Speaker: Shaun Wang
Cyber risk, and more broadly data information security risk, takes on increased importance in today’s digital economy. There are several challenges in the quantification of cyber risks, which call for new actuarial theories for cyber risks. Firstly, there is a convoluted relationship between threats (number of cyberattacks) and vulnerability (likelihood of a weakness being exploited). Secondly, there is an interlocking relationship between firms’ cybersecurity spending and the required provision for the residual loss. Conceptually, the provision for the Annual Loss Expectancy can be viewed as the insurance premium for a full risk transfer, which depends on the level of information security investment. Thirdly, a firm’s information system has multiple data assets facing multiple areas of vulnerability, which need to be accounted for in the optimal allocation of cybersecurity investment resources. In this talk I present an actuarial economic theory, with mathematical equations for the combined effect of security investments in addressing cyber threats and vulnerability, from which one can derive the required provision for the residual Annual Loss Expectancy. I will discuss implications for cyber insurance product design, including the features of pre-breach prevention/mitigation and post-breach response. I will also discuss the externality effects of cybersecurity investment and the need for private-sector collective actions.