Cyber: Modeling for a Fast-Moving Risk

Damini Mago, associate director – cyber product management, insurance solutions at Moody’s, explores some of the challenges in modelling cyber risk.

Cyber ​​insurers face a dynamic and challenging risk outlook as the pendulum swings between threats on one side and cyber resilience on the other. For example, according to a report from Howden, cyber insurance premiums rose between 2020 and 2022 in response to the rise of remote working. At the same time, businesses rushed to adapt their cybersecurity to manage threats from personal device use and remote network access. Better threat awareness and good cyber hygiene practices improved businesses’ resilience, which helped lower premiums.

Yet any fortified resilience is continually being tested, as ransomware and malware attacks have intensified—Zscaler reports that there will be 1.13 billion phishing attacks in the U.S. alone in 2023. Criminal gangs and state-sponsored threat actors have become more opportunistic, expanding into previously inaccessible target areas. For example, state-sponsored group Qilin recently attacked UK pathology service provider Synnovis, disrupting the country’s National Health Service.

The risks of non-malicious cyber events have also come to the fore following the recent CrowdStrike incident involving a faulty update, which temporarily disabled millions of Windows devices. The real-world consequences ranged from cancelled flights and disruptions to payment systems to crippled healthcare systems.

Moody’s has been modeling cyber risk for insurers for over a decade, and in a chaotic risk landscape like cyber, understanding tail risk is a critical area of ​​focus to gain confidence in understanding systemic risk. With Moody’s RMS Cyber ​​Solutions Version 8, we are moving in line with the needs of the cyber insurance market, facilitating the inclusion of a broader range of scenarios, with the number of unique events catalogued doubling over the past decade to over 20,000. The threat and digital landscape is constantly evolving, and we are applying our deep research in areas such as digital supply chains and cloud outages to our modeling.

Unlike natural hazard risks, cyber risks cannot simply be diversified via geographical distribution due to their complex correlation structures. This extension of the event catalogue provides the opportunity for further diversification within portfolios. It helps to improve decision support and risk transfer processes and provides the basis for improved event response. This is a first step towards diversification in cyber risk management or assessing correlations in ILS investor portfolios.

Moody’s is improving exposure data quality to benefit from our advanced risk modeling, as many insurers still face challenges in collecting basic exposure data such as company size, industry and geography. Our cyber solutions help address this by leveraging a portion of Moody’s Orbis dataset, which covers approximately 19 million companies globally with revenues greater than $1 million.

Moody’s aims to provide a detailed – yet understandable – scenario framework, recognizing the complexity of the cyber ecosystem. One of our goals is to help model users uncover potential correlations that could impact pricing and risk aggregation by diving deeper into the data and broadening the scope of modeled events. With input from Moody’s Cyber ​​Risk Steering Group, the industry is driving our model development and we aim to bring cyber risk modeling to the same level the industry is experiencing with nat cat perils. We aim to achieve a level of sophistication combined with powerful, yet easy-to-use functionality that can make sense of this ever-changing risk landscape.