Extreme Data Breach Losses: An Alternative Approach to Estimating Probable Maximum Loss for Data Breach Risk

Abstract

This study proposes a measure of the data breach risk’s probable maximum loss, which stands for the worst data breach loss likely to occur, using an alternative approach to estimating the potential loss degree of an extreme event with one of the largest private databases for data breach risk. We determine stationarity, the presence of autoregressive feature, and the Fréchet type of generalized extreme value distribution (GEV) as the best fit for data breach loss maxima series and check robustness of the model with a public dataset. We find that the predicted data breach loss likely to occur in the next five years is substantially larger than the loss estimated by the recent literature with a Pareto model. In particular, the comparison between the estimates from the recent data (after 2014) and those for the old data (before 2014) shows a significant increase with a break in the loss severity. We design a three-layer reinsurance scheme based on the probable maximum loss estimates with public–private partnership. Our findings are important for risk managers, actuaries, and policymakers concerned about the enormous cost of the next extreme cyber event.