Essec Business School

With ESSEC Knowledge Editor-in-chief

The threat of cyber risk is omnipresent: one might say it is virtually impossible to go a week without hearing about it, from Russian interference in the US election to prominent cyberattacks on hospitals and local councils in France. The ongoing war in Ukraine and the COVID-19 pandemic showed just how much we rely on IT solutions to communicate and work – and our vulnerability when hackers strike. Marie Kratz, Professor of probability & statistics at the IDS department at ESSEC and director of the ESSEC CREAR, and Michel Dacorogna, an expert in risk management, recently presented an overview of the latest advancements in the field of cyber risk in an invited review paper published in the Scandinavian Actuarial Journal (1).

One challenge when it comes to managing cyber risk is just how quickly the technology changes: yesterday’s solutions can be useless for tomorrow’s problems. The Swiss National Cyber Security Centre NCSC recorded a 227% increase in the number of attacks reported to them between 2021 and 2023.  Our world is highly interconnected, with only a few providers dominating the global cloud service market and operating systems. This creates systematic risk, where all consumers share the risk – the only way to avoid it would be to stay offline, which is easier said than done in 2024. Dr. Kratz notes, “As a result, modelling this risk needs to consider our highly connected world”.

What is cyberspace?

While cyberspace is virtual, it has a concrete impact on society and is governed by many of the same rules: this means we can view it as another realm, much like land, air, and the sea. There are several entities operating in the cyber realm, including government agencies, special interest groups, corporations, and individuals.

Evaluating cyber risk

Finding the right data is a challenge when evaluating cyber risk. Victims of cyberattacks can be hesitant to disclose the details of the attack, worried about bad publicity. This is starting to change with the increase of regulatory bodies and cyber insurance. The researchers also note that cyberattacks are increasingly financially damaging, with the demand for ransoms skyrocketing. These attacks are also increasingly sophisticated: as cyber security improves, so do the hackers’ skills, driven by the substantial rewards of their activities.

It is also challenging to provide insurance or valuation since the hackers tend to go after intangible targets, like reputation or elections, making financial consequences hard to evaluate. Currently, insurers tend to cap the possible compensation for these losses, while companies are asking for more cover.

The complexity of cyberattacks is further heightened by their potential to cause widespread problems in our interconnected global landscape, where an assault on one target can set off a chain reaction affecting others.  The researchers also note that cyber risk carries a strong political risk: it can impact geopolitical outcomes and hospitals, for example. This means that cybercrimes are heavily mediatized and can result in reduced trust in governments if improperly handled.

Collectively, these distinctive features complicate the application of traditional actuarial methods for assessing cyber risk. Nevertheless, the authors point out that analyzing extreme risks is a first viable approach to tackle this challenge. The researchers outline five types of models for cyber risk: actuarial models, stochastic models for risk contagion, data-driven (AI) models, exposure models and game theory based models. They also emphasize the significance of integrating  AI techniques with traditional probabilistic modeling, noting that such a blend can yield more dynamic models. This approach is particularly crucial in light of the rapidly evolving nature of the cyber risk landscape.

From risk to resilience

A more adequate concept has emerged: “cyber resilience”. It is the notion that security breaches are inevitable, and therefore, organizations should concentrate on enduring and recovering from these incidents, rather than solely on their prevention. This involves designing a strategy that addresses the risk environment, applicable processes and technology, and relevant actors. Governments in particular need to be doing this: the European Union has recognized it and proposed the cyber resilience act proposal. Specifically, cyber resilience includes:

• Investing in preventative measures
• Detecting issues faster
• Fixing issues more quickly
• Improving systems to reduce the impact of breaches
• Ensuring that companies can access cash to prevent bankruptcy and ensure continued ability to pay bills and employees in the case of a breach.

The latter especially points to the need for insurance, despite the challenges insurers face in providing adequate cover. To facilitate this process, Dacorogna and Kratz suggest collecting data on cyber risk, developing probabilistic models to assess it, partnering with cyber security firms, and developing commercial models (as is already done for natural catastrophes). Insurers already cover data and systems recovery, data protection, IT forensics, crisis management, ransomware, and business interruption (to ensure continued services), with the latter identified as a key need. However, afflicted customers have complained that the settlement time is too long and insurers try to worm their way out of payments.

Professor Kratz recently co-organized a workshop in Paris bringing together a wide international panel of specialists (among them from Microsoft, the American Academy of Actuaries, the French ANSSI, Gendarmerie Nationale and the European ENISA), in which attendees discussed the following topics:

• Progress in generative AI that could be both a threat and a weapon against cyber attacks
• Efforts at the European level to coordinate cyber defence and research on cyber risk
• The application of game theory to filter attacks
• New qualitative methods to assess cyber risk in complex systems in view of improving cyber security.

With the speed at which our world is undergoing technological changes, it is no wonder that our understanding of cyber risk and how to insure it has struggled to keep up. Dr. Kratz and Dr. Dacorogna highlight recent advancements, including shifting our mindset to cyber resilience, identifying questions to be addressed, and what the cyber risk landscape could look like.

References

1.   M. Dacorogna & M. Kratz (2023). Managing cyber risk, a science in the making, Scandinavian Actuarial Journal 10, pp. 1000-1021

2. See crear.essec.edu/crear-events/conferences-workshops/cyber-conference-2023