The demand for cyber insurance continues to escalate as businesses grow increasingly reliant on digital infrastructure for their everyday operations, and cyber threats become ever more sophisticated.
Cyber represents a sizeable market for insurance, and in 2022 the total global cyber insurance premium was valued at US$11.9 billion. The market offers significant growth opportunities, with a predicted compound annual growth rate (CAGR) of 19.6 percent to reach US$29.2 billion by 2027.
To accommodate this market growth, cyber insurers are having to respond to and act on the dynamic nature of cyber threats and the constant evolution of cyber risks. Consequently, cyber coverages must also adapt to mirror an ever-changing landscape of cybersecurity threats.
The potential risks that insurers need to cover are large. Based on an examination of typical cyberattack scenarios in Moody’s RMS Insured Exposure Database, a scenario such as a 1-in-200-year Wiperware attack impacting the U.S. would see losses exceeding US$14 billion, surpassing the current global premium.
The first cyber insurance policies were written in the late 1990s, and unlike more traditional P&C perils, cyber does not have extensive claims experience.
And many of us will remember the nascent state of technology and networks of the period. The 1990s and 2000s were eras of little network connectivity or cyber threat, which is incomparable to now, especially when it comes to our reliance on technology. Even the loss experience of the last ten years doesn’t seem totally relevant to today’s landscape.
So, as a relatively new industry, effective portfolio management for cyber risk poses a significant challenge. The fast-paced changes in the cyber threat landscape, combined with the absence of extensive historical data, make risk aggregation complex.
Additionally, with significant variations in policies and an ongoing effort to standardize policy language, aggregating cyber risks accurately across a portfolio becomes even more intricate. Continuous monitoring and adjustments become vital to account for new types of cyber threats and changes in the digital footprint of insured businesses.
And as digital transformation intensifies across industries and new entrants continue to emerge in the insurance market, the task of aggregating and managing cyber risk will become ever more crucial in maintaining the resilience and growth of the cyber insurance sector.
Navigating the Complexity of Quantifying Cyber Risk
In a previous blog, we discussed the complexities of cyber risk modeling. Cyber risk management fundamentally rests on two key pillars: risk selection and risk modeling.
Risk selection is an essential step in underwriting, and often involves a thorough examination of a client’s IT network. This is typically achieved through long questionnaires and external data sources, such as ‘outside-in’ scans.
These scans are valuable in detecting network vulnerabilities, such as open ports that could expose a client to cyber threats like ransomware.
However, these techniques mainly offer a retrospective view. They may reveal a client's current risk management practices, but they fail to predict future vulnerabilities – or how a client might tackle them.
Hence, relying solely on this information could lead to oversimplified models that inadequately represent the continually evolving nature of cyber risk, from the volume and types of attacks to the shifting targets.
Meanwhile, cyber risk modeling, akin to natural catastrophe risk modeling, aims to apply robust methodologies to quantify risk for technical pricing and the understanding of portfolio and catastrophe risk.
Diversification, an integral part of this process, is typically achieved through parameters such as industry, company revenue, and country.
However, in the context of cyber risk, this diversification can be minimal in certain scenarios, as attacks may exploit vulnerabilities in common operating systems or cross-operating system platforms.
After a hardened market in the last year, and amid the continuing conversation on the lack of sufficient cyber capacity, one of the biggest challenges in the cyber insurance market is understanding systemic aggregation risks.
The challenge in applying catastrophe modeling principles to cyber risk lies in the vast complexity and variability of cyber risk scenarios. A cyber model would potentially require billions of unique scenarios to accurately characterize the risk.
This complexity arises from the countless software interactions and varying responses to disclosed vulnerabilities across companies.
The key to overcoming this challenge could lie in avoiding overly prescriptive event definitions and instead using a broader event definition that encompasses the risk.
This approach, adhering to the law of large numbers, would allow for more effective cyber risk modeling by smoothing over individual uncertainties and accounting for the ‘unknown unknowns.’
Introducing Moody’s RMS Cyber Solutions 7.0
To stay ahead of the cyber risk curve, Moody’s RMS continuously builds upon previous models to represent the latest view of risk, which is why we are excited to announce the launch of Cyber Solutions 7.0.
Building on Cyber Solutions 6.1, which helped deliver better portfolio diversification and a clearer understanding of risk accumulations by exploring the physics and dynamics of the cyber ecosystem, Cyber Solutions 7.0 delivers refreshed threat actor and vulnerability data in the model framework.
This not only helps reflect the continuously evolving risk landscape but also adds improved risk differentiation and the ability to explore the sensitivity of exclusions of certain kinds of events.
By leveraging our comprehensive understanding of the cyber ecosystem’s physics and the data supporting it, we can measure the evolving risk landscape with regularity.
The risk landscape has seen considerable evolution in the past year, especially in the realm of attrition risk which is in constant flux. Catastrophe risk, when viewed through the lens of system physics and broader data, allows us to capture the existing landscape effectively.
Frequency and severity become tangible products of this synthetic world. This allows us to delve deeper into individual nodes within our framework, using technographic data for account-level differentiation, including important factors like patching cadence.
Patching Speed as a Secondary Modifier
With Version 7.0, Moody’s RMS is introducing patching cadence as a secondary technographic modifier in our contagious malware/ransomware model.
There are a huge number of security metrics available at an individual risk level, and while they are important and relevant for risk selection, quantifying their influence in a meaningful way is a challenging task.
Using the well-established Moody’s RMS simulation framework, we can now assess how the vulnerable population varies as a function of patch speed.
Patching cadence metrics serve as the quantitative dials at an individual account level, revealing whether an account’s patching speed is faster or slower than the average.
This addition will allow risk characteristics to shape the view of risk more accurately and present an objective measure of sensitivity to a catastrophe event, allowing better preparation and response.
Filtering Events for Tailored Results
The increase in unique events supported by Moody’s RMS in Version 7.0 allows users to filter events based on tags of their choosing, enabling them to remove certain events from their event set.
This feature helps (re)insurers to meaningfully explore the impacts and variability on individual risks or portfolios of risk. With the industry’s ongoing updates and evolutions in exclusionary language, it provides clients with the flexibility needed to experiment with insurance wordings and exclusions, thereby enabling them to explore a range of possible outcomes.
Embracing Industry Standard with Oasis Open Exposure Data Template
In our bid to enhance consistency and efficiency in the capture and transfer of cyber exposure data in the (re)insurance market, we have supported the Oasis Open Exposure Data Template.
By reducing frictional costs and providing clarity about data utility (which data fields can be captured), this standard makes a timely entrance to embed itself across the (re)insurance value chain. Users can directly import this industry-standard template into Cyber Solutions.
In addition, Cyber Solutions 7.0 delivers:
Improved Access with API Support: API support in Version 7.0 allows users to directly import cyber exposure templates into Cyber Solutions, offering a seamless experience.
Update on U.S. Cyber Economic and Insured Exposure Database: Moody’s RMS was the first in the market to launch the cyber industry exposure database back in 2020, and later this summer, Moody's RMS will release an update to its view on the U.S. economy as well as the U.S. insured economy.
This release will ensure the latest industry curves run through the new version of the model, enabling stakeholders to stay updated with the most recent perspectives on risk.
These industry exposure and loss databases can support a variety of applications, such as defining business growth objectives, portfolio benchmarking, supplementing incomplete exposure information, or structuring and supporting risk transfer transactions.
Since then, the cyber insurance market has evolved dramatically, with the industry in the U.S. now generating an estimated premium of around US$9 billion.
By modeling these exposure databases in Version 7.0, Moody’s RMS can generate industry losses across the individual components of cyber – such as Wiperware, noted at the start of this blog – as well as the all-causes cyber curve. And as the market continues to evolve, it demonstrates the importance of our work in providing the market with the latest view of risk.
Learn more about our cyber modeling capabilities. Existing customers can also access the latest Cyber Solutions 7.0 documentation from Moody’s RMS Support Center.