Cyber risk modeling comes of age
Ten million per month – that’s how many hacking attempts the head of the U.S. Office of Personnel Management said her agency was able to thwart each month in 2015.
Still, one breach alone crippled the agency and cost the agency leader her job. When over 21 million records of current and former government employees were compromised, there was no other recourse but for the director to resign. More recently, Chief Information Security Officers (CISO) at Yahoo and Equifax made similar departures following breach incidents.
Breaches like these are more commonplace today than even five years ago. Cyber thieves are becoming more sophisticated in their attacks, and companies are finding themselves struggling to keep their security measures up to date. As cybercrime evolves, so must our understanding of where the vulnerabilities lie, and what tools we need to prevent attack.
Evolution of Cyber Risk
Since the inception of interconnected computers sharing information, cyber vulnerability has existed. The first known cyberattack happened on November 2, 1988, when a Cornell University graduate student released an internet worm that quickly infected two thousand computers in a matter of 15 hours, roughly 10 percent of the computers then connected to the internet. In order to contain malicious code, administrators had to partition the then-small internet to pin down the worm, then spend an average of two days per machine to remove the virus.
The cost of the first internet infection was just as tough to pin down. A judge’s ruling set the cost at somewhere between $200 and $53,000 per machine. According to a Harvard spokesperson, economic damages from the Morris worm were between $100,000 to $10,000,000.
Since that time, cyber risks have grown in scope and sophistication. In 2000, email phishing scams came into vogue. Emails were typically infected with malware code that would easily get around any anti-virus program through a clickable link. That kind of control over servers and individual machines morphed into denial-of-service attacks that peaked in 2007, ransomware attacks that plagued 2010, point-of-sale compromises, and spread to cyber warfare and Android hacks, reaching into nearly every facet of an organization’s operations. In the first quarter of 2013, over 6.5 million malware samples were created.
As cyberattacks become more sophisticated, the costs of preventing them increase. In 2010, cybersecurity spending in the United States totaled $27.4 billion. In 2018, that number is expected to be $96.3 billion according to recent Gartner, Inc. forecasts. While that seems like a large amount to spend on cybersecurity, it pales in comparison to the impact of cybercrime, which is expected to reach $6 trillion annually by 2021.
Anticipating and Preventing
Not surprisingly, those costs will continue to climb as cyber criminals become more sophisticated in their attacks. Companies too have had to become more sophisticated in how they detect potential threats. When cybercrimes first appeared, mitigation took the form of looking at employee sentiments – were disgruntled employees gaining access to systems or giving away passwords? Malware and viruses were a few of the threats considered when building mitigation strategies.
As cybercrime has grown, so has the need for more data and analytics. Now, depending on the industry, companies must consider a large array of exposure points and consider also the motivations of cyber thieves. Does the company store passwords and personal identifiable information that would be valuable on the dark web? Are there weaknesses or vulnerabilities within the supply chain that could be exploited? What types of information does the company store that could be compromised or prove valuable to thieves?
Knowing these data points can help companies understand their unique risk exposures, which can help both companies and underwriters mitigate losses and put preventative measures in place.
Modeling Cyber Risk
In the past, businesses had little historical data to understand their cyber risks, which meant that plans were often reactive instead of proactive. Preventions existed and evolved, but as one risk was mitigated another, more complex risk appeared.
Such an approach is understandable given the lack of comprehensive cyber risk models. Unlike weather modeling, cybercrime is an ever-evolving area of risk that has proven difficult to develop models for. Risk models created two years ago, for example, would be outdated and ineffective for much of today’s cybercrime activity.
The solution is to collect data as close to real-time as possible, and to use criteria that looks inward at an organization’s operations as well as outward.
Another consideration: applying an economic model around cyber risk. Insurers need to understand probability of risk, severity of risk from a financial standpoint, and the potential for recurrence.
Today, underwriters and businesses have tools at hand that can help companies see the depth and breadth of their risks over their entire enterprise, and show the components of their risk. Data science and modeling solutions such as Guidewire Cyence Risk Analytics give organizations and insurers an evaluation across a variety of factors.
Guidewire evaluates an organization’s risk based on many technical and behavioral risk data covering people, processes, technology, and attacker motivations. Data points that cyber risk modeling platforms consider vary depending on the organization, but include:
• Technical vulnerabilities, misconfigurations, and malicious indicators
• Remediation processes and response times
• Motivation of third parties and attractiveness of the company to cyber thieves
Once the data is collected, modelers like Guidewire leverage data science and machine learning techniques to curate the data, transform it and find predictive signal. The evaluation identifies key factors driving a company’s risk, aiding in the underwriting, pricing and risk management for insurers.
When an insurance company uses risk modeling to understand their insureds’ exposures, it gives underwriters a more detailed understanding of potential loss, which can help in creating new cyber products and mitigation strategies.
The Modeling Evolution
As companies look to get ahead of the cyber threats, understanding the factors that go into creating a comprehensive risk exposure picture can help companies close up gaps and improve internal security measures. Modeling at the individual company level and the portfolio level allows for a more detailed view of cyber risk that is based on real exposure data for that company.
Cyber underwriting has evolved, as well. Insurers have harnessed data in a way that has allowed them to get ahead of cyber criminals and identify emerging threats. The result is stronger cyber risk preventions through a collaborative, integrated effort.
About the authors. . .
Elissa Doroff is product manager for XL Catlin’s Cyber & Technology insurance business. She can be reached at firstname.lastname@example.org or at 1 212 915 6542.
Samantha Disabella is an associate underwriter on XL Catlin’s Cyber & Technology insurance team. She can be reached at email@example.com or at 1 212 915 7081.
Philip Rosace is senior solutions manager, Cyence Risk Analytics at Guidewire Software. He can be reached at firstname.lastname@example.org or at 650-513-0760