3.1. Underwriting Risk

Cyber underwriting risk refers to the risk that premiums collected on policies that include cyber exposures are not adequate to cover the potential losses. In this section, we consider each of the four main types of typical parameterisation methods that are currently employed for parameterising cyber underwriting risk: experience based, exposure based, scenario modelling and the use of third-party vendor modelling. In reality, firms will use a blend of multiple approaches depending on loss and risk type being modelled, the firm’s exposure and materiality of that risk, how long they have been writing that book of business/had exposure to that risk as well as their modelling capabilities, etc.

Generally speaking, now that non-affirmative Cyber Risks are being mandated out of contracts and insurance companies are explicitly pricing for them in contracts (Cartagena & Grewal, Reference Cartagena and Grewal2021), non-affirmative Cyber Risk exposures should be now reducing. However, given that these will typically fall under different classes of business, some companies may choose to model these in aggregate (or separately from) other cyber exposures. Non-affirmative Cyber Risk parameterisation methods will be similar to those employed for affirmative Cyber Risk parameterisation, although there will likely be further lack of data available for the former even relative to the latter. The key will be to understand the potential interconnectivities between losses from cyber underwriting losses – affirmative or non-affirmative – coming from different classes of business which may be triggered at the same time to provide significant aggregated losses; this will be discussed further in the dependency section.

A key consideration of parameterising underwriting risk is whether the historic data is a good guide to the future for modelling future exposure. It could be reasonably argued that the market understands the severity of the losses relatively well and that wordings have evolved so that there is much more certainty in this area. However, there is still a clear and difficult task to understand the frequency and scale of future events where the past is not likely to be a strong predictor for the future (Sophos (2022)). Recent events such as the Ukraine and Russian war further heighten this uncertainty and the challenge to parameterise the class of business. A clear view of the threat actor landscape and potential for future attacks is crucial to the estimation of loss and volatility inherent in the business. Hence it may be that models either need to re-parameterise in detail often considering the threat landscape or allow for more volatility than they might usually consider reflecting this unknown element.

What is clear is that threat actors are growing in ability and scale and therefore the threat landscape continues to evolve rapidly, and hence, considering the characteristics of the distributions selected is important, and more reliance may be needed on expert judgement for forward-looking risk assessment. Capital modellers should encourage their parameter providers for Cyber Risk to justify their selections clearly and demonstrate understanding so the output can ultimately be communicated to management.

As mentioned above, parameterisation involves a selection of a parameterisation method as well as parameters to use within methods.

3.2. Reserve Risk

The parameterisation of cyber underwriting risk captures the loss (and profit) potential of risks written in the projected business year as well as any unearned business from historical years. Cyber reserve risk parameterisation captures the risk that the cyber reserves, as at the internal model time = 0 date, are insufficient to cover their run-off.

There are a variety of methods that are commonly considered as part of reserve risk parameterisation – such as Bootstrapping or Mack’s model – and the reader is referred to a useful paper on the “Practical Challenges in Reserve Risk” which contains good summaries of techniques (Chan & Ramyar, Reference Chan and Ramyar2016). Given that many insurers and reinsurers may have limited cyber historical claims experience which would often be the initial starting point for any reserve risk parameterisation, reserve risk parameterisation faces similar issues as faced within the underwriting risk parameterisation. It is likely that many insurers currently have insufficient data to perform a bootstrap and thus must rely either on more market statistics or expert judgement in setting their reserving risk volatilities.

Given the developing nature of the cyber class of business, the ever-changing nature will also be seen in claims patterns and reserve risk information which would typically be used as part of the reserve risk parameterisation process.

Changing aspects could include the following:

• Changing development patterns due to ransomware impacts.

• Changing the duration of the tail (in situations where there might be delegated authority/claim disputes).

• Changing cyber categorisation (e.g. changes in Lloyd’s risk code categorisation of business between the CY and CZ risk codes in light of mandated changes).

• Changing split of attritional, large and catastrophe cyber losses; this could be due to underlying drivers changing as threats develop (and mitigating strategies are developed).

• Changing severity of losses with the range of threat actors continually developing (e.g. from sole hackers to state backed attacks).

• Changing severity of losses due to inflationary pressures.

• Changes in the geopolitical landscape.

• Changing policy wordings, these are frequently updated and these changes may impact the type of losses being seen in portfolios (e.g. affirmative language and cyber war exclusions).

3.3. Operational Risk

General parameterisation

The methods used to model cyber operational risk might be similar to the approach employed for modelling other operational risks. There are a number of good reference guides available which explore operational risk modelling best practices; for example, the reader is referred to the “Good practice guide to setting inputs for operational risk models” by the operational risk working party as a good general reference guide (Institute and Faculty of Actuaries Operational Risk Working Party, 2016).

Cyber risk specific considerations

Most insurance companies will maintain a risk register that will include a range of operational risks. Due to the occurrence of cyber events over the recent years, many risk registers will now also include cyber operational risks. This information will be an important starting point for any cyber operational risk parameterisation exercise (as is also the case with other types of operational risks).

Risk registers may only give loss estimates; however, conversations regarding the inherent uncertainty in that loss estimate will need to take place ahead of operational risks being entered into a capital model to capture the volatility required in the risk’s parameterised distribution.

It is important that meaningful cyber operational risks are captured in the risk register that is relevant and appropriate for the insurance company rather than generic risk scenarios. To this end, the reader is referred to an earlier paper produced by the Cyber Risk Working Party which gives detailed guidance on this topic (Institute and Faculty of Actuaries’ Cyber Risk Working Party, 2018).

When considering the cyber impact on their operational risk, companies should consider all sources of risks that drive the scenarios such as

• the company’s IT infrastructure

• the cyber security posture of the company and what mitigations are in place (i.e. data backups, server redundancies)

• impact of a cyberattack on critical services, that is, claims handling/processing, BAU operations and premium collection

• the company’s risk as a member of a corporate group/subsidiary operating in many territories

• risk of insider or “fat finger” losses and what mitigations the company has in place

• any legal and/or regulatory consequences of a cyberattack, for example, fines and reputational damage

These conversations should at a minimum include the chief technology officer of the company who should take ownership of the estimates. Operational risk scenarios are another example of where attaching a return period can be challenging and Cyber Risk events are potentially even more difficult given the lack of historical events and the changing landscape.

Companies need to attempt to be realistic wherever possible in their return period estimation; just because the event has not happened or previously seemed unlikely does not automatically mean that based on the current risk and threat landscape, the loss potential and return period remain static from year to year. Hence therefore it is crucial to engage with the IT team and/or external experts on cyber security wherever possible.

Another key consideration in operational risk is the obvious potential positive correlation of large or catastrophe cyber events whereby the company could also be impacted by an event which is driving losses to their portfolio which could have impactful consequences depending on the event and company defences.

3.4. Reinsurance (RI) Credit Risk

Finally, another area of the parameterisation of a capital model which must not be overlooked when considering the potential of Cyber Risk losses is RI credit risk. “The reinsurance credit risk is the risk of the reinsurance counterparty failing to pay reinsurance recoveries in full to the ceding insurer in a timely manner, or even not paying them at all” (Britt & Krvavych, Reference Britt and Krvavych2009).

RI credit risk is particularly important when considering extreme events which may trigger losses across numerous accounts/classes of business/insurance companies/types of risk, given the high potential interconnectivity of Cyber Risk exposures.

Recent high-profile legal disputes over cyber policy coverages illustrate that disputes can occur (Bloomberg Law, 2022). An extreme cyber event could trigger recovery disputes as well as solvency issues in cases where reinsurance purchased involved a reinsurer who may have been significantly exposed to a cyber event – for instance, through accumulation risk within the reinsurer’s own Cyber Risk portfolio.

For details of how RI credit risk can be modelled within capital models, the reader is referred to useful guides available through previous work done by members of the profession (Britt & Krvavych, Reference Britt and Krvavych2009).

In particular, a number of insurers now also consider a cyber stress test analysis as part of their risk management/capital modelling validation processes. Here, not only the obvious parameters such as cyber underwriting risk and cyber operational risk parameters need to be considered but also RI credit risk assumptions (such as the probability of default assumptions and loss given default assumptions). In the context of cyber, it’s important to remember that a reinsurer may be exposed to cyber operational risks which are correlated to the risk it faces through its underwriting activities, further stressing the potential for RI credit risk. Indeed, the rating agencies already consider Cyber Risk as part of their credit rating work, given that a cyber operational risk event could have significant adverse implications for a company (Fitch Ratings, 2022).

3.5. Market Risk

Cyberattacks on financial institutions and financial market infrastructures are becoming increasingly common and of high value to threat actors. The International Monetary Fund (Kopp et al., Reference Kopp, Kaffenberger and Wilson2017) prepared a paper that considers the impacts of systemic Cyber Risk interacting with other financial stability risks and the regulatory frameworks and supervisory approaches. Whilst most companies are likely to take direction from the Economic Scenario Generator providers on parametrisation for market risk, it should not be ignored that cyber threats pose an emerging risk to financial market stability. The Swift cyberattack is an example of a potential attack that could have consequences and produce greater economic uncertainty. Companies should consider whether they consider the tail of their market risk distributions and/or any drivers of loss are materially impacted by the current Cyber Risk landscape.

Furthermore, geopolitical instability resulting in severe Cyber Risk attacks on critical and/or economic infrastructure could have serious economic impacts and should be at least considered and discussed.

3.6. Dependency Modelling

Dependency modelling within an internal capital model of an insurance company is commonly now achieved using copulas; it is beyond the scope of this paper to fully explore copulas, how to model them and why copulas may be used; however, the reader is referred to reading available for further information (Shaw et al., Reference Shaw, Smith and Spivak2010).

In this section, we explore the considerations specific to Cyber Risk exposures which would need to be factored into dependency modelling parameterisation processes.

3.6.2. Appropriate copula type selection

The useful Figure below (Figure 2), which has been taken from a “On the aggregation of credit, market and operational risks” paper (Li et al., Reference Li, Zhu and Lee2015), illustrates the most well-known copulas and illustrates how copulas, such as the Clayton, can assist in achieving asymmetric dependencies at different ends of the distribution. The clayton copula can be used in situations where the modeller wants higher dependence in one distribution tail than the other – that is, when we want to model more dependence in an extreme stress event, such as those that might be modelled when considering Cyber Risk exposures.

Figure 2. Examples of copulas and the distribution asymmetries that they can assist in achieving.

3.7. Capital Allocation

General parameterisation

The practice of allocating capital across risk categories is already commonly performed in many insurance companies for a variety of reasons such as business planning, portfolio optimisation and return on capital considerations at a class/department level (e.g. for the purposes of underwriter and staff remunerations purposes or business strategy decisions).

There are a number of sources available that discuss the advantages and limitations of a wide range of allocation methodologies; these are not discussed in detail here, and the reader is referred to the following sources for further information (Institute and Faculty of Actuaries Capital Allocation Working Group, 1999) and (Venter et al., Reference Venter2003). Figure 3 below outlines the key considerations.

Figure 3. Key considerations when allocating capital.

Cyber risk specific considerations

In the context of cyber, capital allocation becomes particularly important and a useful tool to use in communications with senior management to demonstrate the potential for Cyber Risk losses which may not otherwise be perceived as material. Presenting a clear capital allocation, alongside the accompanying limitations of the analysis, assists in helping senior management move away from what they might expect the Cyber Risk potential to be (i.e. focussed at the mean and intuitively parameterised based on a lack of historical observations of the risk potential) to the loss potential that a more extreme event could achieve; this is an important distinction since a key responsibility of senior management is to manage balance sheet volatility to be within risk tolerances.

Capital allocation is also important in recent times given the rapid increases in Cyber Risk rates being charged in the market (whether operational Cyber Risk insurance or cyber underwriting risk reinsurance). Understanding potential capital allocations of cyber operational and underwriting risks helps senior management consider the premium budget versus risk trade-off between retaining the risk or potentially ceding it away to another (re)insurance organisation.

From a practical standpoint, when capital is being allocated, it’s key to consider the range of Cyber Risks being captured in the model and not just cyber underwriting risks. That is, allocate capital to the following:

• Cyber underwriting risks written through a cyber class of business.

• Cyber underwriting risks written through other classes affirmatively.

• Non-affirmative Cyber Risks.

• Cyber operational risks.

• Any mitigating impacts from cyber reinsurance or coverage that may have been purchased.

• Potential of any systemic Cyber Risk events to impact the macro-economic environment and thus drive losses in market risk.

Correlation impacts from Cyber Risk are an important consideration even if the company does not write affirmative cyber portfolio for these items listed. Hence, whilst it may not be deemed a material risk and/or dependency in the model, it should be considered because potentially in some extreme events a cyber operational loss could impact other lines or areas of the business such as Market Risk.

3.8. Conclusion

The information provided in this section summarises the key considerations when parameterising cyber risk within capital models. Note that the working party interviewed various capital teams across the London Market when preparing this review and found that most teams were at very early stages of feeling confident in their modelling approaches. There is often an information asymmetry of the risk at the underwriting stage and how this translates to capital modelling. This is even more challenging for cyber risk. Hence, we encourage capital teams to deep dive and think holistically about the risk cyber poses to the business. For example, diversification across lines of business and across risk areas could be material impact capital, and this should be carefully considered in the parameterisation of the model.

4.1. The Importance of Validation

An important part of the capital modelling process is the validation process to enable other stakeholders to have the confidence that the way the risk has been modelled is suitable. It is vital to validate any model to ensure the predictive power of the model is sufficient to make conclusions given the known limitations of the model. Cyber Risk modelling remains in its infancy and will continue to develop, likely at a rapid speed to improve both its complexity and to remain relevant with the emerging Cyber Risks.

The validation of Cyber Risk in the capital model should cover not only the validation of Cyber Risk as a product but also as a peril across the entire business. Validators should ask the question as to whether all the risks that the company faces as a business arising from Cyber have been included in the distribution. This validation should include assessing how the impact of Cyber Risk on operational risk, dependencies between lines of business and dependencies between risk types allowed for. To some extent, all companies are exposed to Cyber Risk even if they are not writing cyber products, and hence, this assessment should form part of the validation process.

Furthermore, companies will need to demonstrate that board and senior management have sufficient understanding of the cyber models including the data required and their limitations. This will be a challenge given the rate of change and complexity of the risk to keep the board educated so that they are able to make informed decisions for the business.

4.2. Validation Approach

The validation should ensure there is the appropriate level of experience and expertise capable of validating Cyber Risk as well as a truly independent challenge. Cyber Risk is a complex issue that constantly evolves, and it has been a challenging task to communicate all the risks in cyber security into something measurable and quantifiable. Hence, it is important that the challenge contains some expertise in the cyber security space so that any material issues are not overlooked.

When validating the approach to modelling Cyber Risk in the capital model, companies should consider the standard set of validation tools. However, given the maturity of the risk modelling, some of the more relied-upon validation tools will be less useful than for other risks. Figure 4 summarises the ordering of how useful different validation tools are when considering cyber risk.

Figure 4. Examples of validation tools that may be appropriate to consider for cyber risk modelling.

Methodology and assumptions review

From a validation perspective, a regular review of the methodology and assumptions applied in modelling Cyber Risk should be undertaken regularly. The company’s validation cycle is likely to define a periodic review of all lines of business, but companies should consider if it’s appropriate to review cyber on a more regular basis. The Cyber Risk landscape evolves rapidly, and hence, both frontline and independent assessment should be made at appropriate times to reflect the changing nature of the risk. In recent years ransomware has become more and more prolific with the threat becoming almost a “ransomware as a service” enabling many more threat actors to undertake ransomware campaigns attacking supply chains and/or more targeted attacks on large corporates. The validation process should ask the question if both the reserve and underwriting risk approaches reflect this new loss profile.

The level of detail of the validation and how often the line of business is reviewed will ultimately depend on its materiality to the entity. However, the potential impact across other risk areas should not be ignored. The approach to modelling cyber as a peril on operational risk as well as its potential impact on noncyber lines of business should be considered in any model. If the risk is not explicitly modelled, companies should be able to articulate how they have considered the risk framework and ultimately what capital implications it has.

Sensitivity testing

Sensitivity testing of assumptions being made in parameterisation and understanding the impact on capital is key. All material assumptions should be tested against expectations to ensure the model is performing as intended. When reviewing the results of these tests in respect to Cyber Risk, validators should be considering if the sensitivity of the variables is appropriate given the current Cyber Risk landscape. Depending on the granularity of the risk modelling, this may require regular assessment to conclude if the parameters are appropriately calibrated. For example, a rise in ransomware frequency may be the result of a new ransomware campaign that exploits a vulnerability that is difficult to patch. How this step change in the risk affects the premium and/or reserve risk parameters should be justified.

Stress and scenario testing

Stress and scenario tests are a useful tool to test the model in extreme situations to test if the modelled output is in line with expectations. For cyber, engaging with cyber security experts to provide realistic scenarios that may impact portfolios would add greater credibility to the validation tests. Some useful scenario tests for Cyber Risk could include the following:

• Reserve deterioration due to previously unknown emerging cyber losses and/or events.

• Profitability stress whereby the loss ratio for the cyber market deteriorates due to a widespread ransomware campaign.

• Assessing whether the modelled return period of certain cyber events is aligned with expectations at various return periods.

Backtesting

Backtesting refers to the process of testing the predictive models on historical data to assess whether modelled losses are in line with experience. The assessment of how the implied (modelled) return period of events compared with observed data is a challenge for cyber losses. There are two main issues presented with backtesting for cyber lines of business. First, the product is relatively new and so too is the claims experience to the market. Second, the fast-developing risk landscape from the ever-increasing sophistication of threat actors undermines the validity of testing the model against potentially outdated experiences.

Hence care should be taken with backtesting and not to ignore the expert judgement of the forward-looking risk that incorporates the changing risk landscape. This is perhaps where cyber as a line of business is most differentiated from other property and casualty classes, in that the past experiences may have limited ability to validate the expectation of the forward-looking risk. Whereas weather patterns and the risk related to them remain relatively stable year to year, Cyber Risk can dramatically change from year to year and hence impact the claims profile for the particular year of account. Over time, we may identify more predictive variables in the cyber threat and vulnerability landscape, which may allow us to model the risk more accurately. However, given this breadth of data is either in its infancy or not yet available caution should be applied.

Benchmarking

Benchmarking is a useful tool for any company to compare itself to the market it is operating in. Particularly the capital allocated for cyber against its peers may provide insight to understand if the company has a prudent or optimistic view of Cyber Risk. This is important information for the board but may not be available easily without the help of consultants who have access to the approaches across the market.

A crucial area of benchmarking for cyber catastrophe is to compare multiple model vendors and benchmark portfolio losses across various modelling approaches. These should also be compared to any realistic disaster scenarios developed by the company or submitted for regulatory purposes. Comparing Probable Maximum Loss (PML)/Occurrence Exceedance Probability (OEP) and Aggregate Exceedance Probability (AEP) from different model vendors is crucial to understanding the strengths and limitations of the cyber modelling across the market. This should help inform which vendor is most suitable for the portfolio and modelling approach adopted by the company and whether model blending is an option to consider.

Goodness of fit

For Cyber Risk, the claims history is likely to be too limited or not detailed enough to provide a basis for the most appropriate parametrisation; hence the focus for Cyber may be more aligned to the review of the appropriateness of the “Events Not in Data” (ENIDs) loading in the technical provisions. It may also be the case that as the risk continues to evolve, the ENIDs may start to appear and evolve within the data. Companies should stay aware that the cyber portfolio will continue to change over time and in some cases may drastically change in respect to exposure and risk. For instance, the threat actors present at any one period of time may drive a very different frequency and scale of loss, as well as latency in the loss profile. All these aspects of the Cyber Risk landscape should be considered.

Materiality assessment/risk ranking

The objective of the validation process is to test that all material risks are assessed in the internal model. Companies should perform a risk assessment of cyber both in terms of the line of business and as a wider peril on its business operations. IT teams should then recognise to what extent the risk is captured by the model and elements are not captured explicitly by the model. Furthermore, if a risk related to cyber is identified as not being covered, then an assessment of its’ materiality must be made and communicated to management. Ultimately, the treatment of Cyber Risk must be proportional to the size and complexity of the business and must be considered alongside all other areas of risk as whether all material risks are captured by the internal model.

Peer review

The rapidly changing environment and potential re-parametrisation annually of the cyber line of business makes peer review an important validation tool. Obtaining an independent opinion of the model output and results and its impact on the company enforces the challenge process and represents robust governance.

Reverse stress testing

Cyber as a peril impacting both the line of business and across other lines of business and risk areas may become an important reverse stress test scenario. Companies should not underestimate the potential impact of a cyber catastrophe event impacting the market as well as its impact on its own operational functionality. Possible examples of relevant reverse stress tests could include

• A major natural catastrophe occurring at the same time as a major ransomware event, causing an operational strain due to the company being unable to access its systems to make claims payments.

• A data breach of a company, resulting in the theft of significant confidential personal data from customers during a global pandemic.

• A cyberattack on a major stock exchange, causing market turmoil and losses to financial lines.

The reverse stress tests scenarios involving cyber are endless and must be specific to the risk profile of the company. However, as the Cyber Risk globally continues to grow, the company must consider to what extent they are exposed to it as a company failure event.

Stability and convergence testing

As with any other risk area, the chosen modelling approach for Cyber Risk must be stable and converge. The level of complexity in the cyber modelling approach is likely to determine at which level of simulations will converge as well as how the company chooses to model its cyber catastrophe risk.

Separate assessments of the cyber catastrophe convergence (especially if a vendor model ELT is used) should be performed.

4.3. Deep Dive Validation on Cyber Risk Modelling

Validating Cyber Risk in the internal model can be approached as with any other line of business. Most current capital models would break the loss profile into attritional, large and catastrophe losses which is currently not an unreasonable assumption given the current profile of claims seen across the market. However, the market has yet to see a true cyber catastrophe event in terms of capital strain/erosion.

Attritional and large loss

When validating the attritional and large loss models, companies will have to consider the lack of data during the parametrisation process for both underwriting and reserving risks. Even where there is some history in the portfolio, it’s suitability to the risk in the present must be factored in. Cyber Risk a decade ago is very different from that of today, and hence the parametrisation process must consider this. Nonetheless, historical events give a good indication of the cyber losses we may expect, and backtesting should be used to assess the model results. Significant recent data breach events (e.g. Marriot) provide the pricing teams and validators examples of major large losses involving various coverage types.

Ultimately, the validation needs to conclude whether the loss ratio at the mean and the 99^th percentile is appropriate for the portfolio. It cannot be ignored that a large part of this assessment will need to be qualitative and forward looking.

Coverages offered has also changes over time and may continue to change to meet the needs of the insured, so care needs to be taken in the parametrisation of both reserve and underwriting risks that this is appropriately considered.

• How has the claims frequency and or severity changed over time?

• Have the cyber coverages offered changed?

• Has the companies risk appetite/strategy changed?

• Does the parametrisation process include an implicit/explicit cat load?

• How does the current threat actor and/or threat vector landscape inform the view of risk going forward? For example, has the business considered the zero-day black market or commercial ransomware groups activity in estimating its loss ratios?

Benchmarking or alternative assumption tests should also be considered by the validation team when assessing the parametrisation of premium and reserve risk. Market data such as the Lloyd’s Market Association (LMA) data can be a useful tool to assess the cyber portfolio performance and tests alternative assumptions.

Catastrophe

The most challenging aspect of Cyber Risk is estimating the catastrophe risk element. Given that at the time of writing there were no true cyber catastrophic events to leverage from therefore makes the estimation of cat losses currently a theoretical exercise. This makes the validation of the catastrophe risk element of Cyber more challenging however not an unfamiliar concept for capital models. The level of cyber cat models across the market will vary significantly in complexity dependent on resources and materiality to the company. But regardless of what modelling approach is used the most important area to validate is how the return periods along the cyber cat curve are parameterised. Figure 5 summarises the key considerations for Cyber Catastrophe modelling validation.

Figure 5. Different approaches for validating catastrophe risk.

4.4. External Model Validation

External model vendor natural catastrophe models are well established following many decades of development. They are accepted across the market as effective ways to understand the risk posed from various perils, and the use of the models for capital purposes is fully embedded in the validation process given its materiality to many (re)insurance companies. Cyber models however are just at the start of this journey and continue to develop at a fast pace. The priority question for the validation to answer if the company is allocating capital with an external model should be “is the model aligned to our view of the risk”.

Validation approaches should follow the example set by the validation of natural catastrophe models across the market and apply a similar framework in assessing the model’s suitability and capital allocation. The Lloyd’s External Model Framework provides a useful example for natural catastrophe perils to follow (Lloyd’s of London, 2021a).

Demonstrate understanding of the model

The company should demonstrate that they have a good understanding of the modelling approach applied by the vendor and can articulate this. Some of the key topics to cover in demonstrating the understanding of the model involve the following:

• Strengths and weaknesses – The validation should acknowledge the strengths and weaknesses of the cyber models. Cyber modelling is evolving quickly, and hence, this may need to be regularly reviewed as part of the validation process. The vendor models currently have different philosophies for modelling Cyber Risk, and demonstrating that this is aligned to the company’s view is crucial. Currently, a company may identify that the data augmentation process of a vendor model may have both strengths and weaknesses in its ability to model the risk. Similarly, the modelling methodology choice may be seen either as a strength or weakness by the company depending on their own view. For example, some vendors are striving for a detailed ground-up approach to estimating cat losses, whereas others are relying on a market share approach whilst data quality is improving.

• Model parameters – Having demonstrated understanding of the model usually the model will allow for various parameter selections. One such selection may be the severity of loss assumptions of certain cyber scenarios or the way in which the model handles missing data in the augmentation process. The company must acknowledge and assess the sensitivity of these assumptions to the model output.

• Model output adjustments – Ultimately, once the company has understood the model and made parameter selections, it must conclude on how comfortable it is with the model output. Depending on the company’s assessment of the model, it should be clearly demonstrated what/if any adjustments are made so that the output reflects the company’s view of the risk. Consideration should also be given as to how the output is to be incorporated in the model. Should the vendor model prepare a full ELT or YLT output? It is important to be clear to that the output is fully understood and used accurately by the capital mode. For example:

  • Is the ELT provided across all scenario/event types or just by scenario/coverage?

  • Does the ELT/YLT include cyber attritional/large loss as well as cyber cat losses?

  • Does the vendor model include a correlation structure between different cyber scenarios?

  • For cyber, it is unlikely there is any seasonality in the earning of the risk; hence, does the internal model reflect this?

• Vendor validation – Further work on assessing the quality and depth of the vendor validation should be performed across both quantitative and qualitative areas. Cyber data is sparse, and threat actor/vector assumptions can be very subjective relying heavily on expert judgements. The company should validate the vendor’s approach in landing on the assumptions in the model and if they align with their own view.

Demonstrate model suitability to the portfolio

A very important part of any external model validation requires the business to provide an argument as to why the selected model is suitable for their portfolio. Given that cyber vendors currently have varying approaches to modelling each cyber scenario the business should consider first what are the material exposures in their portfolio. For example, are they mostly at risk of a cloud outage event or a ransomware campaign? This assessment will help in understanding how well the vendor model reflects the risk in the portfolio. The model outputs by vendor currently vary significantly, and hence, the capital required for the risk would be materially impacted by vendor model choice.

For some companies it may be that a multi model approach is required to approximately reflect the risk in their portfolios that meets their own view of the risk. This may be a combination of the vendor models as well as in-house models. Figure 6 highlights an example of validation testing performed across three vendors.

Figure 6. Example illustrations for validation testing.

The results below show that each vendor has a different view of the risk and what drives the losses at the mean and the tail. It is crucial that companies can demonstrate that they have understood and aligned the vendor’s view of risk to their own. This may mean making adjustments to the parameters and/or scenarios in the external model or output adjustments. Without their articulation and justification of the output, the company cannot demonstrate they understand the modelled risk output, and it is consequential impact on the capital. Furthermore, it’s worth noting that when performing sensitivity tests, the models may also behave differently to the stresses which should further inform and support decisions on how to adapt external models into the internal model.

Independent validation

In addition to the model assessment, companies should still be performing independent validation to review a specific component of the model. For example:

• Backtesting simply involves testing the vendor model against historical data. In this case, testing the cyber model against recent major events such as NotPetya or SolarWinds may help to understand the suitability of the model to the portfolio. However, given the immaturity and lack of “real” cyber catastrophe event, the amount and quality of analysis here are limited, and the validation should not place too much reliance on backtesting to assess the model’s ability to predict cyber cat losses. It can be debated that for cyber catastrophes that the forward-looking risk may never be a good fit for historical events given how quickly threat actors and evolve and change to exploit new weaknesses. Furthermore, the regulatory/legal environment changes in regard to cyber claims payments much also be carefully considered when backtesting.

• Comparison to industry estimates can be used to assess how the model output compares the market view of the risk. A suitable cyber comparison may not be easily found; however currently, sources such as Property Claim Services (PCS) have started developing market loss databases.

• Sensitivity and stress testing are perhaps one of the most crucial areas of cyber cat model validation currently. These tests should help to understand where the key assumptions reside. Companies may also choose to test the data augmentation process in some cyber models to understand the impact on capital and determine the importance of its own data collection at the time of underwriting.

• Stability testing is an important area for any external model and understanding the convergence of the standalone capital at risk in the internal model should be no different from any other external model exercise.

4.5. Validation by Risk Type

In addition to the validation of cyber as a line of business, we need to consider the impact on other areas of the internal model. The validation should also assess how the risk has been modelled across the risk profile of the business in terms of

1. (a) Cyber losses and the correlation to other risk types, for example, RI credit.

2. (b) Cyber as a peril and its potential impact to other risk types, for example, market risk.

This is likely to be a challenging area of the internal model parametrisation and validation given how mature is the markets’ understanding of Cyber Risk. Nonetheless, validation can be a useful tool in highlighting and challenging the business on its approach and understanding of the risk.

• Operational risk: Validators should consider whether Cyber Risk is modelled as part of an operational event for the business. All companies, to some degree, are exposed to this risk in the modern world, and hence, it cannot be ignored in the operational risk model. Validators should assess if the model explicitly allows for cyber operational events either malicious or non-malicious in nature within its outputs. The risk may be explicitly considered as part of scenario modelling or considered within an aggregate operational loss curve. Either way, this should be recognised and concluded as to whether the risk is adequately covered by the approach.

• Market risk: Cyber has the potential of causing global and local economic shocks with a precedent already set by the Swift attack. The risk that a cyberattack either directly or as a consequence of a major global outage causes market turmoil should not be ignored and the validation exercise should consider if appropriate consideration to this risk has been made. Many companies may consider this event beyond the 1 in 200; however, the Covid-19 pandemic illustrates how unforeseen events can have severe economic impacts.

• RI credit: Similar to natural catastrophe risk, cyber catastrophes have the potential to cause reinsurer default in extreme cases. Validators should assess if the cyber cat losses are well reflected by the RI default module.

• Non-RI credit: As with RI credit, cyber catastrophe (or even potentially large) losses may result in some non-RI credit defaults particularly in relation to broker and/or claims payments.

• Dependency structure: Perhaps one of the most challenging areas to parameterise with Cyber Risk is the interdependency of cyber as a peril across the company’s risk profile. Truly catastrophic cyber events have the potential of impacting every risk type and being a serious threat to the company’s viability. Validators should assess if the dependency of cyber as a peril across the business is aligned with the companies’ view of the risk. The reverse stress tests may be the most suitable way to assess this area of the model.

4.6. Conclusion

The validation exercise cannot conclude that the chosen modelling approach is perfect and without limitation. The overall aim should be to be transparent on the strengths and limitations of the modelling. The risk evolves quickly, and modelling this risk poses a new challenge to the industry; hence demonstrating how the company intends to manage with the known and any unknown certainties should be concluded in the validation. Validation should always focus on being “value-add”, therefore should seek to challenge and strengthen the key uncertainties in the modelling and ultimately conclude whether the allocated capital is adequate to support the risks, given the known uncertainties and limitations.

5.1. Cyber Dynamic Feedback Loop

The role of the ERM framework in managing Cyber Risk should help to enable management to gain confidence that the risk is being actively and effectively managed. Promoting and embedding a strong risk culture is essential and one which consciously includes Cyber Risk is now critical as it not only impacts insurance risk but also other risk areas across the business.

Below (Figure 7) is an example of how Cyber Risk could be considered in the traditional ERM feedback cycle (American Academy of Actuaries, 2013). Ultimately, it is important to consider how embedded the capital team is in the whole process to understand if adequate and appropriate capital has been allocated for the risk. Does the capital team have an embedded process to engage with the underwriters, pricing, exposure management and reinsurance teams on a regular basis so that all teams are aware of the relevant evolution of the risk affecting their own disciplines? Furthermore, risk and reinsurance should also play a role in the process to provide challenge and oversight as well as considering if the wider Cyber Risk impacts are being reflected in the capital model, for example, operational risk. This should also not just be at the time of annual parameterisation updates for cyber (whether affirmative or non-affirmative). The potential for losses can be of a scale to cause serious damage to companies so the key aspect is to “connect the dots” between different business touchpoints. Hence a more dynamic feedback cycle would help pro-actively manage the risk and understand any capital implications from the changing risk landscape.

Figure 7. An example feedback cycle.

5.2. Identify Cyber Risks across the Business

In order to embed Cyber Risk into the company ERM framework, it must be first defined and understood. The scope of the potential impacts and losses should not be confined to known losses or recent experience but should consider the broader potential for emerging threats to the business. These could be both malicious and non-malicious in nature. The company should seek to form its own view of the impacts across all areas of the business, for example:

• Insurance risk: Losses impacting both cyber products underwritten and the potential losses arising from cyber as a peril on noncyber policies.

• Operational risk: Potential for cyber incidents to impact the company such as ransomware attacks or data breaches.

• Strategic risk: Risk that Cyber Risk landscape makes achieving the company strategy more difficult or not possible.

• Reputation risk: Risk that, as a result of some cyber incident, the reputation of the business is severely impacted.

Crucially this stage of the framework in respect of cyber should aim to be comprehensive and cover all material and emerging Cyber Risks to the business. To produce this output, workshops with relevant stakeholders will be required, whereby companies may seek out cyber security expertise either internally or externally to provide technical insight and bridge the information asymmetry gap that can arise when trying to understand Cyber Risks. Crucially cyber security experts may be able to educate the company on what are the material risks and probable risks. This process should be continuous and regularly considered if the risk profile has changed.

5.3. Evaluation and Quantification of Cyber Risks

The evaluation of the Cyber Risks to the business can take a variety of forms. For insurers writing cyber policies, one of the most important areas will be in the pricing team. However, quantification of loss potential should involve reserving, exposure management, cyber security experts, claims teams and possibly also legal to understand the clause environment. Modelling of Cyber Risk is developing and maturing; hence various methodologies and approaches exist.

Stress and scenario testing is likely to be a key tool to help companies understand Cyber Risks in the first instance and then building on these to develop more complex stochastic models and help inform the capital requirement for the risk. The capital models will need to leverage from the work performed by pricing actuaries and accumulation management to model the tail risk. However capital teams will also need to leverage expertise across the business to assess dependency between other risk areas particularly operational risk.

Within the ERM framework, the quantification approaches for Cyber Risk will need a regular review of appropriateness of both the modelling methodology and parameterisation. Given the rapid change in the threat and security landscape, the risk requires constant review both on identification and also in regard to modelling approaches. It may be that blended model approaches are required to capture the full scope of the risk identified.

5.4. Managing Cyber Risks

An effective ERM framework will leverage from the quantification approaches and develop effective management of the risk to the company by embedding the following:

• Risk appetite statement outlining the specific risk that the company has chosen to expose itself to, such as underwriting only certain types of companies with a certain cyber security score, etc. This will need ongoing monitoring and a defined cyber data standard to adequately monitor and report. In addition, companies should seek to define the level of Cyber Risk they are prepared to accept, not just within insurance risk but more broadly across the business such as in operational risk. This may also define certain risk areas to avoid those that are deemed as high-profile cyber targets for criminals.

• Risk tolerances and risk limits that define the overall aggregate Cyber Risk that the company is prepared to accept that are monitored against exposure management modelling approaches of tail events.

• Reinsurance will play an important role in managing the overall exposure to Cyber Risk. Furthermore, the company may also need to purchase its own cyber cover to cover operational incidents.

• Cyber risk metrics may be developed to produce early warning risk indicators to management of either insurance or operational Cyber Risks that may be merging so that pro-active action can be taken to mitigate the impact. This may lead to defining triggers for model re-parametrisation for the pricing and capital model for cyber. This triggering of re-parameterisation needs to be more sophisticated for cyber than perhaps other classes of business as the cyber landscape moves so dramatically and quickly. For example:

  • RDS increases by a specific risk tolerance triggers capital review.

  • Increase in threat landscape metrics triggers a review of pricing parameters for ransomware risk.

  • Increase in a specific industry or peak exposures above a threshold triggers review of reinsurance appropriateness.

5.5. Business Impact

As the company evaluates the risk and monitors its exposure to the risk against its tolerances and metrics, an evaluation of the business impact needs to be made such as the impact on the profit or loss of the business. The profitability combined with exposure metrics risk monitoring should then inform the next business/strategy planning of the risk.

Geo-political and macro-economic factors may also impact the company’s evolving view of Cyber Risk and the decision on strategy. For example, increased tensions between nation states may lead to more cyber-criminal activity which may result in a threat landscape that is beyond the risk appetite of a company to write insurance.