Cyber Predictions: You Don’t Know…

Posted on by Barry

I believe that there are many unknowns in the Cyber Age. You can flash back to the 2X2 of “known-knowns”, “known-unknowns”, “unknown-knowns” and “unknown-unknowns” but I want to keep it somewhat straightforward.

That’s why I show the illustrative visualization below. It’s my attempt of showing a relatively straight-forward visualization, a 2-dimensional visualization at that, of the Nth dimensional cyber-attack space at an instance of time. Essentially, the Nth dimensional cyber-attack space can not be visualized. This visual is my feeble attempt to capture what a 2D snapshot in time of the Nth dimensional cyber-attack space might look like.

For me, the cyber-attack space is not only Nth dimensional, but it perpetually unfolds in multiple dimensions and multiple directions each instance that:

  • a digital artifact is connected to the web;
  • a physical artifact, with embedded telco capabilities and/or digital content, is connected to the web;
  • an animal with an IP-sensor embedded on it or embedded in it, is connected to the web;
  • an insect with an IP-sensor embedded in it is connected to the web; or
  • a medicine with an IP-sensor embedded in it – and swallowed by a human – is connected to the web; or
  • any of the above is connected to one or more of the others on the list and one of the items of the new connection is (or has been) connected to the web.

When any of the above – or some combination or all of the above – occurs, then I believe that the visualization represents a changed 2D snapshot in time of the never-ending, always-unfolding Nth dimensional cyber attack space.

I agree that data – representing various attributes of potential emerging cyber risks and cyber risk losses – exists at each point (points not visible in the illustration) – and, data spread in various regions (also not shown) – exist on the cyber attack space which stretches into infinity. I also believe that data associated with points or areas of the never-ending, always-unfolding cyber-attack space changes as the unfolding unfolds. The values of the data are not static because the cyber-attack space is not static.

As an aside, that means that I don’t believe the cyber-attack space will ever stabilize nor will the ‘market’ of cyber risks or cyber-attacks ever mature.

But I believe “you don’t know” (the “you” being quants whether working for (re)insurers, cyber loss modeling firms, insurance broker firms or law firms with quantitative staff, management consultancies, analyst firms, …):

  1. When a cyber-attack is going to happen;
  2. What enterprise is or which enterprises are (whether the same enterprise or multiple enterprises which are members of an ecosystem) going to be cyber-attacked;
  3. How many times the same cyber prey will be cyber-attacked (and with what time interval between the cyber-attacks);
  4. Where on the planet a cyber-attack is going to happen;
  5. If multiple enterprises on the planet are going to be cyber-attacked simultaneously;
  6. The nature of the cyber-attack that is going to happen whether the cyber-attack will happen to one enterprise or to multiple enterprises;
  7. The “quality” of the data of previous – historic data – about one or more cyber-attacks to predict any of the above 1-6 unknowns (e.g., you don’t know how accurate your cyber loss models really are going to be);
  8. The magnitude of potential cyber losses associated with any of the above items 1 – 6;
  9. The length of the cyber tail losses from any of the above items 1-6.

My above comments also serves as my context to not believe any cyber modeling or cyber advisory firm that states “we can stop X% of cyber-attacks or stop Y% of cyber-attacks of a certain nature (e.g., ransomware attacks)”. I also don’t believe any firm believing that historic data can be used to predict future types of cyber-attacks or estimate future magnitudes of cyber losses.

I can hear insurance professionals telling me that “we’ve successfully – profitably – sold cyber insurance for 20 years !” Yes, but … Yes, but the cyber risks of 20 years ago were simpler (and I’d hypothesize, had more of a ‘short tail’ ) and were less complex than current cyber risks are and certainly future cyber risks will be. Loss ratios, and the attendant combined ratios, will increase in not that short a time to unprofitable levels.

Two of the “tells” for me (of the profitability of the cyber market disintegrating for insurers), are:

  1. Insurance professionals (who in their guts know that systemic cyber events are a very serious financial problem for insurers who care about CRs under 100%) wanting insurers to wait until “the industry agrees” on the definition of what “systemic cyber events” are on the entire industry level; and
  2. Quicker involvement of capital market players in cyber financing, inclusive of reinsurers and primary insurers looking for more involvement of capital market players (I agree I could be wrong about this point – perhaps someone could tell me about the speed of entry of capital market players getting involved in other commercial P&C insurance lines).

If (re)insurers and brokers begin to “market” captive programs, that would be a third “tell” for me that (re)insurers want to limit their own financial capacity exposed to losses from cyber events.

Time will tell, as they say, but I don’t think we’ll need to wait too long for insurers to back away from the cyber market.

Leave a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.