Zero Day

Models for natural catastrophes have become common, so what is the need for the kind of cyber-risk model that JLT is developing with Stanford University?

GROEBER: Our cyber model is a tool that has science and analytics behind it to give our clients visibility into how they should prepare as cyber threats become much more prevalent.

A primary goal of building our model was to address specific questions from our clients. Because cyber doesn’t have the history that traditional coverages like property have, clients need fact-based tools to create an effective strategy.

Our model does rely on historical data but also expands the scope of information beyond the most publicized events, so we can include cyber or business interruption losses, incorporating our brokers’ invaluable experience working with clients as long as there’s been a cyber product.

What are the challenges in building a model for cyber risk?

GIACOBBE: Cyber risk is evolving—with limited data sets compiled—which is a challenge when you are working to measure it and advise clients how to protect themselves from it. In addition, any model that you build, including common models such as catastrophe models or workers compensation models, will have inherent risk—in the models themselves as well as the outputs.

We have worked to overcome these challenges by taking an approach that includes several key elements.

The first is our knowledge of the events that have happened, which is the cornerstone of our research efforts with Stanford. Looking at what has happened helps us set a baseline for possible cyber events, but it isn’t the only thing you want to consider.

Next, where sufficient data do not exist, we challenge ourselves to develop scenarios that can occur but have not yet occurred, as this helps define the most impactful events. As cyber risk continues to evolve, JLT will develop additional scenarios and update the model itself so the model matures with our knowledge about the risk.

Lastly, knowing there is inherent risk in any model that is built, we find it is extremely important to understand a model’s sensitivity to its critical parameters so that potential variations in results are appreciated by those using them, allowing for more informed risk management decisions.

What is the role of Stanford Law School’s Securities Litigation Analytics project?

HEGLAND: This research project is funded in part through the Stanford Cyber Initiative, which is broadly focused on studying “cyber-social systems” through an interdisciplinary approach. The Stanford Securities Litigation Analytics project is a natural starting point toward building a database of cyber breaches because cyber security is a looming threat to corporate boardrooms in terms of shareholder litigation. Having a better understanding of what that cyber risk looks like can better inform what shareholder litigation risk may look like in the future.

Through our conversations with insurers, brokers and corporate leaders, a consistent theme has emerged—a belief there is a lack of available data to better understand cyber risk. We’re working with JLT and others in Silicon Valley and beyond to prove that belief wrong. There is an abundance of available data; the challenge is bringing those different data together and then separating the signal from the noise.

Our intention is to continually build and develop this database of cyber breaches, focusing on frequency, severity in terms of cost, and the litigation and regulatory enforcement that stem from such breaches.