First open source cyber scenario released by AIR Worldwide during RIMS 2016

SAN DIEGO — Catastrophe modelling firm AIR Worldwide has launched what it calls the first open source deterministic cyber risk scenario, a move meant to help individual companies and the insurance industry as a whole better understand aggregated risk from large-scale cyber attacks.

Used in conjunction with the company’s data schema, cyber scenarios “will serve as practical examples to help perform deterministic scenario modelling of an insurer’s or reinsurer’s book of business,” notes a statement from AIR Worldwide, a Verisk Analytics business, released Monday during the RIMS 2016 conference and exhibition in San Diego from Apr. 10 to 13.

“Our main target audience is the insurance industry and people who deal with the insurance industry,” Scott Stransky, assistant vice president and principal scientist for AIR Worldwide, told Canadian Underwriter in advance of the conference. “The RIMS conference seemed like a good opportunity to promote our data standard and the new scenarios we have to offer,” Stransky said.

There is currently a lot of demand in the market, he pointed out, adding that the scenarios could be applicable to every insurer and even reinsurers.

“If you have a book of business, even if it’s not explicitly for cyber, you may have some cyber risk built into that book and you’d be very interested to see if one of these scenarios happened, what could I potentially lose,” he suggested.

The open-source cyber scenarios – which will be posted on AIR Worldwide’s website in SQL (Structured Query Language) – will include detailed descriptions of potential cyber events and be accompanied by SQL scripts. Based on the open source Verisk Cyber Exposure Data Standard, the scripts will capture the event’s severity and loss potential, notes a press release from AIR Worldwide.

“Anyone who wants to can download our database schema, which is also in SQL, begin to populate it with their exposures and then run the scenario we’re going to provide against that book of business,” Stransky said in an interview. “By offering this scenario for free, we hope to encourage people to adopt our standard,” which is also open source, “so you can actually change the assumptions underlying it,” he said.

The first cyber scenario to be released “will consist of a major cloud service provider experiencing downtime for several days, resulting in significant business interruption losses for its customers,” notes the AIR Worldwide statement.

Explaining that such a scenario “has the potential for revealing significant aggregation risk within an insurer’s book,” the company adds “using the scenarios, deterministic loss estimates can be studied for aggregations on cloud providers, payment processors, accidental breaches, black-outs, encryption quality and more.”

Stransky told Canadian Underwriter that underlying assumptions can be changed, such as the length of downtime for a provider, what provider is affected or financial module assumptions. In addition, being in SQL allows users “to modify on their own to really meet their own business needs,” he said.

“These open source deterministic cyber scenarios will supplement the number and variety of cyber scenarios that companies are currently managing, allowing the insurance industry to begin to truly understand their aggregated risk from large-scale cyber attacks that could lead to catastrophic accumulated losses,” Stransky says in the company statement.

The cloud scenario is the first of a series of deterministic cyber scenarios, with the plan being to release about 12 scenarios over the next year. Both the scenario timing and topics will be driven by client demand, Stransky said in an interview, but added the first three will deal with a cloud breach, payment processor issue and an accidental breach.

The second scenario is “especially important for the small businesses” that rely on such processors to “basically collect all of their revenue,” Stransky said.

AIR Worldwide has also expanded its cyber risk consulting practice to “help clients augment the cyber exposure information in their existing books of business and to produce custom reports on aggregation risk and the probability of breach,” AIR Worldwide reports.

“We’ll take their (insurers) data that they do have and enhance it with our other data sources,” Stransky explained. Once enhanced, “we can then run the same open source SQL query, but it’s now at a much more robust data set,” he said, adding that the enhanced data would then be sent back to the client.

More coverage of RIMS 2016 Annual Conference & Exhibition in San Diego

San Diego schools, students beneficiaries of 2016 RIMS Community Service Day

New mobile app from Zurich to help companies assess, manage risk

Forecasting emerging risks expected to get tougher: Marsh/RIMS report