13 Mar 2020

A lack of historical data and the rapidly evolving nature of cyber threats mean that cyber risk modellers need to be selective in the lessons they learn from natural catastrophe models.

According to a new report from CyberCube, a market-renowned cyber analytics provider, the evolution of natural catastrophe modelling since Hurricane Andrew in 1992 can act as a template for cyber modellers, but only up to a point. Beyond that, cyber modellers need to develop their own solutions.

‘Drawing from the Experience of Nat Cat Modeling’

While there are similarities between the two types of models, the report, ‘Drawing from the Experience of Nat Cat Modeling’, highlights three key differences. In addition to a lack of historical data and the rapid pace at which cyber events are changing, cyber-attacks involve ‘active adversaries’ in the form of criminals or terrorists.

These important differences mean that cyber modellers do not have the time or ability to ‘observe, learn and adapt from past data and models’. One key challenge for cyber modellers identified in the report is the need to improve accuracy in a sector where the past provides limited guidance as to future activity.

Enhancing cyber security

Oliver Brew, CyberCube’s Head of Client Services and one of the report’s authors, said, “There’s a well-known phrase in statistical circles that while all models are wrong, some are useful. Models like CyberCube’s model do not have a predictive line of sight to outcomes but they do aid decision-making, capital planning and a wide range of other factors.”

He adds, “For a long time, our sector thought that by studying the way in which nat cat models developed, we could find answers to build better cyber models. What this report shows is that those parallels will only take us so far. The challenge for businesses like CyberCube is to use the tools at our disposal to learn from the past and make informed decisions about the future. The good news is that cyber models are improving rapidly with more useful data sources and faster cloud-hosted processing power.”

‘Categorised and structured’ data

The report studied how Hurricane Andrew in 1992 highlighted significant weaknesses in what were then current modelling practices. Yvette Essen, Head of Content at CyberCube, said, “Back then, insurers estimated the size of future losses using ‘experience’ data based only on what happened in the past. Actuaries simply adjusted recent history to reflect current trends. Hurricane Andrew helped to prove that past data is a poor gauge for future catastrophe exposure. Previous projections failed to recognise that science indicated unprecedented events were within the realm of reasonable possibility.”

The limited volume of ‘categorised and structured’ data relating to insured cyber losses may also hamper the development of cyber models. While there are many sources of information on well-documented cyber incidents, the report notes, these have not translated into a similar volume of useful data that insurers and modellers can utilise.

Cyber risk analytics expert

CyberCube delivers renowned cyber risk analytics for the financial and insurance industry. With best-in-class data access and advanced multi-disciplinary analytics, the company’s Software-as-a-Service platform helps insurance companies make better decisions when underwriting cyber risk and managing cyber risk aggregation.

CyberCube’s enterprise intelligence layer provides insights on millions of companies globally and includes modelling on over 1,000 single points of technology failure. ‘Drawing from the Experience of Nat Cat Modeling’ is published online and available from CyberCube on the official company website.