A PRESENTATION TO
CAS 2015 Reinsurance SeminarAssessing & Reinsuring Cyber Risks
Dr Raveem Ismail DPhil, MSc by Research, MPhys (Oxon), MInstP
Ariel Re (Bermuda)
2
Relevant background
Oxford. Physics and Atmospheric Physics (microphysical modelling, volcanoes, aviation emissions, cirrus cloud).
Exclusive Analysis (now part of IHS). Political Risk/Violence consulting.
Aon Benfield. Terrorism Model Lead.
Validus/Talbot. Terrorism & War Underwriting Analyst.
Ariel Re. Specialty Treaty Underwriter.
3
The cyber insurance market
Not new.
Exclusions: NMA 2914, NMA 2915, CL 380.
Lloyd’s risk code CY in 2013.
No longer purely an FI / privacy hacking issue.
Focus now: “malicious” cyber, and BI not just PD.
4
Attributes
The parallels with natural hazards do not hold.
Exposure is rapidly changing, and is connected in hidden ways: non-geographic accumulation*.
The parallels with physical assets do not hold either.
Self-certification is not an option!
Therefore difficult to model:
“The current state of cyber modeling is like trying to use the count of arrests for a crime to figure out the dollar losses from theft. They are
related, but not in all the ways you want…”**.* http://www.gccapitalideas.com/2014/10/21/costs-of-cyber-attacks/ ** http://www.riskandinsurance.com/cyber-risk-models-remain-elusive
5
A few cyber developments
Internet Of Things (IOT). E.g., surgical devices*.
Hacking even “air-gapped” (physically isolated) networks, systems and devices possible.
Many sophisticated actors. Including governments**.
Post-Snowden behavior changes: minimal/non-existent***.
Potential catastrophes: aeroplane hacking^, Equation Group^^.
* http://money.cnn.com/2013/04/08/technology/security/shodan/index.html , http://www.technologyreview.com/view/537001/security-experts-hack-teleoperated-surgical-robot / ** http://www.bbc.com/news/uk-28623365 *** http://cacm.acm.org/magazines/2015/5/186025-privacy-behaviors-after-snowden/fulltext^ http://www.wired.com/2015/04/twitter-plane-chris-roberts-security-reasearch-cold-war / , http://arstechnica.com/security/2015/05/alleged-plane-hacker-said-he-pierced-boeing-jets-firewall-in-2012 / ^^ http://arstechnica.com/security/2015/03/new-smoking-gun-further-ties-nsa-to-omnipotent-equation-group-hackers / , http://arstechnica.com/security/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last / , http://www.kaspersky.com/about/news/virus/2015/equation-group-the-crown-creator-of-cyber-espionage
6
Thoughts for the future
Not an opportune point in the insurance cycle.
Yet to see a credible cost-effective accumulation method and auditing process for insureds.
Loss experience needed.
Work with governments and credible third parties.
Data, when it comes, should come quickly.