A primary goal of building our model was to address specific questions from our clients. Because cyber doesn’t have the history that traditional coverages like property have, clients need fact-based tools to create an effective strategy.
Our model does rely on historical data but also expands the scope of information beyond the most publicized events, so we can include cyber or business interruption losses, incorporating our brokers’ invaluable experience working with clients as long as there’s been a cyber product.
We have worked to overcome these challenges by taking an approach that includes several key elements.
The first is our knowledge of the events that have happened, which is the cornerstone of our research efforts with Stanford. Looking at what has happened helps us set a baseline for possible cyber events, but it isn’t the only thing you want to consider.
Next, where sufficient data do not exist, we challenge ourselves to develop scenarios that can occur but have not yet occurred, as this helps define the most impactful events. As cyber risk continues to evolve, JLT will develop additional scenarios and update the model itself so the model matures with our knowledge about the risk.
Lastly, knowing there is inherent risk in any model that is built, we find it is extremely important to understand a model’s sensitivity to its critical parameters so that potential variations in results are appreciated by those using them, allowing for more informed risk management decisions.
Through our conversations with insurers, brokers and corporate leaders, a consistent theme has emerged—a belief there is a lack of available data to better understand cyber risk. We’re working with JLT and others in Silicon Valley and beyond to prove that belief wrong. There is an abundance of available data; the challenge is bringing those different data together and then separating the signal from the noise.
Our intention is to continually build and develop this database of cyber breaches, focusing on frequency, severity in terms of cost, and the litigation and regulatory enforcement that stem from such breaches.