Quantifying cyber risk is hard. Cyber risk is dynamic and volatile. Without understanding cyber risk, organization cannot mitigate impact to...
The Management of Industrial Cyber Risks II – Risk Accumulation
The Management of Industrial Cyber Risks II covers risk accumulation and how to assess and manage cyber risk
In previous blog posts, we spoke of static versus dynamic risk, the data conundrum as well as the challenge to successful risk management being the differing nature of risks and industrial cyber risk presenting a significant challenge; not just in its management but also the potential to risk transfer.
As has been opined by many, one major challenge is the ability to calculate accumulation of cyber risk. The data conundrum is a major hurdle in this endeavor, and another is arguably the question: Is cyber risk systemic or systematic? The financial markets deal with this when analyzing investment opportunities. In the insurance world, this has not been so prevalent as insurance practitioners have generally steered clear of covering systematic risks.
Systemic vs Systematic Risk
In the financial markets, systemic risk essentially describes an event, usually at the corporate level, that could trigger the downturn of an industry, a section of an industry or economy. An example usually given by experts is the collapse of Lehman Brothers and its resultant effect regarding the financial crisis of 2008. Systematic risk is that which is inherently present in the market overall and an investor cannot escape it. For example, interest rate changes impact everyone regardless of industry. All sectors are affected.
Cyber Risk – Systemic or Systematic?
What does systemic versus systematic have to do with industrial cyber risk? It seems it could be quite a lot and the methodology insurers use to analyze their traditional portfolios will be (and arguably are already) tested by cyber risks.
As previously mentioned, the insurance markets have mostly avoided systematic risk by not providing cover for it. The argument being insurance provides protection for fortuitous loss and the risk causing the loss occurs by chance. If a risk is known to be ever present (or at least occur with undue regularity as to be considered ever present) and impacts everyone, such as interest rate risk, it is extremely difficult for the insurance market to assume, although some enterprising companies tried in the past and, unsurprisingly, failed. Diversification, a major arrow in the insurer’s quiver, is severely impacted.
The insurance market traditionally deals with forms of systemic risk; hence, the overt focus on accumulation of risk from an event. Various cybersecurity analytical firms have logically taken this route in helping insurers understand cyber risk accumulation by breaking down the portfolios by geography, sector, etc. to derive probable accumulation loss scenarios. This makes complete sense, but the follow on question is: With the rapid digitalization of all industrial sectors across all geographies, could cyber risk, or elements of it, morph from systemic to systematic or can it be either depending on circumstances? For example, is ransomware morphing into a systematic risk? The answer is unknown at this point as with various aspects surrounding cyber risk. It might be that digitalization is not the same for everyone and cyber risk remains in the domain of systemic for industrials notwithstanding that we are all still trying to understand the cyber risk exposure from supply chains. Nevertheless, for cyber insurance to become a long term, effective and enabling tool in an industrial company’s cyber risk management and thereby fuel insurance market growth with relevancy, insurers will need to monitor for this because the handling of the two types of risk and the accumulation impact can be quite different.
Tackling the question of accumulation in an industrial cyber risk insurance portfolio can be carried out from both a top-down and bottom-up approach. In the industrial space, there are various layers of accumulation such as vendor-related accumulation and/or facility accumulation within an insured and accumulation between insureds, industries, etc. This gets very complex which is exemplified when you consider a large utility scale wind farm where the vast majority of the ICS and OT assets are usually managed by a wind turbine OEM. In a consolidated wind turbine market, where there are only a handful of tier 1 manufacturers with thousands of facilities under management, what does that mean for OT cyber risk accumulation across different fleets?
To truly develop a clear and appropriately accurate accumulation picture for industrial cyber risk insurers, the bottom-up, more granular approach would seem to have greater insight, which requires an inside-out granular visibility of the risk from where risk accumulation can be built upstream. Monitoring it through quantification with real time data will allow insurers to determine exposure, probability of loss and where on the scale between systemic and systematic the risk is evolving. This will enhance their capability for underwriting analysis, capacity setting, capital allocation, etc. as mentioned in the previous blog post and, most importantly, profitability. All are elements required for the successful growth of the risk transfer market.
In future blogs, we will keep unfolding the risk accumulation bottom-up approach taken by DeNexus in its risk accumulation models, and the discussion of whether certain industrial cyber risks may be developing systematic characteristics.