Actuarial Modeling of Cyber Risk

By Caroline Hillairet

With the rise of the digital economy, cyber risk has become one of the most important social and economic hazards. In fact, Jerome Powell—current chair of the U.S. Federal Reserve—considers cyberattacks to be the primary threat to the global financial system [3]. Although many organizations have instituted “physical” protection strategies against cyberattacks, no defense is perfect; as such, insurance agencies seek to provide innovative policies that combine prevention, financial compensation, and support in the event of a crisis. But given significant uncertainties about the real value of the guarantees—due to the inherent nature of the risk itself—the cyber insurance market has encountered several pitfalls. For example, the emerging and evolving nature of cyber risk and its potential systemic component raise questions about its insurability, and its catastrophic and systemic tendencies may jeopardize risk pooling. This loss of mutualization—that is, the pooling of premiums from policyholders to compensate those who experience a claim—is even more accentuated if the number of policyholders is insufficient to absorb the claims. Here, we use mathematical models and actuarial analysis to better understand and quantify cyber risk. Specifically, we propose innovative models for both the risk’s severity component (size of the claims) and frequency component (accumulation of risk and clustering features).

A catastrophic event that affects a single victim may reach too great an amount of damage with too high a probability in what is called heavy tail loss. Mutualization may fail in this type of situation; defining the average value of a claim may not even be mathematically possible, but doing so is essential for insurance pricing. To ensure the viability of cyber insurance contracts, one must consequently redesign their perimeters by introducing limits and conditions (in terms of financial reparations) to reduce the uncertainty of the outcome for the insurer. But as extreme scenarios become more prevalent, insurers add more restrictions. The quality of the coverage subsequently diminishes, which poses an issue for policyholders, and the attractiveness of the contract declines; this becomes problematic for the insurer, who may not draw enough customers to ensure mutualization. A recent study proposed the use of generalized Pareto regression trees—which combine generalized Pareto modeling (from extreme value theory) with a regression tree approach—to break this vicious cycle [2]. This approach allows us to generate a classification of vulnerabilities/risk factors that is dedicated to the tail of the claims’ distribution; doing so lets us separate types of incidents or circumstances based on insurers’ ability to cover them without endangering risk pooling.

Another major concern is the systemic potential of cyber hurricanes. In this type of accumulation scenario, many policyholders are simultaneous victims of a massive attack that can potentially lead to a large number of claims and induce high costs, even if each claim is small. Cyber hurricanes may also saturate the insurer response capacity, given that cyber contracts generally stipulate the fast intervention of expert teams to assist policyholders during a crisis. The resulting inability of the insurance company to appropriately and swiftly intervene induces additional losses in the form of financial penalties, increased damages for the policyholders, and a ruined reputation. 

We propose a general methodology that designs stochastic crisis scenarios based on multi-group epidemiological models [4, 5]. These models, which describe the strength of connections between actors, can be calibrated via fast numerical procedures from a relatively small amount of data. Stochastic accumulation techniques offer a broad spectrum of stress tests that examine the potential impact of a massive cyber event and estimate the capacity of an entity (e.g., insurer, reinsurer, company) to absorb a shock of significant magnitude. We also investigate different actors’ responses to various types of attacks or behaviors and quantify the benefits of efficient prevention policies. In particular, these stochastic scenarios help us capture the total number of victims in each scenario and monitor the peak of the crisis to control the saturation risk. In the case of an attack on the mining sector, Figure 1 models the evolution of the infected percentage in other related sectors.

Figure 1. Evolution of the proportion of infected for different sectors in an epidemiological model of a crisis scenario that targets the mining sector. Figure courtesy of Caroline Hillairet and Olivier Lopez.

The systemic aspect of cyber risk—which is exacerbated by the interconnectivity of information systems—also challenges the traditional assumption in insurance models (like the Cramér-Lundberg model) that claims arrive independently. Alternative models, such as Hawkes processes, are better able to capture the clustering and self-exciting features of cyber events and dynamically monitor their risks. For instance, a linear Hawkes process \(H\) is a counting process that is characterized by its stochastic intensity (i.e., hazard rate) \(\lambda(t)\), which is fully specified by \(H\) itself. Namely,

\[\lambda(t) := \mu + \int_{(0,t)} \Phi(t-s)dH_s=\lambda_0(t)+\sum_{\tau_n<t}\Phi(t-\tau_n) \quad t \in [0,T].\]

Here, \(((\tau_i)_{i\in\mathbb{N}*})\) are the jump times of \(H\) (i.e., the arrivals of cyber events), \(\Phi\) is the deterministic excitation kernel, and \(\mu\) is the constant baseline intensity. 

Although Hawkes models can efficiently capture shocks and persistent aftershocks that constitute attack contagion [1], they induce challenges in the valuation of insurance contracts due to the loss of independency properties during the cumulated loss process. We provide an explicit closed-form pricing formula for contracts with underlying cumulative losses that are indexed by a Hawkes process [6]. The methodology relies on a representation of the Hawkes process known as Poisson imbedding (which is related to thinning algorithms) in terms of a Poisson measure \(N\) on \([0,T] \times \mathbb{R}_+\), to which we can apply the Malliavin integration by parts formula. Iteration of the procedure yields an explicit expansion formula that accounts for the addition of jumps to the Hawkes process; from an actuarial point of view, these additions are “stressed” scenarios.

In conclusion, all these methodologies must receive proper information. Unfortunately, one of the main challenges of cyber risk modeling and insurability is the critical lack of a consistent database. Solving this issue will require collaboration between insurance companies, governments, the private sector, and other economic agents.

References
[1] Bessy-Roland, Y., Boumezoued, A., & Hillairet, C. (2021). Multivariate Hawkes process for cyber insurance. Ann. Actuar. Sci., 15(1), 14-39.
[2] Farkas, S., Lopez, O., & Thomas, M. (2021). Cyber claims analysis using generalized Pareto regression trees with applications to insurance. Insur. Math. Econ., 98, 92-105.
[3] Fung, B. (2021, April 12). Cyberattacks are the number-one threat to the global financial system, Fed chair says. CNN Business. Retrieved from https://www.cnn.com/2021/04/12/business/jerome-powell-cyberattacks-global-threat/index.html.
[4] Hillairet, C., & Lopez, O. (2021). Propagation of cyber incidents in an insurance portfolio: Counting processes combined with compartmental epidemiological models. Scand. Actuar. J., 2021(8), 671-694.
[5] Hillairet, C., Lopez, O., d’Oultremont, L., & Spoorenberg, B. (2022). Cyber-contagion model with network structure applied to insurance. Insur. Math. Econ., 107, 88-101.
[6] Hillairet. C., Réveillac. A., & Rosenbaum, M. (2023). An expansion formula for Hawkes processes and application to cyber-insurance derivatives. Stoch. Process. Their Appl., 160, 89-119.

Caroline Hillairet is a professor at ENSAE Paris and a member of the Center for Research in Economics and Statistics in the Laboratory of Finance and Insurance. She is a fully qualified actuary; a board member of the French Institute of Actuaries; and scientific director of the Joint Research Initiative on Cyber Risk Management, which is sponsored by the AXA Research Fund. Hillairet’s research concerns cyber risk, long-term and longevity risks, and progressive utilities.