Cyber seems to be close to everyone's thoughts at the moment. At a time that the markets are seeking new business to write with their overcollateralised balance sheets and ILS funds are seeking new products to invest in that are not US hurricane and earthquake, many are turning to cyber. So how well does cyber fit the insurance model?
Back to First Principals
Going back to the first principals of insurance, insurance is predicated upon the 'law of large numbers' and the 'losses of the few will weigh lightly on the shoulders of the many'. For insurance to work you need a lot of 'like risks' (i.e. similar risks) which all have an independent chance of suffering a loss.
If we take by way of example the risk of say break-in/burglary, which is in many ways is similar to cyber, only with the break-in/burglary being in the physical world whereas with cyber is in the ‘virtual’ or ‘cyber’ world. If an insurer writes a portfolio of say homeowners in any given city, he may believe that say 1 in 100 homes will be broken into and therefore has his base rate on which to charge his premium. The insurer may be relatively comfortable with this rate as (i) there are only so many burglars in the city so they can physically do only a certain amount of break-ins per day; and (ii) each home is different and each offers varied protection against break-in – just because a burglar broke into one house it does not necessarily mean he can more easily break into another house.
From a 10,000 foot view of cyber risk we can see that there are essentially two main operating system families, Windows and Unix (which includes OS X (itself part of the BSD family), the Linux family, the BSD family and Solaris). So if an exploit is found in say Unix, there is a high likelihood that the exploit will work on all or most of the Unix family. The same would go for Windows.
Going back to our burglary analogy, we now see that all the homes in the portfolio use locks from one of 2 manufacturers and that each of those locks from one of the two manufacturers will work with the same key! If the burglar gets hold or manages to make one of these keys they can easily walk into any home. If our insurer knew this he would start to get a little concerned with aggregation risk – once the burglar has succeeded once he will be able to easily break in to many more. Now the only thing giving the insurer comfort is that, even with the key to half of the houses, the burglars cannot physically break into them all before they are (a) stopped, or (b) the home-owners can change their locks.
This brings us on to the speed that computers work – very fast! To illustrate this please watch the following short video from Malwarebytes which shows how the infection rate of the Wannacry Ransomeware as it travelled around the world: https://www.youtube.com/watch?v=IEAtGCkbq5Y
Going back to our burglary example, what would the insurer do if we now told it that once a burglar had successfully broken into 1 house he could walk into 50% of all homes and that he had the ability to clone himself and walk into those homes simultaneously and immediately?! The insurer themselves would immediately either be excluding burglary, re-rating it or calling his reinsurance broker! Yet this is cyber risk! We now appear to have a risk that has massive autocorrelation or serial correlation. All that remains now is the probability that the burglar cannot break in even a first time.
The Probability of Loss
I am not a cyber-security expert and do not pretend to be one, but again from the 10,000 foot view, a ‘secure’ computer system has been described as follows:
"The only secure computer is one that's unplugged, locked in a safe, and buried 20 feet under the ground in a secret location... and I'm not even too sure about that one"
"The only secure computer is one that's not yet built"
put this together with the logical “everything made by man can be broken by man”, and we get a “when” rather than an “if”. “When’s” can be insurable as long as the loss can be spread (through the application of Markowitz’s Modern Portfolio Theory as opposed to the law of large numbers), but we have already seen that, given the autocorrelation, the ability to diversify this risk is limited. For a recent example of where autocorrelation played a role one need only look at the mortgaged-backed CDO market. Mortgage defaults are increasingly correlated in the tail and therefore may not be the best assets to put into a CDO structure, and then to hope to get diversification by investing in several of these structures. This was doomed to failure, as the markets found out to their detriment in 2008.
If we still want to undo the Gordian Knot that is cyber risk we need to nonetheless try to assess the probability of loss. Going back to our first principals metaphor, we need to know how many ways there are to enter into the house – relatively few – the front or back door, any windows and, if we are Father Christmas, maybe the chimney. How about a computer system / network – here the possibilities are endless – from being invited in by an employee to back-doors, trojan horses, phishing, drive-bys, privilege escalation and even hardware. I am sure there are many intelligent cyber experts out there, but how many were able to predict ‘Heartbleed’, ‘Meltdown’ and ‘Spectre’, to name but a few, before they happened?
Some Additional Thoughts
Security Begins with Physical Hardware Ownership
When it comes to computer security it is clear that a computer that is switched off is more secure than a computer that is switched on. A computer that is not connected to any network is more secure than a computer that is connected to a network and a computer that is not connected to the internet is more secure than a computer connected to the internet. But all security bets are off when you have physical access to the actual hardware! Given this simple fact, it is amazing that companies are willing to put their data on hardware which is ‘in the cloud’, i.e. onto hardware that is not under their physical control, but under the physical control of someone else! They may save a couple of bucks, but the risk they expose themselves to is significantly greater. Those few bucks in savings won’t be able to pay the insurance premium, if insurance is even available, let alone finance the risk.
Cloud Computing and Virtual Private Servers
Not only does cloud computing put the hardware under someone else’s control, but people are often sharing the same server. This is where “Meltdown” and “Spectre” come in. They break the isolation between applications and/or the operating system, allowing others to, for example, read passwords, encryption keys or other data from someone else’s server instance on the cloud.
Overall, to my simplistic way of thinking, it is logically much safer to keep your data locked in your computer room behind a well maintained and monitored firewall than anywhere on the cloud.
It won’t come as a surprise that over 90% of all computers are made in China. It would seem to be rather easy for the Chinese manufacturers to put in back-doors / phone-home code at a very low level (beneath the BIOS), hidden elsewhere on the motherboard or possibly within hard drives. If one believed that China could behave in any way nefariously, then one may not be happy with buying a computer manufactured in China, in the same way that the US State Department, MI5 and MI6 will not allow use of Lenovo computers in their networks. “Machines produced by the state-backed technology company [Lenovo], which is the largest PC producer in the world, are claimed to have been found in tests by MI5 and GCHQ to have modifications in their circuitry which could allow remote access to the devices without the owners’ knowledge.” quote from the Independent Newspaper (https://www.independent.co.uk/news/uk/home-news/mi6-and-mi5-refuse-to-use-lenovo-computers-over-claims-chinese-company-makes-them-vulnerable-to-8737072.html).
Site Visits and Hazard Analysis
Again returning to our first principals, the complexity of cyber risk is not really in line with our burglary metaphor, but more in line with a very complex chemical plant. No insurer would dream of trying to rate and insure such a risk without a site visit and some form of in depth hazard analysis. Yet it would seem that now RMS, AIR (both well known for the physical risk analysis and modelling) and others believe that they can sit in splendid isolation and ‘model’ cyber risk, providing us a probability of a successful attack and the loss quantum (however that may be assessed) so associated with such attack. From what little I know, this strikes me as naïve and not where I would put my personal money.
Whereas there is a lot of talk about insuring and reinsuring cyber risk today, even though as an industry we currently have too much capital and are looking for new risks, is cyber risk truly a viable possibility to fill a gap? To my mind general and poorly specified cyber risk as the market is seeing today is more part of the general business risk, a risk which does not belong in the (re)insurance industry. I would therefore argue that, along with the general business risk, cyber risks run by companies are a risk that should be financed and borne by the equity holders of the businesses in question and not assumed by the (re)insurance industry. As understanding improves and coverage / risks are better defined, it may make sense to cover a well-defined part of the overall risks that a company faces from ‘cyber’ within the (re)insurance market, but that does not appear to be the case today.