This whitepaper is the result of a year-long cyber collaboration on the modelling of accumulation risk from significant malware events. The results of the project, the whitepaper and the model, are freely available.
Participants Beazley, Munich Re, and Gallagher Re have brought together experts in actuarial modelling, technical cybersecurity and underwriting to produce a paper on modelling potential systemic cyber losses from extreme malware events.
The findings detailed in the whitepaper indicate that the cyber insurance market could withstand a plausible yet remote malware event under the given parameters.
Key conclusions from the report:
- The generic model was constructed as a transparent and insurance-relevant model for systemic cyber-risk based on malware scenarios, yet parameterisation is a challenge. The model outputs are regarded as representative of the tail risk that exists in cyber.
- As with any model, the modelled loss outputs are highly sensitive to the chosen parameters. The values assigned to the model parameters from the three scenarios developed are deliberately extreme and designed to represent close to an upper bound to what was considered technically possible.
- Despite the extremity of the scenarios, the model suggests that they would not exhaust a significant proportion of the deployed limit in the cyber market. The modelled losses are over twice the premium collected by the market, suggesting that the market could digest a systemic event. However, the project also highlighted the importance of (re)insurers having a strong capital base and a diversified portfolio.
- When considering malware attacks, a widespread software supply chain attack or self-propagating malware poses the greatest risk of systemic loss to the cyber insurance market. By contrast, a targeted loss event, while significant, lacks sufficient footprint to reach a similar magnitude of insured losses, although the economic loss could be significant.
The collaboration partners invite interested market participants to share feedback with the authors.