Addressing insurance of data breach cyber risks in the catastrophe framework

Abstract

Considering data breaches as a man-made catastrophe helps clarify the actuarial need for multiple levels of analysis—going beyond claims-driven loss statistics alone—and calls for specific advances in both data and models. The prominent human element and the dynamic, networked and multi-type nature of cyber risk are perhaps what makes it uniquely challenging. Complementary top-down statistical and bottom-up analytical approaches are discussed. Focusing on data breach severity, we exploit open data for events at organisations in the U.S. We show that this extremely heavy-tailed risk is worsening for external attacker ‘hack’ events. Writing in Q2 of 2018, the median predicted number of ids breached in the U.S. due to hacking in the last 6 months of 2018 was 0.5 billion, with a 5% chance that the figure exceeds 7 billion, doubling the historical total. ‘Fortunately’, the total breach in that period turned out to be near the median.