OECD Expert Workshop, May 13, Cyber Risk and Cyber Risk Insurance: What do we know? What can we measure? Martin Eling

Size: px

Start display at page:

Download "OECD Expert Workshop, May 13, Cyber Risk and Cyber Risk Insurance: What do we know? What can we measure? Martin Eling"

Adam Hutchinson
6 years ago
Views:

1 OECD Expert Workshop, May 13, 2017 Cyber Risk and Cyber Risk Insurance: What do we know? What can we measure? Martin Eling

Management Summary Research Approach: Overview of the main research topics in the fields of cyber risk and cyber risk insurance (based on a dataset of 211

risk, especially due to a lack of data and modelling approaches, the risk of change and risk accumulation We also discuss various ways to overcome these

2 Management Summary Research Approach: Overview of the main research topics in the fields of cyber risk and cyber risk insurance (based on a dataset of 211 papers) We also illustrate future research directions (from a practical and academic point of view) Results: Significant difficulties in insuring cyber risk, especially due to a lack of data and modelling approaches, the risk of change and risk accumulation We also discuss various ways to overcome these insurability limitations (mandatory reporting requirements, pooling of data, public private partnerships) Eling Cyber Risk and Cyber Risk Insurance May 13,

throughout Switzerland over the next five years?

3 Motivating Example: p2.gg/fup How likely do you consider a several days lasting internet failure throughout Switzerland over the next five years? 0% 20% 40% 60% 80% 100% A few benchmarks for Switzerland: - Cyber insurance experts: 42% - Board members of SME s: 38% Eling Cyber Risk and Cyber Risk Insurance May 13,

4 Research Approach: Three clusters and ten key questions Summary of Existing Knowledge on Cyber Risk and Cyber Insurance 1. What is cyber risk? Definition and categorisation 2. What are the costs and detrimental effects caused by cyber risk? The good news 3. Where do we find data on cyber risk? 4. How can we model cyber risks? The bad news 5. Micro perspective: How should cyber risk management be organised? 6. Macro perspective: Is cyber risk a threat to the global economy and society? 7. Cyber insurance market: What is the status quo and what are the insurability challenges? The consequences Derivation of Potential Future Work (Practical Perspective) 8. What should the insurance industry do to prevent cyber risks and to support cyber insurance? 9. What should the government do to prevent cyber risks and to support cyber insurance? Derivation of Potential Future Research (Academic Perspective) 10.What are future research directions in the area of cyber risk and cyber insurance? Eling Cyber Risk and Cyber Risk Insurance May 13,

Any risk emerging from the use of information and communication technology (ICT) that compromises the

Causes Natural disasters Criminality War Terrorism Accidental Information and communication technology (ICT)

Infrastructure breakdown Physical damage to humans and properties Risk of Change Modelling uncertainty Cyber

5 Any risk emerging from the use of information and communication technology (ICT) that compromises the confidentiality, availability, or integrity of data or services What is cyber risk? Causes Natural disasters Criminality War Terrorism Accidental Information and communication technology (ICT) Compromise of Confidentiality Availability Integrity Operational technology (OT) Business interruption Infrastructure breakdown Physical damage to humans and properties Risk of Change Modelling uncertainty Cyber Risk Characteristics Extreme events Data Uncertainty Interdependencies Source: Advisen Eling Cyber Risk and Cyber Risk Insurance May 13,

6 High costs and manifold detrimental effects of cyber risk 113 b USD (Symantec, 2013) 445 b USD (McAfee, 2014) on companies (stock prices, ratings) on individuals (erosion of privacy) up to b USD (Kshetri, 2010) estimates vary substantially and might be biased (Anderson et al., 2013) on economic growth (costs and benefits of ICT) major part of the effects are indirect (reputational, loss of trust, ) Eling Cyber Risk and Cyber Risk Insurance May 13,

7 Where do we find data on cyber risk? The good news Hackmageddon: Cyber Attacks Timeline Ponemon: Cost of Data Breach Studies Aggregated Data NetDiligence: Cyber Claims McAfee: Global Cost of Cybercrime Raw Data SAS OpRisk Data (Biener, Eling, Wirfs, 2015) DataLossDB (Risk Based Security) Chronology of Data Breaches (PRC) Honeynet (Honeynet.org) Internet Storm Center (ISC, SANS Institute) Eling Cyber Risk and Cyber Risk Insurance May 13,

8 Böhme and Kataria (2006) Eling & Wirfs (2016) Eling & Schnell (2016) How can we model cyber risks? The bad news Extreme value theory / peaks over threshold approach; use of heavy tail distributions (e.g. log-normal/gpd for severity, negative binomial for frequency) Problem: Non-diversification trap for heavy-tailed risks (Ibragimov et al., 2009) Another problem: Nonlinear dependence for aggregation of cyber risk (typically applying copulas). Global correlation Internal correlation Low High High Insider Attack Virus Low Hardware Failure Phishing Eling Cyber Risk and Cyber Risk Insurance May 13,

9 Cyber Insurance Status Quo and Insurability The consequences Market is very small (U.S. vs. rest of world) Conventional policies (property and liability) are frequently silent on whether cyber losses are covered (the bigger problem today) The main insurability problems are Lack of data Lack of modelling approaches Risk of change Accumulation risk Potential moral hazard problems Insurability of cyber risks: Cyber risk of daily life : Not too big to insure; within-industry collaboration useful (e.g. pooling of data) Extreme Scenarios : Difficult to insure; integration of the government (e.g. backstop for cat risk) Eling Cyber Risk and Cyber Risk Insurance May 13,

10 Cyber Insurance Status Quo and Insurability The consequences The development of a more reliable and comprehensive data set on digital security incidents and digital risk management practice would likely require: (i) consensus on typology and taxonomy; (ii) a trusted public-private digital security incident repository; (iii) incentives (e.g., mandatory notification requirements) to promote reporting of incidents and data sharing by organizations. Local Global Mandatory? + - Awareness Representativeness Direct costs Indirect costs (loss of trust) Eling Cyber Risk and Cyber Risk Insurance May 13,

regulation (e.g. modelling; how much capital is needed to cover cyber risks?

11 Cyber Insurance Outlook / Future Research Micro perspective Demand side research (e.g. risk perception, fatalism) Track technology and improve own IT; revise existing policies and develop new ones Optimal risk management and regulation (e.g. modelling; how much capital is needed to cover cyber risks?) Macro perspective More scenarios analyses for measurement and management of accumulation risk Potential systemic risk from cyber risk underwriting Become part of the global dialogue with stakeholders (pooling, common vocabulary, ) Eling Cyber Risk and Cyber Risk Insurance May 13,

12 Thanks a lot for your attention! Questions? Eling Cyber Risk and Cyber Risk Insurance May 13,

EXTREME CYBER RISKS AND THE NON-DIVERSIFICATION TRAP

EXTREME CYBER RISKS AND THE NON-DIVERSIFICATION TRAP Martin Eling Werner Schnell 1 This Version: August 2017 Preliminary version Please do not cite or distribute ABSTRACT As research shows heavy tailedness