A PRESENTATION TO

CAS 2015 Reinsurance SeminarAssessing & Reinsuring Cyber Risks

Dr Raveem Ismail DPhil, MSc by Research, MPhys (Oxon), MInstP

Ariel Re (Bermuda)

raveem.ismail@arielre.com

2

Relevant background

Oxford. Physics and Atmospheric Physics (microphysical modelling, volcanoes, aviation emissions, cirrus cloud).

Exclusive Analysis (now part of IHS). Political Risk/Violence consulting.

Aon Benfield. Terrorism Model Lead.

Validus/Talbot. Terrorism & War Underwriting Analyst.

Ariel Re. Specialty Treaty Underwriter.

3

The cyber insurance market

Not new.

Exclusions: NMA 2914, NMA 2915, CL 380.

Lloyd’s risk code CY in 2013.

No longer purely an FI / privacy hacking issue.

Focus now: “malicious” cyber, and BI not just PD.

4

Attributes

The parallels with natural hazards do not hold.

Exposure is rapidly changing, and is connected in hidden ways: non-geographic accumulation*.

The parallels with physical assets do not hold either.

Self-certification is not an option!

Therefore difficult to model:

“The current state of cyber modeling is like trying to use the count of arrests for a crime to figure out the dollar losses from theft. They are

related, but not in all the ways you want…”**.* http://www.gccapitalideas.com/2014/10/21/costs-of-cyber-attacks/ ** http://www.riskandinsurance.com/cyber-risk-models-remain-elusive

5

A few cyber developments

Internet Of Things (IOT). E.g., surgical devices*.

Hacking even “air-gapped” (physically isolated) networks, systems and devices possible.

Many sophisticated actors. Including governments**.

Post-Snowden behavior changes: minimal/non-existent***.

Potential catastrophes: aeroplane hacking^, Equation Group^^.

* http://money.cnn.com/2013/04/08/technology/security/shodan/index.html , http://www.technologyreview.com/view/537001/security-experts-hack-teleoperated-surgical-robot / ** http://www.bbc.com/news/uk-28623365 *** http://cacm.acm.org/magazines/2015/5/186025-privacy-behaviors-after-snowden/fulltext^ http://www.wired.com/2015/04/twitter-plane-chris-roberts-security-reasearch-cold-war / , http://arstechnica.com/security/2015/05/alleged-plane-hacker-said-he-pierced-boeing-jets-firewall-in-2012 / ^^ http://arstechnica.com/security/2015/03/new-smoking-gun-further-ties-nsa-to-omnipotent-equation-group-hackers / , http://arstechnica.com/security/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last / , http://www.kaspersky.com/about/news/virus/2015/equation-group-the-crown-creator-of-cyber-espionage

6

Thoughts for the future

Not an opportune point in the insurance cycle.

Yet to see a credible cost-effective accumulation method and auditing process for insureds.

Loss experience needed.

Work with governments and credible third parties.

Data, when it comes, should come quickly.