In a recent Insurance CIO Outlook article, Phil Norton, Ph.D., of Arthur J. Gallagher & Co., discusses modeling cyber risk by evaluating the source, quantity and quality of a company’s stored data. Since estimating cyber risk for insurance claims is still in its infancy, the amount of data is “relatively sparse.” However, Norton explains that by going beyond record counts and average breach costs, and considering industry, number of employees, revenues and other data “readily available and highly correlated with the risk,” one can create a highly predictive model for assessing cyber risk. Norton explains that through “quality data” and “statistical methods,” one can provide a “powerful alternative to simple benchmarking of insurance purchasing patterns.” For instance, Norton’s methods found that after a breach, larger companies experience a reduction in their cost per employee, cost per record breached and cost per network device compared to smaller companies. On the other hand, larger companies experience bigger breaches and therefore greater aggregate costs. In the end, however, significant adjustments must be considered once the company’s industry is measured.
Furthermore, by taking into account the number of employees, cost-of-record variability per industry and differences in the records held by industries, Norton was able to refine risk modeling significantly by “altering severity of claim expectations according to industry.” For instance, while retail cyber claims have shown severe potential for catastrophic loss, Norton found smaller retailers do not bear that same risk. After incorporating the different statistical correlations into one model, one can then better predict an industry’s risk based on the company’s size. Taking all factors into consideration revealed that, for large retailers with many locations, the number of locations provides the best indicator in this particular industry, rather than the number of employees alone. Perhaps most importantly, Norton notes that while this currently is a “sophisticated assessment technique” for gauging cyber risk, this evolving industry is certainly susceptible to constant change in the future.