbs, The Guardian, May 12, 2017


4 Heavy-Tailed Distribution of Cyber Risks, T. Maillart, D. Sornette, The European Physical Journal B, 2010

Consequently, to make cyber insurance contracts viable, the only solution is to redesign the perimeter of insurance contracts. Introducing limits and conditions on financial reparations reduces the uncertainty of the outcome for the insurer, so that risk management can be performed. As extreme scenarios become more prevalent, more restrictions must be added: the quality of the coverage diminishes, which is of course an issue for policyholders, and the attractiveness of the contract declines, which is an issue for the insurer, who may not attract enough customers to ensure mutualization. Understanding which factors drive the occurrence of these ‘extreme’ cyber claims, including for example the victim’s behavior or their sector of activity, and the type of attack, is possible using data science techniques and advanced statistical tools from extreme value theory.⁵ These adaptable tools can be used to draw a line between what can and cannot be insured, and hence make it possible to improve coverage by adapting it to the profile of customers.
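The effect of a heavy tail on the average claim, and of a contractual limit on that average, can be checked numerically. This is an added example, not the method of the cited studies: it uses the Hill estimator, a standard tool of extreme value theory, on constructed Pareto claim sizes; the tail index of 0.8, the minimum claim of 1 and the limit of 100 are assumptions chosen for illustration.

```python
import math
import random

def pareto_claims(alpha, scale, n, rng):
    """Constructed claim sizes: Pareto with tail index alpha and minimum `scale`."""
    return [scale * (1.0 - rng.random()) ** (-1.0 / alpha) for _ in range(n)]

def hill_tail_index(claims, k):
    """Hill estimator of the tail index from the k largest claims."""
    top = sorted(claims, reverse=True)[:k + 1]
    threshold = top[k]                     # (k+1)-th largest claim
    return k / sum(math.log(x / threshold) for x in top[:k])

def mean_spread(claims, blocks, limit=None):
    """Largest block average divided by the smallest; near 1 means a stable average."""
    size = len(claims) // blocks
    means = []
    for b in range(blocks):
        chunk = claims[b * size:(b + 1) * size]
        if limit is not None:
            chunk = [min(x, limit) for x in chunk]   # insurer pays at most `limit`
        means.append(sum(chunk) / size)
    return max(means) / min(means)

def analyse(seed=11, n=20000, alpha=0.8, limit=100.0):
    """Tail index below 1 means the theoretical mean claim is infinite."""
    rng = random.Random(seed)
    claims = pareto_claims(alpha, 1.0, n, rng)
    return {"tail_index": hill_tail_index(claims, k=1000),
            "spread_unlimited": mean_spread(claims, 10),
            "spread_limited": mean_spread(claims, 10, limit)}

if __name__ == "__main__":
    print({k: round(v, 3) for k, v in analyse().items()})
```

An estimated tail index below 1 signals that no stable average claim exists without a limit; with the limit applied, the block averages agree closely and a price can be set.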

But methodologies, however sharp, need to be fed with proper information. One of the main challenges for cyber risk modelling and insurability at present is the critical lack of a consistent database. Solving this issue is a collective task that requires attention from insurance companies, governments, the private sector, and more generally all economic agents. From this perspective, the recent study ‘Lucy’⁶ is a promising initiative, since it is a first attempt to provide a rigorous statistical study by collecting data from insurance brokers in France.

Insurance is based on the forecast of future events. For a risk where the behavior of the actors is so important and changes so fast, only a careful analysis of cyber events data will allow us to anticipate rather than endure.