Why pandemic models can learn much from cyber risk—and the insurance industry can help
The COVID-19 pandemic has exposed many vulnerabilities in the global economies and changed how we think about systemic risk. But there are other scenarios potentially worse than COVID-19 to consider—and risk models aim to understand and articulate the potential of systemic risk to build economic resilience.
That is the core finding of a new report by CyberCube, a leader in cyber risk analytics for the insurance industry, with comments from experts by Munich Re and pandemic modeling firm Metabiota, which examined the parallels between pandemic and cyber risk modelling to understand common lessons in one field that might be applied to the other.
“In both cyber risk and pandemics, there is a need to consider accumulation risk.” Dr Hjalmar Böhm, Munich Re
The report, called “Viruses, contagion and tail risk: modeling cyber risk in the age of pandemics”, notes that in the last few decades a number of pandemics ranging from Asian ’flu back in 1957 to swine ’flu in 2009 have prompted parts of the insurance industry to use pandemic models in order to understand a range of extreme scenarios which can be planned for and ultimately support the solvency of the industry.
Firstly, life insurers have wanted to understand the scope and scale of significant mortality events in order to set reserves accurately and understand tail exposures. Secondly, there has been increased attention on the potential economic consequences of pandemics, and how these might manifest in property/casualty insurance policies, such as event cancellation, business interruption (BI) and related losses.
Meanwhile, the industry has been investing heavily in recent years in better understanding cyber risks and the impact of this exposure on various types of insurance policy. There has been a growing understanding that cyber risk can impact many forms of policy and the industry is increasingly grappling with the concept of “silent” cyber—where policies have unintended exposure to cyber risk.
As the CyberCube report suggests, there is now a growing realisation that pandemic risk and cyber risk have many similarities. Perhaps the biggest common ground is that understanding and predicting human behaviour is one of the biggest challenges facing modellers of both risks.
Modelling factors
Hjalmar Böhm, senior actuary, epidemic risk solutions, a dedicated business unit at Munich Re which has existed for several years and offers life and non-life insurance solutions, states in the report: “In both cyber risk and pandemics, there is a need to consider accumulation risk. For example, a pandemic is a key consideration for life insurers and a high mortality event could create significant economic loss.
“A solid approach to controlling accumulation risk exposure needs to be the basis for every business model for epidemic risk insurance.”
The report notes another common theme: cyber risk and pandemics can both be unencumbered by geographic boundaries. Some pandemics have remained regional, as have cyber events, although they both have the potential to become global.
When developing methodologies for a pandemic model, there are two established models: actuarial and stochastic. Böhm works with historic data as a useful basis for pricing epidemics with a high mortality rate or economic impact.
“There are parallels with modelling the global spread of a disease and how cyber systems are connected—both are network issues.” Nita Madhav, Metabiota
“When modelling assumptions for future risk, we work on the basis that a pandemic can arise out of something new,” he explains.
“We cluster all the possible new viruses or pathogens into groups which have similar behaviour. We look at some of the most important factors, notably fatality rates and transmissibility.”
Identifying the key assumptions which have the biggest influence on modelled output is essential.
Similarly, in the world of cyber risk modelling, key assumptions such as the digital footprint (the network of technologies that a company relies on to operate) of impacted companies within a portfolio and, for example, the way downtime caused by a cloud service outage will manifest, are very consequential in model outputs.
There are parallels in how new cyber threats develop. They may be based on combining and building on other existing techniques. Assessing the threat actors, their motivations, resources and capabilities helps draw realistic inferences about the potential threat vectors and targets identified which could create a systemic event.
Stephan Brunner, cyber actuary at Munich Re, comments: “The biggest challenges in modelling cyber risk are the fast-changing nature of the cyber threat landscape, together with there being only a few data points for accumulation losses.
“Our approach is based on understanding risks, assessing them adequately and thus making them insurable. We continually review our approaches and are in close cooperation with cybersecurity experts in order to ensure a common understanding of how cyber risks should be dealt with.”
Oli Brew, CyberCube’s head of client success, agrees that there is much to learn from each branch of these risk models. “It’s clear that lessons can be learned and applied to cyber risk modelling from understanding how pandemic models have evolved,” he says.
“As the COVID-19 pandemic continues, even though there are differences between computer and human viruses, parallels are emerging in the modelling, the methodologies and the data challenges.
“There is real value in learning from interdisciplinary teams in how to balance the needs of accuracy and precision in developing models to meet the market needs. At a minimum, the need for a creative, but reality-based imagination to represent forward-looking risks is vital.”
Data limitations for cyber
The report found that a lack of data hinders the progress for both types of modellers and noted that addressing current limitations in data collection will improve the value and insight these models can provide to the property/casualty insurance and life insurance markets.
Cyber models examine a technological single point of failure (SPoF), used to represent a high dependency node which could create an accumulation event. Examples include a cloud service provider, computer operating system or payment provider. The parallel in a pandemic is what happens when a new pathogen is transmitted across a human population.
The report notes that when assessing the frequency and severity of a specific combination of realistic disaster scenarios, the category of a SPoF must be assessed across the multiple methodologies as well as understanding the nature of the footprint of that particular dependent variable.
Unlike pandemics, where the susceptible population can be assessed with some confidence, there are endless possibilities of impact even within a category of SPoF and how it manifests.
This means that the accuracy of the footprint of a given event has huge significance for the confidence and credibility in models.
The quality of the data relating to the companies in a given portfolio, as well as the technological dependencies for those businesses, are central to understanding how a given event may play out.
For systemic cyber events, the intensity of events is represented by different outcomes based on a specific scenario. This technique is a way to represent uncertainty in modeled outputs. For example, intensity factors for a cloud outage could be the number of hours of downtime, whereas a data breach event may be represented by a range of the percentage of records exfiltrated. The probabilistic simulations of outcomes include a number of variable intensities to show how different consequences are possible based on the parameters input.
Nita Madhav, chief executive officer of Metabiota, sums up the core of the report: “There are parallels with modelling the global spread of a disease and how cyber systems are connected—both are network issues. The impact of mitigation risk and early action can potentially make a difference.
“You can be asymptomatic with COVID-19; similarly, you may not know if a cyber intruder has already infiltrated your network.”
In a video interview with Brew that can be found on YouTube, Madhav adds that the key challenge for both models will be collecting accurate and meaningful data. While COVID-19 will have enhanced the industry’s ability to do this—and given it a great deal more data to leverage—there is also a real risk that other types of pandemic events that are worse than this one could emerge in the future.
She stated pandemic and cyber risks modelling tools can be helpful to developing public-private partnerships by determining which types of events might be suitable for the private sector to manage versus those that should be helped by the public sector.
“While the COVID pandemic has been very significant, it’s only one representative of what could occur,” Madhav said. “There are many things that modelling can help with when it comes to the insurance industry.”
To read the full report click here.
To view the video click here.
