Just as a hurricane can decimate an entire shoreline

neighborhood, cybersecurity risk has the potential for

aggregated single events or groups of events causing

harm to many parties simultaneously.

For example, many companies share common

infrastructure when accessing the internet and cloud

computing resources. An outage at a technology

service provider operating this shared infrastructure

has the potential to affect many companies

simultaneously. Once you understand accumulations

within a portfolio, it is important to explore disaster

scenarios to test the potential outcomes of everything

from power outages to ISP interruptions to cloud

provider disruptions to the emergence of new zero

day vulnerabilities on a variety of the most widely used

software and hardware technologies and many others,

all based on real data.

When simulating a disaster scenario of a week-long

outage at one of Amazon’s most commonly used data

centers, we see that losses depending on the exact

scenarios to the S&P 100 group of companies can

potentially exceed $12 billion. Insurers will need to

incorporate these tail loss events when evaluating the

adequacy of their pricing. Increasingly, regulators and

rating agencies are paying closer attention to these

extreme events and insurers’ aggregate exposure when

evaluating capital adequacy and credit risk.

Lloyds of London’s has been very public on their

goals of understanding accumulations for various

cyber disaster scenarios. But beyond direct cyber

incidents like a cloud provider outage, perhaps the

more concerning incidents are silent cyber scenarios

exposing noncyber insurance products to potential

cyber-related losses. Lines of coverage like property

tend to have limits that are orders of magnitude higher

than a typical tower of cyber insurance coverage;

additionally, these policies have not contemplated or

charged for cyber-related risks and, unless specifically

excluded, could be exposed to losses occurring at the

intersection of cyber and physical events.


By examining both the cyber risk of individual

organizations, as well as the potential aggregate

impacts of a range of scenarios and outcomes, Cyence

enables the development of a comprehensive view

of the elements that contribute to an organization’s

cybersecurity risk, how it benchmarks against its peers,

and how to manage that risk over time. Understanding

the primary vectors of cybersecurity risk to an

organization can help drive informed enterprise risk

management strategies and empower insurers and

reinsurers to efficiently, effectively, and consistently

evaluate cybersecurity risk of insureds, and monitor the

accumulation exposures of portfolios accordingly.

Arvind Parthasarathi is a founder and the

CEO of Cyence.

Copyright © 2016 Marsh & McLennan Companies


More magazines by this user
Similar magazines