XL Catlin

Ten million per month – that’s how many hacking attempts the head of the U.S. Office of Personnel Management said her agency was able to thwart each month in 2015. Still, one breach alone crippled the agency and cost the agency leader her job. When over 21 million records of current and former government employees were compromised, there was no other recourse but for the director to resign. More recently, Chief Information Security Officers (CISOs) at Yahoo and Equifax made similar departures following breach incidents.

Breaches like these are more commonplace today than even five years ago. Cyber thieves are becoming more sophisticated in their attacks, and companies are finding themselves struggling to keep their security measures up to date. As cybercrime evolves, so must our understanding of where the vulnerabilities lie, and what tools we need to prevent attack.

Evolution of Cyber Risk

Since the inception of interconnected computers sharing information, cyber vulnerability has existed. The first known cyberattack happened on November 2, 1988, when a Cornell University graduate student released an internet worm that quickly infected two thousand computers in a matter of 15 hours, roughly 10 percent of the computers then connected to the internet. In order to contain malicious code, administrators had to partition the then-small internet to pin down the worm, then spend an average of two days per machine to remove the virus.

The cost of the first internet infection was just as tough to pin down. A judge’s ruling set the cost at somewhere between $200 and $53,000 per machine. According to a Harvard spokesperson, economic damages from the Morris worm were between $100,000 and $10,000,000.

Since that time, cyber risks have grown in scope and sophistication. In 2000, email phishing scams came into vogue. Emails were typically infected with malware code that would easily get around any anti-virus program through a clickable link. That kind of control over servers and individual machines morphed into denial-of-service attacks that peaked in 2007, ransomware attacks that plagued 2010, point-of-sale compromises, and spread to cyber warfare and Android hacks, reaching into nearly every facet of an organization’s operations. In the first quarter of 2013, over 6.5 million malware samples were created.

As cyberattacks become more sophisticated, the costs of preventing them increase. In 2010, cybersecurity spending in the United States totaled $27.4 billion. In 2018, that number is expected to be $96.3 billion according to recent Gartner, Inc. forecasts. While that seems like a large amount to spend on cybersecurity, it pales in comparison to the impact of cybercrime, which is expected to reach $6 trillion annually by 2021.

Cyber Risk Modeling Comes of Age Infographic

Anticipating and Preventing

Not surprisingly, those costs will continue to climb as cyber criminals become more sophisticated in their attacks. Companies too have had to become more sophisticated in how they detect potential threats. When cybercrimes first appeared, mitigation took the form of looking at employee sentiments – were disgruntled employees gaining access to systems or giving away passwords? Malware and viruses were a few of the threats considered when building mitigation strategies.

As cybercrime has grown, so has the need for more data and analytics. Now, depending on the industry, companies must consider a large array of exposure points and also the motivations of cyber thieves. Does the company store passwords and personally identifiable information that would be valuable on the dark web? Are there weaknesses or vulnerabilities within the supply chain that could be exploited? What types of information does the company store that could be compromised or prove valuable to thieves?

Knowing these data points can help companies understand their unique risk exposures, which can help both companies and underwriters mitigate losses and put preventative measures in place.

Modeling Cyber Risk

In the past, businesses had little historical data to understand their cyber risks, which meant that plans were often reactive instead of proactive. Preventions existed and evolved, but as one risk was mitigated another, more complex risk appeared.

Such an approach is understandable given the lack of comprehensive cyber risk models. Unlike weather modeling, cybercrime is an ever-evolving area of risk that has proven difficult to develop models for. Risk models created two years ago, for example, would be outdated and ineffective for much of today’s cybercrime activity.

The solution is to collect data as close to real-time as possible, and to use criteria that look inward at an organization’s operations as well as outward.

Another consideration: applying an economic model around cyber risk. Insurers need to understand probability of risk, severity of risk from a financial standpoint, and the potential for recurrence.

Today, underwriters and businesses have tools at hand that can help companies see the depth and breadth of their risks over their entire enterprise, and show the components of their risk. Data science and modeling solutions such as Guidewire Cyence Risk Analytics give organizations and insurers an evaluation across a variety of factors.

Guidewire evaluates an organization’s risk based on many technical and behavioral risk data points covering people, processes, technology, and attacker motivations. Data points that cyber risk modeling platforms consider vary depending on the organization, but include:

• Technical vulnerabilities, misconfigurations, and malicious indicators
• Remediation processes and response times
• Motivation of third parties and attractiveness of the company to cyber thieves

Once the data is collected, modelers like Guidewire leverage data science and machine learning techniques to curate the data, transform it and find predictive signal. The evaluation identifies key factors driving a company’s risk, aiding in the underwriting, pricing and risk management for insurers.

When an insurance company uses risk modeling to understand its insureds’ exposures, it gives underwriters a more detailed understanding of potential loss, which can help in creating new cyber products and mitigation strategies.

The Modeling Evolution

As companies look to get ahead of the cyber threats, understanding the factors that go into creating a comprehensive risk exposure picture can help companies close up gaps and improve internal security measures. Modeling at the individual company level and the portfolio level allows for a more detailed view of cyber risk that is based on real exposure data for that company.

Cyber underwriting has evolved, as well. Insurers have harnessed data in a way that has allowed them to get ahead of cyber criminals and identify emerging threats. The result is stronger cyber risk preventions through a collaborative, integrated effort.


About the authors

Elissa Doroff is product manager for XL Catlin’s Cyber & Technology insurance business. She can be reached at or at 1 212 915 6542. Samantha Disabella is an associate underwriter on XL Catlin’s Cyber & Technology insurance team. She can be reached at or at 1 212 915 7081. Philip Rosace is senior solutions manager, Cyence Risk Analytics at Guidewire Software. He can be reached at or at 650-513-0760.
