Where small businesses stand amid ‘the New Frontier of Cyber Catastrophe Modelling’ came under close scrutiny in the joint research study recently published by Guy Carpenter and At-Bay.
Exploring the current limitations in the cyber CAT modelling of the SMB segment, the report found that small and medium businesses (SMBs) now represent 45% of the cyber market exposure, up 45% from five years ago. It also highlighted that the increased share of SMBs in the cyber insurance market requires accurate quantification of their aggregation potential in order for effective capacity deployment and risk management.
Discussing the research, report author Jess Fung (pictured left), MD and Northern American cyber analytics lead at Guy Carpenter, highlighted the observed limitations of current cyber cat models, particularly with regards to the accurate assessment of aggregation risk in SMBs. It’s the role of the industry to find a way to address that emerging limitation, she said, while cyber cat modelling vendors continue to find better ways to refine their models.
“We should recognise the tremendous value that these cyber cat models have been delivering to the insurance industry to help them understand exposure aggregation, and help them figure out how much risk they want to bear and how much capital they want to deploy on cyber,” she said. “As we know, SMB is a huge area of potential growth for companies looking to enter this emerging risk space. [That’s why] it’s so important for cyber writers to get it right when it comes to exposure management strategy for SMBs.
“But the challenge with the current cyber models is that they struggle to account for SMB exposure in an accurate and granular way. And we sympathise with them because of the lack of credible data about things like technology dependencies and security posture within these smaller companies.”
Expanding on the disparity seen within SMBs when it comes to their security postures, Yoshi Yamamoto (pictured right), report author and cyber risk modelling director at At-Bay noted the struggle across the SMB market, which makes up the main portion of At-Bay’s portfolio. The firm has been working for over two years now on trying to gain a better understanding of what’s missing in terms of granular detail and help push the boundaries of cyber risk modelling.
In terms of the disparity of cyber risk, SMB is a “very strange” segment of the market, he said, not least because SMBs are much more subject to attack. This is led by the evolution of cyber incidents. Where before, data breaches were the choice of criminals because they could steal the information of large companies with a lot of good data, the rise of cryptocurrency and the anonymisation of financial transactions has led to ransomware becoming the cyber weapon of choice.
Then on the defense side of the equation, SMB companies often don’t have the budget and the security resources to maintain a healthy security posture while under attack. From the cyber security provide view of the market, the SMB segment isn’t an attractive proposition because they don’t have the budget to invest heavily. All this means that SMB companies don’t have enough choice to incorporate the right cybersecurity controls to make themselves secure.
This results in the SMB segment being riskier. “Where the disparity of the SMB segment comes in is that while the SMB segment, in general, is less secure, those companies with cyber insurance are generally much more secure than others,” he said. “Because, in general, cyber insurance providers require certain cybersecurity components before they’ll underwrite a risk. So, their exposure is much better than the general population.
“Also, some of these insurance companies are providing security services to insured companies, which again, makes them more secure. The disparity is that generally SMB companies are less secure, but specific companies are much more secure than others. And this discrepancy is very important to address in cyber cat models, on top of the information of the current vendor models.”
Fung added even among the SMBs with a limited cybersecurity budget, if they have impactful defence mechanisms and security controls in place – including firewalls with the right settings, endpoint detection and response (EDR), multi-factor authentication (MFA) – these can be very effective in protecting an SMB from cyber risk. “What that means is that being able to properly reflect that disparity of security posture is important in any insurance company's SMB strategy. That's what we want to stress with our paper and how we then propose a methodology to look at making the cyber model results more meaningful, more tailored for SMBs.”
Digging into that solution, Fung noted that the headline from the perspective of Guy Carpenter is that its proposed methodology leads to a very meaningful impact in terms of a reduction of 17% in the modelled cat loss, at the tail return period. That metric is one of the most important when insurance companies are looking to measure when setting their risk tolerance level around cyber.
Being able to assess that with more granular detail when looking to scale up your SMB portfolio is essential, she said. “The 17% reduction with the proposed methodology implies that, if we don’t properly account for SMB exposure, then the tail loss could be overstated, and that would lead to biased and potentially misleading conclusions about capital deployment around cyber.”
Yamamoto noted that in the joint paper, the teams modelled many of the additional components of an SMB’s security posture and controls as outlined by Fung above. Those components were critical to source, he said, because they exist within a company’s network. As a result, it’s not easy information to obtain from an external scan to obtain a better view of the risk from a modelling perspective. Using its connection with insureds, At-Bay was able to obtain this data and supplement it on top of existing cyber cat models.
“Essentially, we are modelling the behavior of the EDR and MFA, on top of the cyber cat modelling output, and modifying the risk appropriately to adjust to the risk level of the event,” he said. “That 17% reduction is very significant to us. With and without that component, our strategy could be changing so having that component, and then being able to properly assess the cybersecurity risk is very important for insurance companies.”