One of the major difficulties in quantifying cyber risk has been the inability to properly model the risk. However, researchers have started to adapt natural disaster risk models to be used in the cyber risk market.
Boston-based research and modeling group, AIR Worldwide Corp, plans to have a “cyber risk model ready for general consumption within two to three years,” according to the firm’s manager and principal scientist, Scott Stransky. Mr Stransky stated that AIR has “a prototype cyber model available now, and we are looking at 2018 for a general release.”
Stransky said that the most challenging part of modeling cyber risk was the difficulty in amassing enough data because companies do not like to admit that they have been breached. To overcome this, AIR has partnered with third-party data sources and insurers that can provide claims data through nondisclosure agreements.
AIR is also working on how to best model damages resulting in the fallout of a cyber attack. While first-party costs for lawyers, forensic firms and public relations firms is fairly easy to model, third-party liabilities can be tough to estimate. For example, Stransky stated, “suppose hackers get into the computer system running a dam, causing the dam’s spillway to malfunction and flood a neighborhood near the dam. While the dam itself is not physically damaged, who pays for that? Until we know which insurance policies will pay for that, we will not be able to model damages for that.”