Heavy-Tailed Data Breaches in the Nat-Cat Framework & the Challenge of Insuring Cyber Risks
share
Considering cyber risk as a (man-made) natural catastrophe (Nat-Cat) systematically clarifies the actuarial need for multiple levels of analysis, going beyond claims-driven statistics to forecast losses, and necessitating ambitious advances in scope, quality, and standards of both data and models. The prominent human component and dynamic and multi-type nature of cyber risk makes it uniquely challenging when compared with other Nat-Cat type risks. Despite noted limitations of data standards and models, using updated U.S. breach data, we show that this extremely heavy-tailed risk is getting significantly worse -- both in frequency and severity of private information items (ids) exfiltrated. The median predicted number of ids breached in the U.S. due to hacking, for the last 6 months of 2018, is about 0.5 billion, but there is a 5 percent chance that it exceeds 7 billion -- doubling the historical total! In view of this extreme loss potential, insurance principles indicate a need to reduce ambiguity through research and to provide a sufficient basis for writing sustainable insurance policies. However, as demand for extended insurance coverage exists, premium differentiation is deemed attractive to incentivize self-protection and internalize externalities.
READ FULL TEXT