Diverging Cyber Cat Model Results Challenge Underwriters’ Risk Analysis: Guy Carpenter

August 1, 2023 by

Significant progress has been made in advancing vendor’s cyber catastrophe models, but a notable degree of variability exists across model outputs, which can pose a challenge to insurance and reinsurance companies as they formulate their views of risk, according to a report from Guy Carpenter.

“Among the greatest challenges for cyber writers is constructing their own view of risk to manage cyber exposure accumulation in order to support decisions around capacity constraints and capital deployment,” Guy Carpenter said in the report titled “Under the Lens: Investigating Cyber Vendor Model Divergence,” in which it analyzed differences between three major cyber catastrophe models: Guidewire Cyence, CyberCube and Moody’s RMS.

On a positive note, Guy Carpenter affirmed that cyber models’ results “are gradually converging over time as more credible data points become available for calibration and validation.”

One of the principal findings of the report is that there is no single driver of cyber model divergence but rather a varying combination of multiple parameters that drive discrepancies in modeled average annual losses (AALs), including revenue, industry sector classification and differing treatment of specific coverages.

More Revenue, Less Divergence

The main driver of loss variability across the three tested vendor models was annual revenue, the report said, indicating that organizations with larger revenues have less model divergence than smaller organizations. Here’s how Guy Carpenter phrased it: “Annual revenue input results in the highest modeled loss differences, with the greatest model divergence concentrated in the nano (< $1 million) and micro ($1 million-$5 million) revenue bands.”

The report explained that cyber risk data from larger organizations is readily accessible but is less available with micro and mini risks.

  • CyberCube and Guidewire Cyence were more conservative than Moody’s RMS in their loss estimates for micro and mini risks.
  • Guidewire Cyence is more conservative than CyberCube for micro and mini risks, but produces lower results for higher revenue sizes.
  • Moody’s RMS showed the least differentiation in results across revenue bands.

[/sidebar]

Revenue is intrinsically connected to the main types of cyber losses, such as business interruption (BI), contingent business interruption (CBI) and data restoration, the report said. “As such, it is expected that modeled losses will increase as revenue increases. However, variability in modeled results decreases as revenue increases.”

Above $5 million range, the report continued, the variability of results was very consistent out to the very large risks with revenue greater than $1 billion.

This is a significant finding from the report because the cyber insurance market continues to see increased penetration in the small revenue space, which Guy Carpenter said “will increase attention on the reliability of modeling for very small risks.”

“A deeper understanding of the relative treatments of low-revenue organizations by the vendor models will be essential to the alignment of internal views of risk to vendor views,” the report added.

Industry Drives Differences

The results of Guy Carpenter’s study show that industry sector is the second-most-impactful driver of variability in losses, after annual revenue.

Variability between the vendor model results was most evident for businesses classified as “Variety Stores” or as “Eating and Drinking Places” in the retail sector.

The Guy Carpenter report suggested that the divergence here is largely driven by Cyber Cube’s more conservative view of the retail industry sector. Explaining further, the report noted that CyberCube’s model considers financial fraud to be a significant contributor to loss, closely tied to payment process events that impact retailers. [/sidebar]

“Industry sectors differ in how they carry out their business. This necessarily means that technologies utilized across sectors also will vary and will be relied upon to different extents,” the report said. “Different sectors may also vary in their security posture, resiliency and attractiveness to threat actors. As a result, conceptually, industry sector will have a significant impact on cyber loss. We also find that this area causes significant variability in losses across vendor models.”

On the other hand, the report noted, the three models have little disagreement in perceived risk from a number of company employees, after accounting for all other input parameters.

Specific Coverage Treatment

“Ransomware and malware events are top event drivers for modeled losses across vendors as well as being broadly agreed upon as a major driver of loss across the industry,” the report said.

But here resides another source of model divergence. Guy Carpenter pointed to vendor models’ differing treatment of specific coverages, such as Ransomware & Extortion and Regulatory Defense & Fines.

While property policy wordings are far more homogeneous, cyber policies are written with differing coverages using diverse definitions, which makes it difficult to align diverse cyber policy wordings with available model functionality, the report said.

“Until the space becomes more standardized, there will continue to be challenges in aligning policy wordings with available model functionality.”

Methodology

To conduct its study, Guy Carpenter applied advanced analytics using predictive modeling “to achieve a deeper and more robust understanding of key factors driving divergence in cyber model outputs.”

The analysis aimed to address three points:

  • Determine which input parameters drive the greatest cyber model divergence.
  • Identify market segments where industry view of risk is most divergent.
  • Highlight risk characteristics for which a given cyber model may yield a significant average annual loss (AAL) penalty.

To analyze these points, Guy Carpenter relied on a sampled company-level dataset that approximated the distribution of the cyber industry, including key input parameters (such as annual revenue and country of domicile) that Guy Carpenter compiled across available vendor models. The dataset was then modeled using each of the three cyber models to generate an AAL at the individual-company level, as well as a portfolio average.

“By marrying cyber catastrophe modeling expertise and predictive analytics, this study helps insurers and reinsurers identify market segments where the model view of risk is most divergent,” according to Erica Davis, global co-head of Cyber, Guy Carpenter, in comments accompanying the report. “This will result in more confidence for insurers and reinsurers in making decisions about their deployment of capacity, which ultimately supports the cyber industry’s sustainable growth forward.”

This study is a companion to an earlier report, titled Through the Looking Glass: Interrogating the Key Numbers Behind Today’s Cyber Market.

This article first was published in Insurance Journal’s sister publication, Carrier Management.