Cyber Risk: Stochastic Modelling of Personal Records Losses and Modelling the Spread of Ransomware

A Cyber attack is an assault using one or more computers against one or more computers, networks or devices. It can maliciously disable computers, steal data or use a breached computer as a launch point for other attacks. The emergence of Internet of Things (IoT) devices raises serious concerns in the areas of privacy and security. Global industry and governmental moves to address these concerns have begun, starting in the USA and rapidly followed by other developed regions of the world.

The presentation aims to support insurers' knowledge and modelling of Cyber risk through two modelling approaches. Each approach was developed within Actuarial Theses submitted to the French Institute of Actuaries by the speakers and researched over the period 2020-2021.

First, a personal records losses model with an appropriate and documented modelling approach will be discussed. It yields a fair and intuitive severity model. This model is based on two open databases, which will be presented, that describe historical Cyber incidents, most of which occurred in the USA.

Second, propagative ransomware models will be investigated through an epidemiological approach which extends well-known SIR models with a multi-group dimension as well as a graph theory approach. Innovative data, such as Bitcoin transactions related to past ransomware, can be used to derive key information and thus obtain fair frequency models despite the low quality and scarcity of the data.
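To make the multi-group SIR idea concrete, the following is an added example, not the speakers' model: a generic multi-group SIR system in which an outbreak seeded in one group of machines spreads to the others through cross-group contact rates. The group names, populations, contact matrix and remediation rates are all constructed assumptions.

```python
# Added illustration: a generic multi-group SIR model, not the speakers' model.
# Group names, populations and rates are constructed for the example.
GROUPS = ["healthcare", "manufacturing", "finance"]
POP = [5000.0, 20000.0, 8000.0]          # machines per group
INFECTED0 = [0.0, 10.0, 0.0]             # outbreak seeded in one group only
BETA = [[0.30, 0.05, 0.02],              # BETA[i][j]: infection pressure per day
        [0.05, 0.40, 0.05],              # that group j exerts on group i
        [0.02, 0.05, 0.20]]
GAMMA = [0.10, 0.05, 0.25]               # remediation rate per day

def simulate(pop, infected0, beta, gamma, days, dt=0.05):
    """Euler-integrate dS_i = -lam_i S_i, dI_i = lam_i S_i - gamma_i I_i,
    dR_i = gamma_i I_i, with lam_i = sum_j beta[i][j] * I_j / N_j.
    Returns one (day, S, I, R) snapshot per day."""
    n = len(pop)
    S = [pop[i] - infected0[i] for i in range(n)]
    I = list(infected0)
    R = [0.0] * n
    history = [(0, S[:], I[:], R[:])]
    for day in range(1, days + 1):
        for _ in range(round(1 / dt)):
            # Force of infection on each group, from the state before this step.
            lam = [sum(beta[i][j] * I[j] / pop[j] for j in range(n))
                   for i in range(n)]
            for i in range(n):
                new_inf = min(S[i], lam[i] * S[i] * dt)
                new_rec = gamma[i] * I[i] * dt
                S[i] -= new_inf
                I[i] += new_inf - new_rec
                R[i] += new_rec
        history.append((day, S[:], I[:], R[:]))
    return history

def attack_rates(history, pop):
    """Share of each group that was ever infected by the last snapshot."""
    _, S, _, _ = history[-1]
    return [1 - S[i] / pop[i] for i in range(len(pop))]

def peak_infected(history):
    """Maximum simultaneous infections per group (daily resolution)."""
    n = len(history[0][2])
    return [max(snap[2][i] for snap in history) for i in range(n)]

if __name__ == "__main__":
    hist = simulate(POP, INFECTED0, BETA, GAMMA, days=365)
    for name, a, p in zip(GROUPS, attack_rates(hist, POP), peak_infected(hist)):
        print(f"{name:14s} attack rate {a:.2%}  peak infected {p:,.0f}")
```

With these constructed rates, the group with the fastest remediation would not sustain an outbreak on its own, yet it still suffers a large attack rate because of the infection pressure from the other groups, which is the effect the multi-group dimension adds over a single-population SIR.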

Finally, several quantitative applications will be proposed to tackle key insurer issues, such as a CAT modelling approach suited to the Solvency 2 Pillar 1 requirements; risk management (through a Standard Formula adjustment to include operational Cyber risk in the framework); and non-proportional cover pricing.

