Now showing 1 - 1 of 1
No Thumbnail Available
Publication

Essays on Modeling, Management, and Regulation of Cyber Risk

2020 , Schnell, Werner

While new information technologies (IT) have brought opportunities and prosperity, the flip side of the coin is that these technologies have increased society's reliance on and vulnerability to them. Every interruption in the confidentiality, integrity, and availability of data and services can have severe consequences. Such threats, termed cyber risk, can comprise large-scale data breaches or the breakdown of critical IT systems and can spread quickly around the globe. Due to its emerging nature, the extant academic literature on cyber risk is scarce and our knowledge is quite limited. My doctoral thesis is composed of four essays, all aiming to improve our understanding of cyber risk and derive recommendations for action. The first essay sets the stage by providing an in-depth discussion of cyber risk. Starting with a systematic literature review, we derive what we know about cyber risk, how it can be modeled, and the obstacles when it comes to insuring against cyber risk. We find that the data quality with respect to cyber risk is not satisfactory and, consequently, academics and practitioners lack sound risk models. Managing and pricing cyber risk especially hinders the development of a cyber insurance market. Moreover, we find that cyber insurance peculiarities such as small portfolio sizes, heavy tails, high and potentially nonlinear correlations, and risks of change (parameter and model risk) additionally present obstacles to the development of a cyber insurance market. This paper has been published in the Journal of Risk Finance. The second essay uses the findings of the first one and analyzes the consequences for risk management. It contrasts the characteristics in cyber risk data with the regulatory models Solvency II, US risk-based capital (RBC), and Swiss solvency test. We identify the shortcomings of the regulatory models from both an operational and underwriting cyber risk perspective. The models applied to cyber risk do not guarantee the shortfall probability the regulator aims for. Especially for small portfolio sizes and high cover limits, the heavytailedness and high dependency in cyber risk reduce the merits of diversification and consequentially lead to lower survival probabilities. In general, we find that the current regulatory models are not well equipped to handle cyber risk. The third essay models the cyber insurance market and analyzes the interaction of demand and supply as a function of the portfolio (and market) size. We show that previously identified cyber risk characteristics, such as strong tail dependence, high costs, information asymmetries, and modeling risk, lead to a market trap. This describes a situation in which it is not optimal for insurers and insurees to start transferring cyber risks and a market does not develop. Since beyond a minimum market size the trap can resolve, insurers are advised to pool their risks with other insurers, and governments should incentivize such behavior. Moreover, sharing data on cyber risk can reduce the modeling risk, and IT security standards can mitigate asymmetric information. The last essay analyzes the dependence between cyber risks (policy) and systemic components in more detail. Due to incomplete datasets, modeling dependence and frequency distributions is challenging. Because the inductive approach of network pandemics allows one to model the spreading of threats across entities (policyholders), it can fill in the missing data with model estimates. Our results show that the existing actuarial dependence models, such as linear correlation and copulas, and frequency distribution, such as binomial and Poisson distribution, systematically misjudge cyber risks. This implies that regulatory capital models underestimate the strength and non-linearity of dependence. Moreover, network pandemics allow for analysis of systemic events and worst-case scenarios. In addition, insurers can differentiate premiums based on the connectivity and IT security levels of the policyholder. This enables risk adequate pricing and internalization of systemic costs.