Quantification of Cyber Risk – Risk Categories and Business Sectors

P. Shevchenko, Jiwook Jang, Matteo Malavasi, G. Peters, G. Sofronov, S. Trück
DOI: 10.2139/ssrn.3858608 (https://doi.org/10.2139/ssrn.3858608)
Published in: PSN: Cyber-Conflict (Inter-State) (Topic)
Publication date: 2021-06-01
Publication type: Journal Article
Citation count: 3 (Semantic Scholar)

Abstract

This white paper presents an analysis of the Advisen Cyber Loss dataset (www.advisenltd.com/data/cyber-loss-data/), which contains a historical view of cyber events collected from reliable and publicly verifiable sources. The dataset analyzed in this study comprises 132,126 cyber events during 2008-2020, affecting 49,496 organizations, with more than 80% of the organizations represented in the dataset residing in the USA. A summary of the findings is provided as follows:

- Currently, data collection and databases on losses from cyber events have an unbalanced recording of samples, with the strongest emphasis on US-centric data collection. However, cyber risk is international in nature, affecting both commercial and private industry as well as government agencies across all sectors of the economy. Therefore, we advocate that a concerted effort be made to develop an adequate measurement and modelling process for cyber-related risks in the domestic landscape; there is a strong need for, and utility to be gained from, collecting such data specifically for Australia.

- There are many cyber risk classifications, each designed with a specific intent and purpose and building on pre-existing laws and policies. Enterprises and market participants should adopt the cyber risk classification that best fits their needs; standardisation within sectors makes sense, but standardisation across different sectors may be ineffective.

- Over 60% of companies that recorded cyber-related losses have suffered from cyber-attacks more than once in the period 2008-2020. This suggests that governance processes relating to the mitigation of such events can be significantly enhanced, and that regulation and reporting around best practices, as they emerge, could help prevent repeated events of the same nature from reoccurring.

- Losses from cyber-related events are heavy-tailed. This means that while the majority of losses are typically relatively small (85% of events cause losses <$2 million), there is a chance of extreme losses: e.g. 5% of losses exceed $10 million, 1.4% of cyber-related losses even exceed $100 million, and 0.17% of events cause losses >$1 billion.

- There is no distinct pattern or clear-cut relationship between the frequency of events, the loss severity, and the number of affected records. Contrary to assumptions often made in practice, the reported loss databases do not demonstrate a directly proportional relationship between the total loss incurred from a cyber event and attributes of the event such as the number of compromised records (data records breached or stolen), the number of employees in a corporation, or the number of units of a company affected. This finding shows that all companies, regardless of the volume or size of their data records, can be susceptible to significant incurred loss from cyber events.

- The frequency and severity of the events depend on the business sector and the type of cyber threat.

- It is clear that even with increased scrutiny and increased regulatory guidance, the rate of cyber crime has not abated. In fact, the frequency of reported cyber-related events increased substantially between 2008 and 2016 (4,800 reported events in 2008, 16,800 reported events in 2016). Furthermore, the reporting of such events for modelling purposes could be enhanced, as there appears to be a significant delay in the reporting of events that needs to be taken into account when drawing conclusions on the risks.

- The most significant cyber loss event categories, by number of events, continue to be Privacy - Unauthorized Contact or Disclosure and Data - Malicious Breach. Data-related breaches have become increasingly common since 2008; while Cyber Extortion, Phishing, Spoofing and other Social Engineering practices also continue to increase, the pace at which malicious breach-related events occur has surpassed these other prominent loss event categories in recent years.

- The heavy-tailed nature of cyber loss continues to be present. This is directly observed in the fact that cyber losses are well described by the "one loss causes ruin" adage attributed to heavy-tailed loss processes that exhibit regular variation or power-law severity tail behaviour. As such, in all categories of cyber loss type and in all sectors of the economy, it was found that loss severity is often dominated by large individual events. Overall, data breaches have caused the most serious financial consequences in the last four years, while the Information sector, Professional, Scientific & Technical Services, and Finance & Insurance have suffered most of the financial damage during the sample period 2008-2020.
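The following Python script is an added illustration and is not code from the white paper or its authors. It takes the exceedance fractions quoted above (5% of losses above $10 million, 1.4% above $100 million, 0.17% above $1 billion) and backs out a rough two-point Pareto tail index between adjacent thresholds, assuming a power-law exceedance function P(L > x) = C x^(-alpha) on each interval; the abstract does not state this model, so the resulting indices are a sanity check rather than the paper's fitted values. It then simulates why a tail index below 1 produces the "one loss causes ruin" behaviour: the largest single event carries a large share of the aggregate loss, whereas for a light-tailed (exponential) severity with the same median it does not. The sample size, seed and comparison distribution are constructed.

```python
"""
Added illustration (not from the white paper): what a power-law severity
tail implies for aggregate cyber loss.

  1. Back out a piecewise Pareto tail index alpha from the exceedance
     fractions the abstract quotes, assuming P(L > x) = C * x**(-alpha)
     between adjacent thresholds (an assumption made here, not a claim of
     the paper).
  2. Simulate the "one loss causes ruin" property: with alpha < 1 the
     largest single event dominates the total; an exponential severity
     with the same median does not behave this way.

Everything except the abstract's exceedance fractions is constructed.
"""
import math
import random


def implied_tail_index(x1: float, p1: float, x2: float, p2: float) -> float:
    """Tail index alpha of a power law P(L > x) = C * x**(-alpha) passing
    through the exceedance points (x1, p1) and (x2, p2), x2 > x1:
    alpha = ln(p1 / p2) / ln(x2 / x1)."""
    if not (0 < p2 < p1 <= 1 and 0 < x1 < x2):
        raise ValueError("need 0 < p2 < p1 <= 1 and 0 < x1 < x2")
    return math.log(p1 / p2) / math.log(x2 / x1)


# Exceedance fractions quoted in the abstract: (threshold in USD, fraction of events)
ABSTRACT_EXCEEDANCES = [
    (10e6, 0.05),
    (100e6, 0.014),
    (1e9, 0.0017),
]


def tail_indices_from_abstract(points=ABSTRACT_EXCEEDANCES) -> list:
    """Two-point tail index between each pair of adjacent thresholds."""
    return [
        implied_tail_index(x1, p1, x2, p2)
        for (x1, p1), (x2, p2) in zip(points, points[1:])
    ]


def max_share_of_total(losses) -> float:
    """Share of the aggregate loss contributed by the single largest event."""
    total = sum(losses)
    return max(losses) / total if total > 0 else 0.0


def simulate_max_share(n_events: int, alpha: float, seed: int = 0):
    """Draw n_events losses from a Pareto(alpha) severity (scale 1) and from
    an exponential severity matched to the same median, and return the
    largest event's share of the total for each: (pareto_share, expo_share).
    Constructed data; the seed makes the run reproducible."""
    rng = random.Random(seed)
    pareto = [rng.paretovariate(alpha) for _ in range(n_events)]
    # Pareto(alpha) with scale 1 has median 2**(1/alpha); exponential with
    # rate lambd has median ln(2)/lambd, so match the two medians.
    median = 2 ** (1 / alpha)
    expo = [rng.expovariate(math.log(2) / median) for _ in range(n_events)]
    return max_share_of_total(pareto), max_share_of_total(expo)


if __name__ == "__main__":
    pairs = zip(ABSTRACT_EXCEEDANCES, ABSTRACT_EXCEEDANCES[1:], tail_indices_from_abstract())
    for (x1, _), (x2, _), a in pairs:
        print(f"implied alpha between ${x1:,.0f} and ${x2:,.0f}: {a:.2f}")
    p_share, e_share = simulate_max_share(n_events=1000, alpha=0.5)
    print(f"largest event's share of total loss: Pareto(0.5)={p_share:.2f}, "
          f"exponential={e_share:.3f}")
```

Both implied indices come out below 1, which under the power-law assumption would mean an infinite-mean severity; that is exactly the regime in which a single event, not the accumulation of many small ones, determines the aggregate loss, and it is why sector-level or category-level tail estimates matter more for capital and insurance decisions than average loss figures.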