What do we know? What can we measure? Martin Eling OECD Expert - - PowerPoint PPT Presentation

what do we know what can we
SMART_READER_LITE
LIVE PREVIEW

What do we know? What can we measure? Martin Eling OECD Expert - - PowerPoint PPT Presentation

Apr 05, 2024 438 likes •585 views

Cyber Risk and Cyber Risk Insurance: What do we know? What can we measure? Martin Eling OECD Expert Workshop, May 13, 2017 Management Summary Research Approach: Overview of the main research topics in the fields of cyber risk and

slide-1
SLIDE 1

Cyber Risk and Cyber Risk Insurance: What do we know? What can we measure? Martin Eling

OECD Expert Workshop, May 13, 2017

slide-2
SLIDE 2

Eling | Cyber Risk and Cyber Risk Insurance | May 13, 2017 2

Management Summary

  • Research Approach:

 Overview of the main research topics in the fields of cyber risk and cyber risk insurance (based on a dataset of 211 papers)  We also illustrate future research directions (from a practical and academic point

  • f view)
  • Results:

 Significant difficulties in insuring cyber risk, especially due to a lack of data and modelling approaches, the risk of change and risk accumulation  We also discuss various ways to overcome these insurability limitations (mandatory reporting requirements, pooling of data, public–private partnerships)

slide-3
SLIDE 3

Eling | Cyber Risk and Cyber Risk Insurance | May 13, 2017 3

  • How likely do you consider a several days lasting internet failure throughout

Switzerland over the next five years? 0% 20% 40% 60% 80% 100%

Motivating Example: p2.gg/fup

A few benchmarks for Switzerland:

  • Cyber insurance experts: 42%
  • Board members of SME’s: 38%
slide-4
SLIDE 4

Eling | Cyber Risk and Cyber Risk Insurance | May 13, 2017 4

Research Approach: Three clusters and ten key questions

Derivation of Potential Future Work (Practical Perspective)

  • 8. What should the insurance industry do to

prevent cyber risks and to support cyber insurance?

  • 9. What should the government do to prevent

cyber risks and to support cyber insurance? Derivation of Potential Future Research (Academic Perspective) 10.What are future research directions in the area of cyber risk and cyber insurance? Summary of Existing Knowledge on Cyber Risk and Cyber Insurance

  • 1. What is cyber risk? Definition and categorisation
  • 2. What are the costs and detrimental effects caused by cyber risk?
  • 3. Where do we find data on cyber risk?
  • 4. How can we model cyber risks?
  • 5. Micro perspective: How should cyber risk management be organised?
  • 6. Macro perspective: Is cyber risk a threat to the global economy and society?
  • 7. Cyber insurance market: What is the status quo and what are the insurability challenges?

The good news  The bad news  The consequences

slide-5
SLIDE 5

Eling | Cyber Risk and Cyber Risk Insurance | May 13, 2017 5

What is cyber risk?

Causes

  • Natural

disasters

  • Criminality
  • War
  • Terrorism
  • Accidental

Information and communication technology (ICT)

  • Compromise of
  • Confidentiality
  • Availability
  • Integrity

Operational technology (OT)

  • Business

interruption

  • Infrastructure

breakdown

  • Physical

damage to humans and properties

Cyber Risk Characteristics Interdependencies Extreme events Data Uncertainty Modelling uncertainty Risk of Change

Source: Advisen

Any risk emerging from the use of information and communication technology (ICT) that compromises the confidentiality, availability, or integrity of data or services

slide-6
SLIDE 6

Eling | Cyber Risk and Cyber Risk Insurance | May 13, 2017 6

High costs and manifold detrimental effects of cyber risk

…113 b USD

(Symantec, 2013)

…445 b USD

(McAfee, 2014)

…up to 1’000 b USD

(Kshetri, 2010)

…estimates vary substantially and might be biased

(Anderson et al., 2013)

… on companies

(stock prices, ratings)

… on individuals

(erosion of privacy)

… on economic growth

(costs and benefits of ICT)

…major part of the effects are indirect

(reputational, loss of trust, …)

slide-7
SLIDE 7

Eling | Cyber Risk and Cyber Risk Insurance | May 13, 2017 7

Where do we find data on cyber risk?

The good news

Hackmageddon: Cyber Attacks Timeline Ponemon: Cost of Data Breach Studies NetDiligence: Cyber Claims McAfee: Global Cost of Cybercrime SAS OpRisk Data (Biener, Eling, Wirfs, 2015) DataLossDB (Risk Based Security) Chronology of Data Breaches (PRC) Honeynet (Honeynet.org) Internet Storm Center (ISC, SANS Institute)

Aggregated Data Raw Data

slide-8
SLIDE 8

Eling | Cyber Risk and Cyber Risk Insurance | May 13, 2017 8

How can we model cyber risks?

Eling & Wirfs (2016)

Global correlation Internal correlation Low High High Insider Attack Virus Low Hardware Failure Phishing

  • Extreme value theory / peaks over

threshold approach; use of heavy tail distributions (e.g. log-normal/GPD for severity, negative binomial for frequency)

  • Problem: Non-diversification trap for

heavy-tailed risks (Ibragimov et al., 2009)

Böhme and Kataria (2006)

  • Another problem: Nonlinear

dependence for aggregation of cyber risk (typically applying copulas). The bad news

Eling & Schnell (2016)

slide-9
SLIDE 9

Eling | Cyber Risk and Cyber Risk Insurance | May 13, 2017 9

Cyber Insurance – Status Quo and Insurability

  • Market is very small (U.S. vs. rest of world)
  • Conventional policies (property and liability) are

frequently silent on whether cyber losses are covered (the bigger problem today)

  • Insurability of cyber risks:

 “Cyber risk of daily life”: Not too big to insure; within-industry collaboration useful (e.g. pooling of data)  “Extreme Scenarios”: Difficult to insure; integration of the government (e.g. backstop for cat risk)

The main insurability problems are

  • Lack of data
  • Lack of modelling approaches
  • Risk of change
  • Accumulation risk
  • Potential moral hazard problems

The conse- quences

slide-10
SLIDE 10

Eling | Cyber Risk and Cyber Risk Insurance | May 13, 2017 10

Cyber Insurance – Status Quo and Insurability

The development of a more reliable and comprehensive data set on digital security incidents and digital risk management practice would likely require:

  • (i) consensus on typology and taxonomy;
  • (ii) a trusted public-private digital security incident repository;
  • (iii) incentives (e.g., mandatory notification requirements) to promote

reporting of incidents and data sharing by organizations. The conse- quences

Local Global

  • Direct costs
  • Indirect costs (loss of trust)
  • Awareness
  • Representativeness

+

  • Mandatory?
slide-11
SLIDE 11

Eling | Cyber Risk and Cyber Risk Insurance | May 13, 2017 11

Cyber Insurance – Outlook / Future Research

Micro perspective

  • Demand side research (e.g. risk perception,

fatalism)

  • Track technology and improve own IT; revise

existing policies and develop new ones

  • Optimal risk management and regulation

(e.g. modelling; how much capital is needed to cover cyber risks?)

Macro perspective

  • More scenarios analyses for measurement

and management of accumulation risk

  • Potential systemic risk from cyber risk

underwriting

  • Become part of the global dialogue with

stakeholders (pooling, common vocabulary,…)

slide-12
SLIDE 12

Eling | Cyber Risk and Cyber Risk Insurance | May 13, 2017 12

Thanks a lot for your attention!

…Questions?