Cyber operational risk scenarios for insurance companies

2019 ◽  
Vol 24 ◽  
Author(s):  
R. Egan ◽  
S. Cartagena ◽  
R. Mohamed ◽  
V. Gosrani ◽  
J. Grewal ◽  
...  

Abstract

Cyber Operational Risk: Cyber risk is routinely cited as one of the most important sources of operational risks facing organisations today, in various publications and surveys. Further, in recent years, cyber risk has entered the public conscience through highly publicised events involving affected UK organisations such as TalkTalk, Morrisons and the NHS. Regulators and legislators are increasing their focus on this topic, with General Data Protection Regulation (“GDPR”) a notable example of this. Risk actuaries and other risk management professionals at insurance companies therefore need to have a robust assessment of the potential losses stemming from cyber risk that their organisations may face. They should be able to do this as part of an overall risk management framework and be able to demonstrate this to stakeholders such as regulators and shareholders. Given that cyber risks are still very much new territory for insurers and there is no commonly accepted practice, this paper describes a proposed framework in which to perform such an assessment. As part of this, we leverage two existing frameworks – the Chief Risk Officer (“CRO”) Forum cyber incident taxonomy, and the National Institute of Standards and Technology (“NIST”) framework – to describe the taxonomy of a cyber incident, and the relevant cyber security and risk mitigation items for the incident in question, respectively.

Summary of Results: Three detailed scenarios have been investigated by the working party:

∙ Employee leaks data at a general (non-life) insurer: Internal attack through social engineering, causing large compensation costs and regulatory fines, driving a 1 in 200 loss of £210.5m (c. 2% of annual revenue).
∙ Cyber extortion at a life insurer: External attack through social engineering, causing large business interruption and reputational damage, driving a 1 in 200 loss of £179.5m (c. 6% of annual revenue).
∙ Motor insurer telematics device hack: External attack through software vulnerabilities, causing large remediation / device replacement costs, driving a 1 in 200 loss of £70.0m (c. 18% of annual revenue).

Limitations: The following sets out key limitations of the work set out in this paper:

∙ While the presented scenarios are deemed material at this point in time, the threat landscape moves fast and could render specific narratives and calibrations obsolete within a short time frame.
∙ There is a lack of historical data to base certain scenarios on and therefore a high level of subjectivity is used to calibrate them.
∙ No attempt has been made to make an allowance for seasonality of renewals (a cyber event coinciding with peak renewal season could exacerbate cost impacts).
∙ No consideration has been given to the impact of the event on the share price of the company.
∙ Correlation with other risk types has not been explicitly considered.

Conclusions: Cyber risk is a very real threat and should not be ignored or treated lightly in operational risk frameworks, as it has the potential to threaten the ongoing viability of an organisation. Risk managers and capital actuaries should be aware of the various sources of cyber risk and the potential impacts to ensure that the business is sufficiently prepared for such an event. When it comes to quantifying the impact of cyber risk on the operations of an insurer there are significant challenges, not least that the threat landscape is ever changing and there is a lack of historical experience to base assumptions off. Given this uncertainty, this paper sets out a framework upon which readers can bring consistency to the way scenarios are developed over time. It provides a common taxonomy to ensure that key aspects of cyber risk are considered and sets out examples of how to implement the framework. It is critical that insurers endeavour to understand cyber risk better and look to refine assumptions over time as new information is received. In addition to ensuring that sufficient capital is being held for key operational risks, the investment in understanding cyber risk now will help to educate senior management and could have benefits through influencing internal cyber security capabilities.

2020 ◽  
Vol 4 (4) ◽  
pp. 40
Author(s):  
Hossein Hassani ◽  
Stephan Unger ◽  
Christina Beneki

This article investigates the impact of big data on the actuarial sector. The growing fields of applications of data analytics and data mining raise the ability for insurance companies to conduct more accurate policy pricing by incorporating a broader variety of data due to increased data availability. The analyzed areas of this paper span from automobile insurance policy pricing, mortality and healthcare modeling to estimation of harvest-, climate- and cyber risk as well as assessment of catastrophe risk such as storms, hurricanes, tornadoes, geomagnetic events, earthquakes, floods, and fires. We evaluate the current use of big data in these contexts and how the utilization of data analytics and data mining contribute to the prediction capabilities and accuracy of policy premium pricing of insurance companies. We find a high penetration of insurance policy pricing in almost all actuarial fields except in the modeling and pricing of cyber security risk due to lack of data in this area and prevailing data asymmetries, for which we identify the application of artificial intelligence, in particular machine learning techniques, as a possible solution to improve policy pricing accuracy and results.


2018 ◽  
Vol 43 (02) ◽  
pp. 417-440 ◽  
Author(s):  
Shauhin A. Talesh

While data theft and cyber risk are major threats facing organizations, existing research suggests that most organizations do not have sufficient protection to prevent data breaches, deal with notification responsibilities, and comply with privacy laws. This article explores how insurance companies play a critical, yet unrecognized, role in assisting organizations in complying with privacy laws and dealing with cyber theft. My analysis draws from and contributes to two literatures on organizational compliance: new institutional organizational sociology studies of how organizations respond to legal regulation and sociolegal insurance scholars' research on how institutions govern through risk. Through participant observation at conferences, interviews, and content analysis of insurer manuals and risk management services, my study highlights how insurers act as compliance managers for organizations dealing with cyber security threats. Well beyond pooling and transferring risk, insurance companies offer cyber insurance and unique risk management services that influence the ways organizations comply with privacy laws.


2020 ◽  
Vol 2020 ◽  
pp. 1-10 ◽  
Author(s):  
Ciyu Nie ◽  
Jingchao Li ◽  
Shaun Wang

In this paper, we assume the security level of a system is a quantifiable metric and apply the insurance company ruin theory in assessing the defense failure frequencies. The current security level of an information system can be viewed as the initial insurer surplus; defense investment can be viewed as premium income resulting in an increase in the security level; cyberattack arrivals follow a Poisson process, and the impact of attacks is modeled as losses on the security level. The occurrence of cyber breach is modeled as a ruin event. We use this framework to determine optimal investment in cyber security that minimizes the total cyber costs. We show by numerical examples that there is an optimal allocation of total cyber security budget to (1) IT security maintenance/upkeep spending versus (2) external cyber risk transfer.


2021 ◽  
Vol 12 ◽  
Author(s):  
Ahmed A. Moustafa ◽  
Abubakar Bello ◽  
Alana Maurushat

Information security has for a long time been a field of study in computer science, software engineering, and information communications technology. The term ‘information security’ has recently been replaced with the more generic term cybersecurity. The goal of this paper is to show that, in addition to computer science studies, behavioural sciences focused on user behaviour can provide key techniques to help increase cyber security and mitigate the impact of attackers’ social engineering and cognitive hacking methods (i.e., spreading false information). Accordingly, in this paper, we identify current research on psychological traits and individual differences among computer system users that explain vulnerabilities to cyber security attacks and crimes. Our review shows that computer system users possess different cognitive capabilities which determine their ability to counter information security threats. We identify gaps in the existing research and provide possible psychological methods to help computer system users comply with security policies and thus increase network and information security.


2020 ◽  
Vol 3 (156) ◽  
pp. 80-87
Author(s):  
M. Vasilenko ◽  
O. Kozin ◽  
M. Kozina ◽  
V. Rachuk

As a result of remote control and automation, urban infrastructure has become extremely vulnerable to a growing number of intrusions, attacks, human errors and accidents. Due to the concentration of local and global computer networks, systems and software, the “cyber risk” of the municipal economy is multiplicative, which makes it systemic and international. Its essence is manifested both at the national and global levels through the impact on business, municipal and state authorities. Today, the ongoing pandemic contributes to an increase in the number of cyberattacks, which indicates an even greater cyber vulnerability of municipal administrations and public authorities. Coronavirus COVID-19 has become a tool for hacker attacks on users and enterprises. The purpose of the article is, based on a systematic analysis of the new cyber risks of the municipal economy that arose during the pandemic, to formulate our own views on their classification and on methods of counteraction for municipal organizations and enterprises. According to experts, since the beginning of this year, thousands of domains associated with coronavirus have been registered in the world. This number also includes sites of various hacker groups that offer information about coronavirus, masks, or quick treatment methods. In fact, these phishing sites are used by hackers to extort money or to steal confidential as well as commercial information. The main types of attacks that increase the threat and actually create a "cyber infection" are noted. Based on the material of this article and the experience of the authors, measures are proposed that ensure the safety of municipal enterprises and that should be carried out first. Strict measures in IT management during a crisis are also recognized as undeniable and necessary, such as help from cyber experts and help for cyber experts, preservation of evidence of intrusion, staff training, and accumulation of experience to accelerate progress in work. Remote work during a pandemic can make it difficult for IT staff to monitor cyber risks, since many of these risks go beyond the financial or technical capabilities of municipalities. Therefore, based on these proposals for the safety of municipal enterprises, an integrated approach to cyber risks is proposed, including an emergency response plan. Based on international experience, the possibility of insuring municipal enterprises and organizations against potential losses associated with cyber attacks by hackers, as well as against the cost of eliminating the consequences of these attacks, is also noted.

Keywords: cyber-security, cyber-risk, municipal economy, “phishing”, pandemic, Covid-19


2019 ◽  
Vol 109 ◽  
pp. 482-487 ◽  
Author(s):  
Anil K. Kashyap ◽  
Anne Wetherilt

We explain why cyber risk differs from other operational risks in the financial sector. The form of cyber shocks differs because of their intent, probability of success, possibility of a hidden phase, and evolving form of the risks. The impact differs because problems can spread quickly and because uncertainty over the possibility of a hidden phase can impact responses. We explain why private incentives to attend to these risks may differ from societies' preferences and develop six (micro- and macroprudential) regulatory principles to deal with cyber risk.


2004 ◽  
Vol 10 (5) ◽  
pp. 919-1012 ◽  
Author(s):  
Michael Howard Tripp ◽  
H. L. Bradley ◽  
R. Devitt ◽  
G. C. Orros ◽  
G. L. Overton ◽  
...  

Abstract

The paper overviews the application of existing actuarial techniques to operational risk. It considers how, working in conjunction with other experts, actuaries can develop a new framework to monitor/review, establish context, identify, understand and decide what to do in terms of the management and mitigation of operational risk. It suggests categorisations of risk to help analyses and proposes how new risk indicators may be needed, in conjunction with more normal quantification approaches.

Using a case study, it explores the application of stress and scenario testing, statistical curve fitting (including the application of extreme value theory), causal (Bayesian) modelling and the extension of dynamic financial analysis to include operational risk. It suggests there is no one correct approach and that the choice of parameters and modelling assumptions is critical. It lists a number of other techniques for future consideration.

There is a section about how ‘soft issues’ including dominance risk, the impact of belief systems and culture, the focus of performance management systems and the psychology of organisations affect operational risk. An approach to rating the people aspects of risk in parallel with quantification may help give a better overall assessment of risk and improve the understanding for capital implications.

The paper concludes with a brief review of implications for reporting and considers what future work will help develop the actuarial contribution. It is hoped the paper will sow seeds for the development of best practice in dealing with operational risk and increase the interest of actuaries in this emerging new topic.


2020 ◽  
Vol 12 (10) ◽  
pp. 4040
Author(s):  
Francisco Zabala Aguayo ◽  
Beata Ślusarczyk

The study aims to investigate threats that might occur in diversification management, operational risks of banking services in the process of digitalization, as well as the impact on customers and banks. The right choice of a risk management model for a bank plays an important role in the sustainable development of competitiveness and the transformation of banking activities in the future. This work assesses bank risks and determines information risks in relation to the total capital of Santander Bank of Spain. The authors adapted an operational risk management (ORM) model to minimize the risks of the bank’s digitalization and upcoming operational risks. The ratio of the total operational risk to the total bank’s capital was 0.65%, which is below the permissible minimum value and is acceptable. Based on this indicator, diversification of business risks can be applied. As a result of the study, the total value of operational risks was calculated and the acceptability of this indicator to the capital of Santander Bank was assessed, which allowed the authors to assess whether the value was critical. In addition, it was also revealed that the main external risk of Santander Bank in 2018 was fraud in the use of online payments. The results might help to more effectively evaluate insurance payments for identified operational risks and effectively make decisions and optimize reporting documents of banks.


2012 ◽  
Vol 2012 ◽  
pp. 1-57
Author(s):  
E. Karam ◽  
F. Planchet

A new risk was born in the mid-1990s known as operational risk. Though its application varied by institutions—Basel II for banks and Solvency II for insurance companies—the idea stays the same. Firms are interested in operational risk because exposure can be fatal. Hence, it has become one of the major risks of the financial sector. In this study, we are going to define operational risk in addition to its applications regarding banks and insurance companies. Moreover, we will discuss the different measurement criteria related to some examples and applications that explain how things work in real life.

