Development of sustainable insurance for cyber risks, with associated benefits, inter alia requires reduction of ambiguity of the risk. Considering cyber risk, and data breaches in particular, as a man-made catastrophe clarifies the actuarial need for multiple levels of analysis - going beyond claims-driven loss statistics alone to include exposure, hazard, breach size, and so on - and necessitating specific advances in scope, quality, and standards of both data and models. The prominent human element, as well as dynamic, networked, and multi-type nature, of cyber risk makes it perhaps uniquely challenging. Complementary top-down statistical, and bottom-up analytical approaches are discussed. Focusing on data breach severity, measured in private information items (ids) extracted, we exploit relatively mature open data for U.S. data breaches. We show that this extremely heavy-tailed risk is worsening for external attacker (hack) events - both in frequency and severity. Writing in Q2-2018, the median predicted number of ids breached in the U.S. due to hacking, for the last 6 months of 2018, is 0.5 billion. But with a 5% chance that the figure exceeds 7 billion - doubling the historical total. Fortunately the total breach in that period turned out to be near the median.
Download