Cyber exposure data standard released

By Canadian Underwriter | January 19, 2016 | Last updated on October 30, 2024
The insurance industry now has a global cyber exposure data standard.

The standard will help create a uniform method for data transfer across the insurance value chain, Verisk said in a press release. Verisk’s catastrophe modelling business, AIR Worldwide, has also developed a preparer’s guide to assist companies in collecting and storing the necessary cyber exposure data in an open format suitable for modelling.

Risk Management Solutions, Inc. (RMS) said in a statement that the Cyber Exposure Data Schema, developed in collaboration with the Centre for Risk Studies at Cambridge University and with support from some insurance and reinsurance companies, “provides firms with a standardized approach to identifying, quantifying and reporting cyber insurance exposure.”

The schema is supported by RMS, Amlin Plc, Aon Benfield, AXIS Capital, Barbican Insurance Group, Canopius Managing Agents Ltd., RenaissanceRe Holdings, Talbot Underwriting and XL Catlin.

The schema is both model agnostic and compatible with any exposure management system and will enable firms to:

  • Share and transfer information about exposures in a consistent and standardized format for risk transfer transactions, benchmarking exercises, and regulatory reporting;
  • Report exposure aggregates by different types of coverage and potential loss characteristics to a level of granularity that can inform risk appetite decisions;
  • Assess and monitor risk appetite by estimating losses from accumulation scenarios, or other types of risk models, to the exposure recorded; and
  • Clarify silent or affirmative covers by identifying insurance policies with ambiguity in whether they would pay out in the event of a cyber incident.

Many of the fields in the data standard are optional to provide flexibility for companies that collect different types of information or at different levels of detail, Verisk said in the release. For example, an “info by country” table allows for the collection of several data fields for separate countries and a “reinsurance table” contains fields for insurance policy conditions. The only mandatory field is an “organization table,” which includes basic information like industry, revenue, recovery plans and other organization-wide items that may already be in place.

The preparer’s guide will assist companies in collecting and storing the data, the release said, adding that “many client organizations, including companies in the insurance, broker and reinsurance industry, have reviewed the standard and provided valuable input.”

Cyber risk has become the fastest-growing peril over the past year and the ability to analyze cyber risk accurately requires a full understanding of the cyber exposure data. “It is imperative that companies capture this data in a common format that can be used by organizations across the insurance value chain,” the Verisk release said. “It is also crucial that the exposure data standard used today and in the future be robust enough for organizations to grow into.”

“Verisk and AIR have developed a comprehensive data standard containing the critical parameters that must be captured to assess a company’s risk from cyberattacks,” said Nigel Pearson, global head of fidelity, Allianz Global Corporate & Specialty SE. “Collecting and storing this data forms a basis for analyzing accumulated risk, and Allianz can immediately begin leveraging AIR’s preparer’s guide to determine which additional parameters we should start capturing. We look forward to applying the standard for modelling when the AIR cyber risk model is complete.”

Tom Bolt, director, performance management, Lloyd’s of London, added that it is essential that the industry has good-quality standardized data to track exposures. “I am delighted that AIR has collaborated with us to help standardize some common data requirements and that their new data schema incorporates this.”

In addition, AIR has developed an SQL implementation to allow organizations to begin to use the standard in their enterprises. In the coming months, AIR aims to provide SQL scripts that can be used for deterministic scenario analysis and accumulation analysis.

“AIR Worldwide’s forthcoming probabilistic cyber risk model will serve to help insurers and reinsurers manage accumulations of cyber risk as well as assess and evaluate the risk of individual contracts,” said Scott Stransky, manager and principal scientist at AIR Worldwide. “The preparer’s guide represents a key first step in the development of a common cyber exposure data standard that better enables companies to capture the correct data and store it in a format usable in the forthcoming AIR model. The innovative cyber risk model will be critical to better understanding the financial implications of cyberattacks, including the aggregation risk associated with a megascale attack.”

RMS senior vice president, Andrew Coburn, added that the Cyber Exposure Data Schema is one component of its four-part cyber risk management framework being released in full at the beginning of February. “Having a standardized way to capture cyber insurance exposures will provide a much-needed framework for the market to grow its cyber capacity safely,” Coburn said.
