There is a notable degree of variability across cyber catastrophe vendor model outputs, according to a recent study which revealed a number of parameters driving discrepancies, including revenue, industry sector classification and differing treatment of specific coverages.
Guy Carpenter’s report, titled Under the Lens: Investigating Cyber Vendor Model Divergence, investigates the key drivers of cyber catastrophe model differences using advanced predictive analytics to create an informed view of risk.
It stated: “While significant progress has been made in advancing cyber catastrophe vendor models over the past decade, a notable degree of variability across model outputs still exists.”
The research analysed three major cyber catastrophe models – Guidewire Cyence, CyberCube, and Moody’s RMS – to uncover the key factors that affect modelled loss differences.
It uncovered a number of parameters driving these differences, which included revenue, industry sector classification and differing treatment of specific coverages.
Jess Fung, North America Cyber Analytics Lead, Guy Carpenter, said: “Vendor models’ results are gradually converging over time as more credible data points become available for calibration and validation.
“However, a notable degree of variability across model outputs still exists, which can pose a challenge to insurance and reinsurance companies as they formulate a unique view of risk. Our report serves as a starting point in investigating and addressing this challenge.”
According to the report, revenue was the clear driver of loss variability across the three tested vendor models.
The study found that annual revenue input results in the highest modelled loss differences, with the greatest model divergence concentrated in the nano (under USD 1 million) and micro (USD 1 million to USD 5 million) revenue bands.
The report noted that cyber risk data for larger organisations is readily accessible but there is a clear reduction in the information available on smaller and micro risks leading to greater variability in modelling.
Additionally, the study flagged that a deeper understanding of the relative treatments of low-revenue organisations by the vendor models will be essential to the alignment of internal views of risk to vendor views and predicted that increased penetration of cyber in nano and micro markets will lead to better data and reduced variability in modelling going forward.
The second most impactful driver of model variability is industry sector classification.The report noted that industry sectors use a range of technologies and differ in how they carry out their business. Different sectors may also vary in their security posture, resiliency, and attractiveness to threat actors – all factors that affect the modelling.
Analysts highlighted that the different classification approach taken by each vendor model leads to additional variability.
Finally, the report identified differing interpretations and treatments of the Ransomware & Extortion coverage indicator for the models – which are also the top event drivers for modelled losses across vendors.
It highlighted the fact that cyber policies are written with differing coverages using diverse definitions for each, it stated that until this becomes more standardised, there will continue to be challenges in aligning policy wordings with available model functionality.
Moreover, Regulatory Defense & Fines coverage, like Ransomware & Extortion, is indicative of the varying views on coverage options by the vendor models but also illustrates the differing approaches taken in defining cyber scenarios, the report pointed out.
Erica Davis Global Co-head of Cyber, Guy Carpenter, said: “By marrying cyber catastrophe modelling expertise and predictive analytics, this study helps insurers and reinsurers identify market segments where the model view of risk is most divergent.
“This will result in more confidence for insurers and reinsurers in making decisions about their deployment of capacity, which ultimately supports the cyber industry’s sustainable growth forward.”
