
Capital requirements for cyber risk and cyber risk insurance: an analysis of Solvency II, the U.S. Risk-Based Capital Standards, and the Swiss Solvency Test. (English) Zbl 1454.91181

Summary: Cyber risk is becoming more significant for insurance companies in both underwriting and operational risk terms, but the characteristics of cyber risk are still not yet well understood. We contribute to the literature by analyzing the role of cyber risk in insurance regulation frameworks. The aggregated cyber risk exposure of an insurer is estimated by fitting different marginal distributions and dependence models to historical cyber losses. This aggregated cyber exposure allows us to derive the insurer’s survival probability and compare it with the goals of regulatory frameworks, such as the U.S. Risk Based Capital (RBC) or Solvency II (SII). Our findings indicate that regulatory models underestimate the potential risks associated with cyber threats. This is especially true for small cyber insurance portfolios, which are predominant in practice today. Regulatory models should be adapted to account for the heavy tails and dependence structure specific to cyber risks, instead of assuming “one size fits all”.

MSC:

91G05 Actuarial mathematics

Software:

gPdtest; QRM
