Beazley, Munich Re, Gallagher Re unveil cyber risk model for malware events

It provides transparent framework for assessing systemic cyber risk

Beazley, Munich Re, Gallagher Re unveil cyber risk model for malware events

Reinsurance

By Kenneth Araullo

Beazley, Munich Re, and Gallagher Re have published a white paper and model examining the potential accumulation risk facing the cyber insurance industry from extreme malware events.

The report introduces updated estimates of possible systemic losses, based on a new accumulation model developed through a year-long collaboration among experts in insurance, reinsurance, and broking. The initiative aimed to create a transparent framework for assessing systemic cyber risk.

The model incorporates three distinct malware scenarios applied to a synthetic portfolio representing the cyber insurance market. Munich Re said that the project sought to address limitations in existing systemic cyber-risk models, which often focus on economic losses or include elements typically excluded from standalone cyber insurance policies, such as cloud outages due to widespread power failures.

Additionally, some existing models involve parameters that may be challenging to interpret without significant technical expertise.

According to Munich Re, the absence of major catastrophic loss events in the cyber insurance market means that some level of subjectivity is inherent in any systemic risk model. However, the partners in the project emphasized the importance of providing clear justifications, explanations, and evidence for the model's parameters.

External experts contributed to the development process, and the report draws on academic and industry research. The assumptions regarding claims and incident response costs are based on actual claims data, which have been aggregated and smoothed to maintain client confidentiality.

The report suggests that the model serves as a transparent tool relevant to insurance for systemic cyber-risk, specifically through malware scenarios. It acknowledges the challenge of parameterization, given that the model's outputs are highly sensitive to the selected parameters.

The scenarios developed represent an upper bound of what is technically feasible. Although the scenarios are deliberately extreme, the model indicates that such events would not exhaust a significant portion of the deployed limit in the cyber insurance market.

The projected losses exceed twice the premium collected by the market, suggesting that the industry could potentially absorb a systemic event. Munich Re pointed out the need for re/insurers to maintain a robust capital base and a diversified portfolio to manage such risks.

The findings indicate that systemic losses in the cyber insurance market are most likely to arise from events such as widespread software supply chain attacks or self-propagating malware. In contrast, targeted malware incidents, while potentially resulting in significant economic losses, would generally not produce insured losses on the same scale.

By making the model's structure and assumptions available, Beazley, Munich Re, and Gallagher Re aim to provide a benchmark for calibrating systemic cyber-risk models and encourage broader industry adoption of consistent standards for evaluating these risks.

What are your thoughts on this story? Please feel free to share your comments below.

Keep up with the latest news and events

Join our mailing list, it’s free!