The Art of Measuring Cyber Aggregation Risk
Cyber risk is now an embedded feature of the global risk landscape, and preventative risk management and post-event remediation are gaining importance as shareholders, customers, supply chain partners, and regulators are increasingly focused on how companies are managing cyber risks. Insurance is becoming an important piece of the strategy to help businesses address these risks.
Cyber insurance is one of the fastest growing lines for insurers and reinsurers. While insurers are developing pricing tools for underwriting cyber risks, the focus on aggregation has increased – how to understand and control the potential exposure. Unlike traditional property insurance where aggregation is monitored by physical locations, cyber insurance aggregation can span connected systems that extend beyond physical geographies. While a large systemic risk has not yet materialized, it does not mean the risk is not present. Moreover, there is limited history and a lack of data for this emerging exposure, which makes it difficult for insurers to measure cyber risk and calculate capital needs. In other words: it’s a huge challenge to profitably grow a portfolio of cyber risk without exceeding risk tolerance.
For decades, insurers have considered aggregation from natural perils, and developed catastrophe models. These models go beyond the insured loss experience by blending the historical evidence and expert understanding of the nature of the peril, and provide a more robust understanding of future exposure. Modeling for cyber risk introduces new challenges, including:
- Changing perils – The types of cyber attacks, as well as the nature/motivation of the attackers, are in constant flux.
- Extended duration – Related attacks against different defenders may take place simultaneously, or may repeat over a period of months.
- Definition of damage – Cyber damage is harder to quantify, due to the gap between the technical and business impact.
- Reporting lag – It may take months or years to discover a cyber attack.
Symantec Cyber Insurance, in collaboration with Guy Carpenter, has developed a series of frameworks to systematically break down this complex problem into tractable components. Many of these components are impossible to observe directly from insured exposure or historical loss (much as wind or tides could not be inferred purely from insured hurricane loss). But as the global leader in cyber security, Symantec has spent decades tracking the emergence of new cyber threats and attack vectors, and has an unparalleled proprietary telemetry database, providing a unique capability to identify and quantify the nature of each phase of cyber attacks.
First and foremost, it is important to distinguish between the technical and business impacts of a cyber attack. The technical impact provides a mechanism to understand how an attack was carried out, but rarely provides a handle on the far greater consequences on a collection of businesses. To resolve this, Symantec has invented the CUBE framework that clearly articulates every facet that is relevant to a business user.
The framework consists of six complementary dimensions to break down the technical complexity of a cyber attack:
- Attackers
- Targets
- Objectives
- Vulnerabilities
- Impact
- Consequences
We will take a specific aggregation scenario to illustrate how this framework plays a useful role in describing these events. A cloud service provider disruption scenario has been widely regarded as one of the manifestations of aggregation on cyber portfolios. In the narrative below, the business impact on a leading cloud platform lasts for 24 hours and causes cascaded impacts on other businesses dependent upon its services. This scenario can play out in many different ways, and we can use the CUBE framework to showcase one such realization of this scenario.
The multi-dimensional view of risk provided by the CUBE framework not only helps insurers understand the key aspects of a scenario but also helps them control risk aggregation by avoiding higher degrees of exposure in their portfolios to the “footprints” of each of the attacks. The framework also minimizes the possibility of a misrepresentation of the description of a scenario and, consequently, the quantification of its frequency and severity. In essence, the CUBE framework provides a foundation to create an event set that can be understood easily by business users in the context of managing cyber aggregation risk.
It may be essential to think beyond the CUBE framework for building sophisticated risk models where uncertainty quantification becomes the primary goal. For this purpose, Symantec recommends using the “kill chain” methodology for a technical persona to capture the different phases of a cyber attack. For example, an insider attack on a confidential database in a large data aggregator will have a very different likelihood when compared to a financially motivated threat actor carrying out the same attack through a phishing campaign. A sequential model can capture this differentiation, specifically in the area of frequency quantification. More importantly, the quantification can be driven by Symantec’s security telemetry.
The kill chain tends to fall closer to the technical end of the spectrum in cyber security and is not as business-friendly as the CUBE framework. It is, however, extremely useful in understanding the diminishing probabilities of success as you move down the kill chain, where each subsequent step in the attack process poses a challenge to the attackers that not only depends on the motivation and capability of attackers but also the security controls that exist within the target(s).
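The sequential view described above can be sketched as a chain of conditional probabilities. This is an added example, not code from the article or Symantec's model; the stage names, attempt rates, stage probabilities and the control effectiveness are all constructed assumptions chosen to show how the insider and phishing paths to the same database diverge in frequency.

```python
from dataclasses import dataclass

# Simplified stage names: an assumption, the article does not list phases.
STAGES = ("initial_access", "privilege_escalation",
          "data_collection", "exfiltration")


@dataclass(frozen=True)
class AttackerProfile:
    name: str
    attempts_per_year: float  # constructed value
    stage_success: dict       # P(stage succeeds | earlier stages succeeded)


# Constructed numbers, chosen only to keep the arithmetic easy to follow.
INSIDER = AttackerProfile("insider", 0.2, dict(zip(STAGES, (1.0, 0.5, 0.8, 0.5))))
PHISHING = AttackerProfile("phishing campaign", 50.0,
                           dict(zip(STAGES, (0.1, 0.2, 0.5, 0.5))))


def cumulative_success(profile, controls=None):
    """Return [(stage, P(attack still succeeding after that stage))].

    controls maps a stage to the fraction of attempts the target's
    security controls stop at that stage (0.0 = none, 1.0 = all).
    """
    controls = controls or {}
    alive, path = 1.0, []
    for stage in STAGES:
        p, blocked = profile.stage_success[stage], controls.get(stage, 0.0)
        if not (0.0 <= p <= 1.0 and 0.0 <= blocked <= 1.0):
            raise ValueError(f"probability out of range at {stage}")
        alive *= p * (1.0 - blocked)
        path.append((stage, alive))
    return path


def annual_frequency(profile, controls=None):
    """Expected successful attacks per year for this attacker profile."""
    return profile.attempts_per_year * cumulative_success(profile, controls)[-1][1]


if __name__ == "__main__":
    dlp = {"exfiltration": 0.6}  # hypothetical control blocking 60% at the last stage
    for prof in (INSIDER, PHISHING):
        for label, ctl in (("no controls", None), ("with control", dlp)):
            print(f"{prof.name:18} {label:13} {annual_frequency(prof, ctl):.3f}/yr")
```

With these constructed inputs the insider succeeds far more often per attempt, yet the phishing campaign produces the higher annual frequency because of its attempt volume; a control at a single stage scales both paths down by the same factor.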
The relative importance of each of these frameworks is context dependent. If you are trying to model the frequency and severity of scenarios, you will find the kill chain much more appealing, but if you are a portfolio manager or a business stakeholder within an insurer, you are likely better served by the CUBE framework which transforms layers of complex cyber security concepts into simplified “snackable” content.
Ashwin Kashyap, Symantec Corporation, and Julia Chu, Guy Carpenter.
An unabridged version of this article was published in the MMC handbook 2016. Ashwin Kashyap is a Director, Product Management at Symantec where he specializes in creating and commercializing data-driven analytic products for cyber risk modeling to the insurance industry. Julia Chu is a New York-based Managing Director at Guy Carpenter where she focuses on strategic advisory.