Abstract
After scrutinizing technical, legal, financial, and actuarial aspects of cyber risk, a new approach for modelling cyber risk using marked point processes is proposed. Key covariates, required to model frequency and severity of cyber claims, are identified. The presented framework explicitly takes into account incidents from malicious untargeted and targeted attacks as well as accidents and failures. The resulting model is able to include the dynamic nature of cyber risk, while capturing accumulation risk in a realistic way. The model is studied with respect to its statistical properties and applied to the pricing of cyber insurance and risk measurement. The results are illustrated in a simulation study.
Highlights
Researchers and practitioners from different disciplines have analysed ‘cyber risk’ and ‘cyber insurance’ from their provenience, among them IT system experts, economists, statisticians, actuaries, etc.; a recent survey of the literature on these topics in business and actuarial science is provided in Ref. [1]
A very comprehensive overview of various aspects of cyber insurance was given in Ref. [25], including a classification of existing research approaches with interdependent security according to the underlying insurance market model
We deviate from the very high mean severity estimates given in the existing literature for two reasons: First, it is reasonable that events listed in public databases exhibit much higher losses than the average daily-life cyber incident that goes unnoticed by the public and second, insurance policies currently offered on the market usually have cover limits of up to 5 million US$, it would not be reasonable to assume mean claim severities that already exhaust the policy limit
Summary
Researchers and practitioners from different disciplines have analysed ‘cyber risk’ and ‘cyber insurance’ from their provenience, among them IT system experts, economists, statisticians, actuaries, etc.; a recent survey of the literature on these topics in business and actuarial science is provided in Ref. [1]. Barriers are not a lack of demand for cyber risk transfer, but rather a number of obstacles that complicate the understanding and quantification of the underlying risk, including the lack of solid data on losses, a fast-paced evolution of cyber risk, and the disparity of data protection laws globally [4, 13]. Despite these challenges, especially in the US an existing market is already established; including underwriters, brokers, and organisations specialized on cyber data analytics [14].
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have