(Image credit: Adobe Stock.)
AIR Worldwide, the Boston-based catastrophe modeling firm, has release an open-source deterministic cyber risk, claiming as the industry’s first. The company plans to plans to release a series of deterministic cyber scenarios over the next 12 months. AIR has also expanded its cyber risk consulting practice to help clients augment the cyber exposure information in their existing books of business and to produce custom reports on aggregation risk and the probability of breach, aimed at helping companies understand their cyber risk today.
AIR says that its cyber scenarios, used in conjunction with the vendor’s data schema, will serve as practical examples to help perform deterministic scenario modeling of an insurer’s or reinsurer’s book of business. AIR’s first cyber scenario will consist of a major cloud service provider experiencing downtime for several days, resulting in significant business interruption losses for its customers, the company reports, adding that such scenario has the potential for revealing significant aggregation risk within an insurer’s book. The vendor says that its consulting clients will be given early access to future scenarios.
“AIR Worldwide is committed to broadening the understanding of loss potential from cyber breaches,” comments Scott Stransky, assistant VP and principal scientist, AIR Worldwide. “These open source deterministic cyber scenarios will supplement the number and variety of cyber scenarios that companies are currently managing, allowing the insurance industry to begin to truly understand their aggregated risk from large-scale cyber attacks that could lead to catastrophic accumulated losses.”
AIR’s cyber scenarios will include detailed descriptions of potential cyber events and be accompanied by SQL (Structured Query Language) scripts that capture the event’s severity and loss potential and can be run against a book of business, the company reports. The SQL scripts are based on the open source Verisk Cyber Exposure Data Standard, enabling companies to view all the assumptions made within the scenario and modify them according to their view of risk. Using the scenarios, deterministic loss estimates can be studied for aggregations on cloud providers, payment processors, accidental breaches, blackouts, encryption quality, and more, according to AIR.
Unique Database of Company-Specific Information
While AIR’s monthly cyber scenarios are designed to facilitate risk analytics and encourage the collection of exposure information necessary for modeling, AIR’s cyber consulting services offer modeling for a wide range of scenarios today, the company says. AIR says that its new services can help underwriters identify the guidelines expected to affect cyber risk assessments the most. AIR claims a unique database of company-specific information for tens of thousands of global commercial establishments can be leveraged to supplement company data with critical information such as cloud provider and employee count. Through these engagements, AIR can transfer client data into the standard format, augment it, and convert it into decision-making assets, the vendor asserts.
In January 2016, AIR and its parent company, Verisk Analytics, announced the Verisk Cyber Exposure Data Standard, designed to help create a uniform method for data transfer across the insurance value chain. AIR also developed a preparer’s guide designed to assist companies in collecting and storing the necessary cyber exposure data in an open format suitable for modeling, along with an SQL implementation, to allow organizations to begin to use the standard in their enterprises while helping them understand their exposure and aggregation risk, evaluate risk, and make underwriting decisions.
“As transferring cyber books of business across the insurance value chain becomes more widespread, the practical implementation of the Verisk Cyber Exposure Data Standard will help make the process more uniform,” AIR’s Stransky adds. “In addition, the schema we released will be used in the upcoming AIR probabilistic cyber model so that organizations can prepare for modeling cyber risk in the future.”