Cyber: Modelling for a fast-moving risk

Damini Mago, associate director – cyber product management, insurance solutions at Moody’s, examines some of the challenges in cyber risk modelling.

Cyber insurers face a dynamic and challenging risk outlook as the pendulum swings between threats on one side and cyber resilience on the other. For instance, according to a Howden report, cyber insurance premiums surged between 2020 and 2022 in response to the remote-working boom. At the same time businesses raced to adapt their cybersecurity to manage threats from personal device use and remote network access. Better threat awareness and good cyber hygiene practices improved business resilience, helping ease premiums.

Yet any strengthened resilience is continually being tested as ransomware and malware attacks have intensified – Zscaler reports that there were 1.13 billion phishing attacks in the US in 2023 alone. Criminal gangs and state-backed threat actors have become more opportunistic, broadening into target areas that previously appeared to be off limits. For instance, the state-backed group Qilin recently attacked UK pathology services provider Synnovis, disrupting the country’s National Health Service.

The risks from non-malicious cyber events have also come to the fore following the recent CrowdStrike faulty update incident, which saw millions of Windows devices temporarily impaired. The real-world impacts ranged from flight cancellations and payment system failures to reeling health systems.

Moody’s has been modelling cyber risk for insurers for over 10 years, and in a chaotic risk landscape such as cyber, understanding tail risk is a critical focus area to bring confidence in understanding systemic risk. With Moody’s RMS Cyber Solutions Version 8, we are moving in line with the needs of the cyber insurance market, facilitating the inclusion of a broader range of scenarios, with the number of unique events catalogued doubling over the past decade to more than 20,000. The threat and digital landscape are constantly changing, and we are applying our deep research in areas like digital supply chains and cloud outages to our modelling.

Unlike natural peril risks, cyber risks cannot be diversified simply through geographical spread due to their complex correlation structures. This event catalogue expansion brings the potential for further diversification within portfolios. It helps to enhance decision-making support and risk transfer processes, and provides the foundations for improved event response. This represents a first step towards achieving diversification in cyber risk management or assessing correlations in ILS investor portfolios.

Moody’s is enhancing exposure data quality to capitalise on our advanced risk modelling, given that it remains challenging for many insurers to collect basic exposure data, such as company size, industry and geographical location. Our cyber solutions help address this by utilising a portion of Moody’s Orbis dataset that covers approximately 19 million companies worldwide with revenues of over $1mn.

Moody's aims to provide a detailed – yet understandable – scenario framework, acknowledging the complexity of the cyber ecosystem. One of our goals is to help model users uncover potential correlations that might influence pricing and risk aggregation by delving deeper into the data and broadening the range of modelled events. With input from Moody’s Cyber Risk Steering Group, the industry is guiding our model development, and we are striving to level up cyber risk modelling to the same standards the industry experiences with nat cat perils. We aim to achieve a level of sophistication combined with powerful, but easy-to-use functionality that can make sense of this ever-changing risk landscape.