Suggested Academic Reading

Getting into the academic quantitative cyber risk literature can be a daunting task. To get into it, we advise the following five papers:

The best overview of the academic literature on the cyber risk and cyber insurance literature is . Besides a thorough breakdown of the definition of basic terms and central concepts and the history of the academic research, the paper provides a great summary of the current approaches and challenges that the academic and professional communities face. For interested parties that are new to cyber insurance and the accompanying research literature, is the perfect starting point.

In many regards one of the most influential academic papers, introduces a comprehensive framework for modeling cyber insurance and cyber damages that is based on five components. The (1) network environment, which encapsulates most of the aspects of cyber risk, is composed of nodes, the atomic elements of the model. The demand for cyber insurance stems from (2) agents, like corporations or the public entities, that can shape the network environment and draw utility from it but are also exposed to risk via the same avenue. The (3) insurance companies are willing to transfer the risk from the agents for an appropriate premium. The (4) information structure describes the distribution of knowledge between agents that are seeking insurance and usually possess more information about the potential hazards and their specific risk than the insurance company. The (5) organizational network refers to all entities that are not explicitly involved in the risk transfer, but whose actions might have an impact on the other parties, such as regulatory frameworks by governments prohibiting certain kinds of contracts.

Besides the theoretical framework, propose exemplary parameterizations for a cyber insurance market, dependant on factors like the global and intra-firm correlation of cyber damages, willingness to pay for cyber insurance by risk owners etc., and solve the resulting macroeconomic model for the feasible solution space where insurance carriers offer cyber insurance to for the risk owner acceptable conditions.

Even after 10 years, the framework of is still relevant, especially as it guided a lot of the subsequent literature.

While there are a ton of industry reports out there that throw out escalating estimates of the total costs that are caused by cyber incidents, many reports do not in detail, or at all, reveal their research methodology. In that regard,   and the accompanying cyber risk calculator , which allows users to tinker with the underlying assumptions and generate their own damage estimates, is an attempt to provide a microfoundation for the modelling of cyber damages, conceptually analogous to the microfoundation of macroeconomics in the 1970s.

determine the exposure and potential harm by cyber perils for  63 OECD countries, by modelling the damages of 15 industry sectors for each of them. The study differentiates between direct cyber damages, contained to the firm that is directly affected by a cyber incident, and the total, systematic cost of cyber risk. In addition to the direct costs, the total cost of cyber damages also take the costs of other participants of the economy besides the immediately affected entity into account, e.g. the damage a manufacturer suffers that is unable to produce the optimal output because one of its suppliers is unable to provide sufficient raw materials due to a cyber attack. The authors emphasize that the estimated global costs of cyber risk are sensitive towards the chosen input parameters. Based on three proposed models with plausible parameters, the estimates for the total costs of cyber risks in 2016 range from $800 Bn to $22.5 Trillion, representing from 1% to as much as 32.5% of the annual global GDP. While the authors provide two sets of exposure and four for peril estimates and encourage the user to parametrize the accompanying tool with their own data, they focus on three main models:

  1. The Dutch Exposure and Dutch Perils Estimate is based on a cyber risk study of the Netherlands conducted by Deloitte in 2016 . The direct costs of cyber risk for the Dutch economy are estimated at about $3.5 Bn, while the total costs slightly exceed $10 Bn. Based on the estimates for the Netherlands, extrapolate the global direct cost of cyber risk to amount to $275 Bn, and the total global cost to about $800 Bn, by applying the exposure and perils to the other 62 countries of the study. 
  2. The SEC Exposure and Dutch Perils Estimate is based on the perils calculated by Deloitte of the previous model, but the exposure is based on the income statements, cash flow statements, and balance sheets of about 4,500 publicly traded American companies between 2012 and 2016. conducted a regression on the collected data to estimate the exposure to a cyber incident of the company’s net income, RD and total assets. The model estimates the global direct costs of cyber risk at $3.2 Tn and the total cost at $10.1 Tn. 
  3. The Value at Risk direct estimates is based on the Advisen dataset which in 2018 consisted of 75,000 cyber incidents that predominantly affected American companies . Based on the incidents from 2005 to 2014, the authors fitted several distributions to the data, concluding that a beta distribution provides the best fit. In contrast to the other models, the focus is on the worst-case estimate of the currently possible damages. Using a large dataset of incidents is, however, not unproblematic, as the data is most likely skewed towards large and, therefore, more public and reported losses. By design, the model has the highest estimates for the damages caused by cyber risk: The direct global costs are estimated at $6.6 Tn, the total costs at $22.5 Tn. 

and are an invaluable source of knowledge and data for cyber researchers and practitioners alike. While on the first read through of the literature we advise to focus more on the research paper, the cyber risk calculator is a great starting point for your own research.

, a study conducted in cooperation with SwissRe, provide a great overview of the qualitative properties of cyber risks and additionally fit several distributions to cyber incidents filtered form the SAP OpRisk database and compare them to other insurable risk types like property, liability, catastrophe, and terror risks.

The authors conclude that cyber risks are best characterized by fundamentally differentiating between the so-called “cyber risks of daily life”, e.g. untargeted viruses that an unsuspecting employee might mistakenly download from the internet, and severe cyber incidents, such as the outage of servers and services of major tech companies like Amazon Web Services (AWS):

  • Small losses, e.g. data theft, are rather high frequency, while severe cyber incidents are low in frequency.
  • The cyber risks of daily life typically cause low damages, while incidents such as blackouts of critical infrastructure providers have a high severity. 
  • Small losses are rather independent, wide-spread and costly ransomware attacks, such as NotPetya or WannaCry, or the aforementioned blackouts of critical providers like AWS, are highly correlated and cause damages not only to the directly affected party but multiple organizations at the same time.
  • As the threat landscape of cyber risks is rapidly evolving and growing more complex, meaningful historical data is not only hard to come by, but is limited in its predictive value. The perceived cyber risks of 2016, for example, that disregarded or severely underestimated the harm ransomware might cause, were of little value to estimate the damages that NotPetya and WannaCry caused in 2017. 

The time horizon of cyber risk, i.e. the time between an incident occurring and its (final) loss fully materializing, is short compared to other risks. In the analyzed dataset, the average time horizon for cyber incidents was 4.04 years, compared to 6.06 years for operational risks.

also investigate the effect of reinsurance and capital market based reinsurance substitutes, so called cyber bonds, on the cyber insurance market. By defining incentive constraints for several market participants, like risk owners, primary insurers, reinsurers and capital market investors, for dozens of parameter constellations, including the number of market participants, the solution to a given model is the overlap between the feasible solutions of all market participants. In the “Conventional Model with Reinsurance”, for example, the solution consists of policies which a risk owner is willing to purchase, the primary insurer is willing to offer, and the reinsurer is willing to (partly) reinsure a given cyber insurance policy or portfolio. The model assumes that the cyber damages a single company faces are log-normal distributed, based on the data set analyzed in . By introducing new market participants and changing up some of the parameters, e.g. increasing the probability of a loss to 20% or 25%, the authors analyze in about two dozens setups the effect of various market structures on the total amount of risk transferred between the different layers. The main findings of  are that while the analyzed risk transfer mechanisms are often not capable to cover extreme losses, and correlated losses in the insurer’s portfolio have a negative effect on the insurance premiums, the introduction of higher risk transfers usually increase the total coverage, market size, and welfare of the model economy.

As the last piece for our suggested reading,   analyzes actual cyber policies from the US market from 2009 to 2016. The three main analysis focuses are on cyber insurance coverage, security questions posed by the insurer during the underwriting process, and which factors are involved in the pricing.

References

Advisen Ltd. “Cyber Loss Data.” Advisen Ltd. https://www.advisenltd.com/data/cyber-loss-data/ (February 3, 2020).
Biener, Christian, Martin Eling, and Jan Hendrik Wirfs. 2015. “Insurability of Cyber Risk: An Empirical Analysis.” The Geneva Papers on Risk and Insurance - Issues and Practice 40(1): 131–58. https://www.ivw.unisg.ch/~/media/internet/content/dateien/instituteundcenters/ivw/wps/wp151.pdf (January 26, 2020).
Böhme, Rainer, and Galina Schwartz. 2010. “Modeling Cyber-Insurance : Towards A Unifying Framework.” Workshop on the Economics of Information Security (June). http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.165.4129.
Deloitte. 2016. “Cyber Value at Risk in the Netherlands.” https://www2.deloitte.com/content/dam/Deloitte/nl/Documents/financial-services/deloitte-nl-fsi-cyber-value-at-risk.pdf (February 7, 2020).
Dreyer, Paul. 2018. Estimating the Global Cost of Cyber Risk Calculator. RAND Corporation. https://www.rand.org/pubs/tools/TL281.html (February 2, 2020).
Dreyer, Paul et al. 2018. Estimating the Global Cost of Cyber Risk: Methodology and Examples. RAND Corporation. https://www.rand.org/pubs/research_reports/RR2299.html (December 18, 2019).
Eling, Martin, and Jan Hendrik Wirfs. 2016. Cyber Risk: Too Big to Insure? Risk Transfer Options for a Mercurial Risk Class. St. Gallen: Institute of Insurance Economics I.VW-HSG, University of St. Gallen. https://www.ivw.unisg.ch/~/media/internet/content/dateien/instituteundcenters/ivw/studien/cyberrisk2016.pdf.
Marotta, Angelica et al. 2017. “Cyber-Insurance Survey.” Computer Science Review 24: 35–61. https://www.researchgate.net/publication/313870926_Cyber_-_insurance_survey (January 26, 2020).
Romanosky, Sasha, Lillian Ablon, Andreas Kuehn, and Therese Jones. 2019. “Content Analysis of Cyber Insurance Policies: How Do Carriers Price Cyber Risk?” Journal of Cybersecurity 5(1). https://academic.oup.com/cybersecurity/article/doi/10.1093/cybsec/tyz002/5366419 (December 16, 2019).