'Cyber Risk Aggregation: A Complex Problem that requires a Complex Modeling Solution' is written byDeNexus' Head of Research & Modeling Strategies, Romy Rodriguez Ravines.
Over the years, we’ve discussed the challenges of Cyber Risk Aggregation and DeNexus’ unique bottom-up approach powered by Inside-Out data to accurately quantifying, modelling, and estimating Portfolio level cyber risk with our flagship product DeRISK, the leader in evidence-based, data-driven, OT/ICS Cyber Risk Quantification and Management.
In cyber risk, a cyber-attack can result in claims that erupt across the globe, and financial loss events can be very nuanced and complex. In addition to the topic of cyber risk aggregation in general is Systemic Risk, which is defined by the notion that one incident could cause a cascading failure that triggers the collapse of an entire system. An example of this would be a cyberattack that takes down the power grid, and thus impacts sectors from transportation to communications and healthcare.
In this Blog, Romy Rodriguez Ravines dives into the questions, answers, and complexity associated to cyber risk aggregation.
From a cyber risk modelling perspective, we start by asking these initial questions:
Are there going to be multiple cyber events with large losses in a year?
Are cyber events going to occur in the same industry and/or geography?
How big could the accumulated losses be?
It sounds like one should look at the events that spread across many units, in DeNexus’ OT/ICS use case, different industrial facilities. However, Risk Accumulations can start with a single company with multiple units. Risk owners operate across multiple facilities, and also their insurance policies cover multiple ones.
So, the problem of cyber risk aggregation is deeper, and it includes all cyber events across multiple facilities. Then, the fundamentally harder questions to answer become:
How can an incident affect multiple facilities?
How can we capture, with evidence-based data, the way they are connected?
How could the risk spread through multiple facilities that could be, both, digitally connected and located in different geographic locations?
Adding the dynamic nature of cyber makes it even more challenging to describe the co-exposure of multiple facilities. Many factors contribute to that joint exposure, including firmographics, strategic aspects, technological or supply dependencies, and operational data flow. Dependencies that are hard to capture by traditional systemic risk modeling. Moreover, different sources of dynamism have different effects. Both the threat landscape and technology landscape, change the dynamics of a cyber event. So, it is not enough to look at cyber risk from the outside. It must be also looked at from the inside, as we do with DeRISK.
DeRISK’s detailed, bottom-up approach provides more valuable insights to better understand and accurately assess cyber risks, and it is mandatory for industrial Cyber Risk Quantification, Management and Transfer. It means understanding the individual risk by looking at it from the inside out, and by continuously measuring with (near) real-time data. Combined with the intelligence that can be built on the cyber threats – risk managers and insurers can determine their exposure, the likelihood of loss, and where the risk falls on the spectrum between widespread and interconnected.
Dealing with inside-out cyber data is very delicate. It is valuable not only for asset owners – what is my cyber posture and risk? - and for insurers – what is the risk profile I’m evaluating? -. It is also valuable for cyber attackers – where are the vulnerabilities that I can exploit? – where vulnerabilities are not protected with controls? -. Here is where the DeNexus Trusted Ecosystem make a difference. The DeNexus Trusted Ecosystem is a Secure Cloud-based Infrastructure. A combination of data integrity, encryption and anonymization tools, security standards and certifications, trusted and certified infrastructure, policies and procedures to enable a strict control over the collection, storage and dissemination of highly sensitive cyber data.
-Stay tuned for the next Blog where our CTO, Alessandro Nepoti, gives a deeper dive into the DeNexus Trusted EcoSystem-
Click Here to read more from Romy Rodriguez Ravines on the DeNexus Knowledge Center and the DeNexus Trusted EcoSystem.
Click Here to learn more about DeRISK, a comprehensive Cyber Risk Quantification and Management platform!