In the second part of their article on quantifying and pricing cyber risk, Tim Freestone and Malcolm McLelland respond to reader queries and share further proof of their theory
Readers of our previous article (Part 1) on cyber risk, and those who have not seen it, will likely be interested in comments we received about it from actuaries and underwriters at major cyber risk insurers. Here are a few:
- "I understand finance theory, but we all know that markets are irrational, so there's no way for cyber risk to be systematically priced in the capital market."
- "You might think you're measuring cyber risk, but you're not. Cyber risk is an actual attack on an actual network computer port."
- "Unless your model is using data on successful cyber-attacks on specific IP addresses and port numbers, and on the method of attack, then your model is not useful in underwriting."
These are interesting comments when viewed in the context of discussions we have had with cybersecurity managers and consultants. Here are some:
- "Over 90% of all successful cyber-attacks use social engineering methods rather than direct attacks made over the internet on specific ports and services. If the metric is monetary losses from cyber-attacks, socially engineered attacks probably represent well over 95%, perhaps over 99%, of losses from cyber-attacks."
- "Some of the more damaging cyber-attacks I'm aware of were never reported; for example, exfiltration of a major transportation equipment manufacturer's comprehensive engineering documents for a new truck series."
- "Companies only disclose cyber-attacks when required, not voluntarily, and the law and regulations are still developing. Before 2022, when the US passed CIRCIA [the Cyber Incident Reporting for Critical Infrastructure Act of 2022], cyber-attack disclosures were usually made only when sensitive personal identifying information (patient, customer or employee data) was breached. Before that, disclosures were made only if they represented material events under SEC Form 8-K disclosure requirements."
With respect to the notion that capital markets are irrational and therefore unable to price cyber risk rationally: this view ignores over 40 years of financial economic theory and evidence, as well as the hundreds or thousands of sophisticated traders that demonstrably price, hedge and diversify cyber risk daily in the capital markets.
The issue is not whether irrational traders exist in the US capital markets. They do. The issue is whether there are rational traders that influence risk prices in a systematic way. There are and there is over 50 years of empirical evidence that they price risks in a systematic way, and our own empirical results show this is the case for cyber risk.
Notice the stark contrast between the beliefs of cyber risk actuaries about the causes of cyber risk, on the one hand, and those of cyber security experts and consultants on the other. The reader, in a sense, must decide who to believe about the causes of cyber risk: the actuaries or the cyber security experts.
The choice is quite important: without modelling cyber risk (and cyber-attacks) as a function of the actual, systematically driven causal factors, it is difficult to develop accurate, reliable cyber risk models with adequate predictive power. Statistical models tend to work well only when they model actual causal relationships. So, should we ignore what cyber security experts say about the actual causal factors of cyber risk and continue to build non-causal models based on current cyber actuarial best practice?
It is perhaps well to recall a famous quote of Ayn Rand – regardless of what one thinks about the controversial writer – on the importance of being rational: "We can ignore reality, but we cannot ignore the consequences of ignoring reality."
A new agenda
At the close of Part 1, we indicated the issues we would be covering in Part 2. Owing to the overwhelming and very supportive response we received from readers, we are altering that agenda to respond to the largest issue on the minds of readers, namely: do we have any evidence, short of what can be provided using arbitrage pricing theory (APT), that cyber is a systematically distributed market risk? This really is the largest issue because, if cyber risk is systematic, it adds a great deal of information that can be used to improve underwriting results. For example, it would address:
- How are investors pricing cyber risk?
- How is cyber risk correlated among companies? Think portfolio selection criteria, an issue currently on the minds of investors in cyber risk-linked securities and catastrophe bonds. This should also be on the minds of cyber insurers and investment portfolio managers.
- How are the markets pricing cyber's systemic risk?
If cyber is a market risk, then it can be hedged. This information is also forward looking, so insurers can adapt their pricing models in real time rather than waiting for end-of-year loss ratios.
We understand that APT is thought to be somewhat abstract and may not offer as persuasive a case to many readers as a more concrete example of cyber being a market risk. But we also want to be clear that, had we not been able to confirm the systematic nature of cyber risk using APT, we would not be presenting the case history of the cyber-attack on the major US retailer Target as evidence that cyber is a market risk. APT is a formal, rigorous framework whose results can be validated using statistical tests for robustness; it would be very difficult, if not impossible, to subject the following case history of the Target attack to the same level of rigour.
Cyber risk pricing in the equity markets
With this as background, we now turn to an excellent example of cyber risk pricing in the equity markets. We have chosen the cyber-attack on Target not because it is unique, but because it shares many characteristics with other cyber-attacks. This should not be a surprising finding. Systematically distributed market risks share many characteristics that follow from their systematic nature:
- Broad impact: They affect a wide range of assets or securities in the market, rather than being specific to individual companies or sectors.
- Non-diversifiable: These risks cannot be diversified away by holding a diversified portfolio of assets. They are inherent to the market as a whole.
- Correlated effects: Market-based systematic risks often lead to correlated movements in asset prices, meaning that when one asset is affected, others are likely to be affected in a similar manner.
- Impact on market prices: They influence market prices and returns, impacting investors' overall portfolio values.
- Persistent nature: Market-based systematic risks can persist over time, affecting market participants' expectations and investment decisions.
- Measurable and observable: While the specific impact of market-based systematic risks can vary, they are generally measurable and observable in market data and trends.
We will observe many of the systematic effects described above in the 2013 attack on Target Corporation; in fact, we will see one systematic effect we had not anticipated when we began this study of the Target attack: the subsequent attack on the retailer Home Depot, reported in 2014, an attack orchestrated by the same hackers that attacked Target.
And we ask ourselves and the community of cyber risk managers and insurers: how could we possibly separate the underlying systematic nature of how a large percentage of cyber-attacks are planned and executed, from the corresponding price patterns we observe in the stock prices of the victims of cyber-attacks and their peers?
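How such price patterns are usually measured, shown here as an added example that is not the authors' own APT model or code: a market-model event study fits each firm's exposure to the index over an estimation window, then sums the abnormal returns (actual minus model-expected) over an event window around the disclosure date. The "correlated effects" item above is exactly the case where a same-sector peer also shows a negative cumulative abnormal return (CAR). All return series below are constructed (deterministic oscillations plus an assumed price shock for the victim and a smaller one for its peer), not real Target, Home Depot or index data; the window lengths, shock sizes, betas and firm labels are assumptions.

```python
"""
Market-model event study on constructed data.

Added illustration of how a cyber-attack's price impact on a victim and its
peers is measured; not the authors' APT model. Every series is synthetic.
"""
import math

EST_DAYS = 40      # estimation window used to fit the market model (assumed)
EVENT_DAYS = 7     # event window: day -1 .. day +5 around disclosure (assumed)
N = EST_DAYS + EVENT_DAYS


def market_returns():
    # Constructed index returns: a bounded oscillation of about +/-1.2% a day.
    return [0.012 * math.sin(0.9 * t) for t in range(N)]


def firm_returns(alpha, beta, shock, m):
    # Constructed firm returns: alpha + beta * market + small idiosyncratic
    # noise, plus an event-window shock pattern indexed from day -1.
    out = []
    for t in range(N):
        eps = 0.002 * math.cos(2.3 * t)
        s = shock[t - EST_DAYS] if t >= EST_DAYS else 0.0
        out.append(alpha + beta * m[t] + eps + s)
    return out


def ols(x, y):
    """Fit y = a + b*x by least squares; return a, b and residual std dev."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxx = sum((xi - mx) ** 2 for xi in x)
    sxy = sum((xi - mx) * (yi - my) for xi, yi in zip(x, y))
    b = sxy / sxx
    a = my - b * mx
    resid = [yi - (a + b * xi) for xi, yi in zip(x, y)]
    sigma = math.sqrt(sum(e * e for e in resid) / (n - 2))
    return a, b, sigma


def event_study(firm, m):
    """Return (CAR, t-statistic) over the event window.

    The market model is fitted on the estimation window only, so the event
    window cannot contaminate the firm's 'normal' return. The t-statistic
    scales CAR by the estimation-window residual volatility.
    """
    a, b, sigma = ols(m[:EST_DAYS], firm[:EST_DAYS])
    abnormal = [firm[t] - (a + b * m[t]) for t in range(EST_DAYS, N)]
    car = sum(abnormal)
    tstat = car / (sigma * math.sqrt(EVENT_DAYS))
    return car, tstat


def run():
    """Event study for a victim, a same-sector peer and an unrelated control."""
    m = market_returns()
    no_shock = [0.0] * EVENT_DAYS
    # Assumed shocks: disclosure-day drop plus one day of follow-through.
    victim_shock = [0.0, -0.040, -0.020, 0.0, 0.0, 0.0, 0.0]
    peer_shock = [0.0, -0.015, -0.010, 0.0, 0.0, 0.0, 0.0]  # sector spillover
    firms = {
        "victim": firm_returns(0.0003, 1.1, victim_shock, m),
        "peer": firm_returns(0.0002, 0.9, peer_shock, m),
        "unrelated": firm_returns(0.0001, 0.7, no_shock, m),
    }
    return {name: event_study(r, m) for name, r in firms.items()}


if __name__ == "__main__":
    for name, (car, t) in run().items():
        print(f"{name:10s} CAR={car:+.4f}  t={t:+.2f}")
```

A large negative CAR with a t-statistic well beyond conventional thresholds for the victim is the loss being priced; the smaller but still negative CAR for the peer is the correlated effect an insurer would want to see before treating sector exposure as diversifiable; the near-zero CAR of the unrelated firm is the control. With real data the same functions would be fed daily log returns, and the estimation window would be chosen to end before the earliest rumour of the breach, since an information leak ahead of disclosure biases the fitted model.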
This article continues in a PDF - click here to download it (free access)