Caroline Baylon - Security Risk Models for Cyber Insurance

First edition published 2021

by CRC Press

6000 Broken Sound Parkway NW, Suite 300, Boca Raton, FL 33487-2742

and by CRC Press

2 Park Square, Milton Park, Abingdon, Oxon, OX14 4RN

2021 Taylor & Francis Group, LLC

CRC Press is an imprint of Taylor & Francis Group, LLC

The right of David Rios Insua, Caroline Baylon and Jose Vila to be identified as the authors of the editorial material, and of the authors for their individual chapters, has been asserted in accordance with sections 77 and 78 of the Copyright, Designs and Patents Act 1988.

Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, access

Trademark notice: Product or corporate names may be trademarks or registered trademarks and are used only for identification and explanation without intent to infringe.

ISBN: 9780367339494 (hbk)

ISBN: 9780429329487(ebk)

Typeset in Computer Modern font

by KnowledgeWorks Global Ltd.

To Susana, Isa, and Carla. DAVID RIOS INSUA

To my parents. CAROLINE BAYLON

To Julian, Oriana, Marina, and Rodrigo. JOSE VILA

Cybersecurity has firmly established itself as a major global threat. We regularly hear reports of a company having experienced the biggest data breach in history, with each much larger than the last. It is not uncommon for organisations to suffer attacks involving the data of hundreds of millionsor even billionsof customers. We are also seeing a rise in cyber attacks on critical infrastructure, from transportation networks to the power grid, and their related potential for disruption. As a response to this risk, the insurance industry is developing novel cyber insurance products that facilitate risk transfer within a risk management portfolio.

However, the development of cyber insurance products presents a number of challenges. One of them is the rapidly evolving cyber threat landscape, including the growth in the number of attacks and the sophistication of attackers, that makes it difficult to accurately assess cyber risks. Another is the limited amount of historical data, which is traditionally the basis for insurance underwriting. In addition, customers are often unable to fully evaluate the cybersecurity risks they face and lack clarity around cyber insurance options. These issues call for new approaches in this domain.

This publication is the result of an initiative of the AXA-ICMAT Chair in Adversarial Risk Analysis, supported by the AXA Research Fund, and the CYBECO (Supporting Cyber Insurance from a Behavioural Choice Perspective) Project, a European Union-funded project through the Horizons 2020 programme. The project has brought together a diverse team of interdisciplinary European researchers, including cybersecurity practitioners as well as experts from the fields of risk analysis, psychology, behavioural economics, decision analysis, computer science, modelling, and policymaking. The findings underscore the importance of supporting independent academic research projects to find new ways to tackle the cybersecurity challenges that our society faces today.

The result is a volume that examines cyber insurance decision-making processes within organisations, identifies the behavioural issues underlying cybersecurity, and proposes innovative risk analysis models. It provides a timely contribution to the literature on cybersecurity and cyber insurance, offering guidance to companies in their cybersecurity resource allocation decisions and insights for insurers and brokers in their risk mitigation roles, thus contributing to a more resilient and cybersecure environment.

MARIE BOGATAJ, Director of the AXA Research Fund, Paris

ARNAUD TANGUY, AXA Group Chief Security Officer, Paris

A defining feature of modern society is its pervasive digitalisation, as exemplified by the information systems that store and process valuable data, much of it confidential. These systems include cyber-physical systems that operate critical infrastructures, the social networks that host so many of our interactions with others, and platforms that enable financial transactions such as online shopping or banking, to name but a few. Against this backdrop, cyber attacks are increasing in frequency, impact, and sophistication and can affect all types of organisations from corporations and governments to SMEs and NGOs, as well as individual citizens. The number of security breaches has increased by 67% in the past five years and cyber crime is estimated to cost the world economy $600 billion annually, or 0.8% of global GDP (Accenture and Ponemon Institute, 2019; McAfee and Center for Strategic and International Studies, 2018). The 2017 NotPetya attack was particularly destructive, causing over $10 billion in damage as it propagated across the corporate networks of a number of major multinational companies.

The use of cybersecurity risk management methods are essential in order to deal with these challenges. This enables organisations to assess the threats to their assets, what security measures they should implement to reduce the likelihood of such threats occurring, and to lessen their potential impacts should they occur. Yet, despite their virtues, the current frameworks used for cybersecurity risk management are mainly based on risk matrices, which have well-documented shortcomings that could potentially lead to a sub-optimal allocation of cybersecurity resources. They also do not typically take into account the intentionality of threats. This may be even more of an issue if we take into account the increasing variety of threats, as well as the growing number of security measures to choose from to counter these threats.

In this context, new methods of cybersecurity risk management are emerging, notably involving the use of cyber insurance. Cyber insurance can fulfil a key role by keeping risks manageable for insured companies by transferring the risk to insurers. It also provides companies with incentives to improve their cybersecurity by requiring them to implement certain minimum protections, thereby reducing overall risk. However, the cyber insurance market is still underdeveloped for several reasons. From the demand side, companies may struggle to decide whether or not to buy cyber insurance and which products to buy, in part due to difficulty understanding their cybersecurity risk. This is made more complex by the rapidly changing nature of the risk. From the supply side, this also means that it is difficult for insurance companies to create an overall risk picture for the domain, making it challenging to design and price cyber insurance products.