Harness mature cyber catastrophe models to make critical business decisions
Developing an understanding of cyber risk, what it means to your organisation and how to define best practice can seem like standing on shifting sands. Matt Harrison from RMS explains how uncovering models that can guide your decision-making is a big step towards quantifying your organisation’s approach to cyber risk.
It is something of an understatement to say that cyber risk is complex. Cyber threats come at companies in a range of guises and have wide-ranging impacts. For example, the implications of supply chain risk are only just being understood, with organisations increasingly demanding assurances from their partners that they have a robust plan against cyber threat.
“Using models to question your thoughts and develop new ones will result in far better business outcomes.”
Carriers find they have to evolve how they approach cyber risk on a regular basis as new perils emerge. Understanding the extent of their potential exposure is a significant proportion of the task, and even though cyber models are barely five or six years old, they are maturing to a point where organisations can make solid business decisions on the back of them.
To find out how best to integrate existing modelling insight into your organisation’s cyber preparedness, Intelligent Insurer talked to Matt Harrison, director of product management for cyber at RMS. He reveals the changing customer trends and how the digital claims journey has had to evolve. This article is published ahead of the Intelligent Insurer webinar “Harness Mature Cyber Catastrophe Models to Make Critical Business Decisions” on June 10, 2021.
What do carriers need in cyber modelling?
We’ve observed this in natural catastrophe modelling and now in cyber: people start off saying they don’t need a model but when they find out you have one, they think it’s fantastic. But after a while, they find corner cases where a model is not 100 percent accurate and start to question it.
This is about understanding what models are useful for. Running them on a single small risk is ill-advised, whereas running a model on a portfolio is much more effective.
Is the concept of ‘cyber’ risk well understood in terms of what the coverage means to the customer?
The trouble is that it is more than one thing. There’s the classic cyber policy, which is naturally evolving as our awareness of the risk changes. Then, it’s the peril—for example, ransomware that can cause directors and officers loss or business interruption.
Finally, there’s proximate cause. Here, for example in an oil and gas pipeline closure issue, some of the things people worry about are much less about cyber and more about the line going down. It’s not an issue that is unique to cyber, just that cyber has made the loss different.
Viewing the whole category as ‘cyber’ makes it harder to understand. Put things in boxes to make them smaller, then it’s easier.
The insurer’s problem is not necessarily about building a model to optimise a portfolio. In some cases it’s simply a question of ‘is this a risk I want to insure?’ and ‘do I need to buy reinsurance?’.
When looking at cyber as a proximate cause, an inordinate number of things could happen so we’re best asking these higher level questions. However, looking at the peril/product, we can limit the things that need to be modelled and therefore make more subtle decisions.
How do models help manage the uncertainty in this sector?
As a former client who purchased cyber risk models, I would probably have been slightly concerned by people talking about the motivations and capabilities of different threat actors, because you can’t measure all those things to the finest details. But when you’re building a model, if you don’t do that you completely overstate the risk.
The 2020 SolarWinds widespread cyber attack was initially terrifying but within a few days, we looked at the threat actor and their motivations and, while they had access to a potentially vast number of companies, what they were really looking for was political interference. Unless the target was supplying government-level data or access to another technology company that could have supplied it, they weren’t interested in anything else. You need to think broadly about all threats.
What should attendees take away from this session?
We are now at the point in cyber modelling maturity where business decisions can be made on the basis of them. Models have come a long way but they will continue to evolve, and calibrations will be made.
You can frame the risk and understand where the drivers will be, which part of your portfolio is driving the risk and build a robust strategy against it. Models are there to help you think about risk in a more structured way.
Using models to question your thoughts and develop new ones will result in far better business outcomes than just sticking your head in the sand. The change has been so huge that it’s sensible to re-engage and keep learning. We’re all learning and striving to get closer to the truth.
Join RMS, AXA XL, Guy Carpenter, and Liberty Specialty Markets for the live webinar “Harness Mature Cyber Catastrophe Models to Make Critical Business Decisions” (Thursday, June 10 at 2pm BST/9am EST). Register here now to join the discussion.
