Last week, AIR released the first ever preparer's guide for cyber exposure data in conjunction with our parent company, Verisk Analytics®. The AIR Cyber Exposure Data Standard Preparer’s Guide is available here. To make the preparer's guide truly practical and immediately ready to use within your organization, you'll also find an SQL schema ready for download and implementation.
This post will sort out the details of the Verisk standard and provide insight into the benefits that a user can derive today. These benefits include custom consulting studies—available now—that can help you gain new insights into potential cyber aggregations in your books of business.
The standard and schema are comprehensive and flexible, so organizations can use them now and grow into them in the future. They incorporate feedback from companies in the insurance, brokering, and reinsurance spaces. Any organization can be entered regardless of whether it has affirmative cyber coverage,1 including companies, governmental organizations, NGO's, non-profits, and others.
The structure of the cyber exposure data standard and schema. (Source: AIR)
The preparer's guide provides details of the various fields to capture for the standard and schema, which are summarized at a high level in the figure. In the preparer's guide, the column named "Common Core" indicates fields that―after consulting with Lloyd's of London―were deemed especially important to collect. Very few fields are mandatory, allowing these standards and AIR’s forthcoming cyber model to be used by any organization that has information on revenue and industry― the only required data elements.
The preparer's guide will be a useful resource for organizations in determining additional information collection parameters for potential insureds, and the SQL schema provides a uniform and consistent manner for cyber exposure data storage, leading to several immediate and future benefits.
By making use of our SQL schema implementation and AIR's custom cyber consulting service, potential sources of aggregation in your book can be studied and analyzed. Lloyd's of London is requiring syndicates to perform three deterministic cyber scenarios before the end of March, according to Market Bulletin Y4938. AIR can provide deterministic scenario analysis now, regardless of the driving factor, be it regulatory requirements or a desire to gain a different perspective on existing books of business.
In addition, beginning soon, AIR will release a useful SQL query every month. These queries will capture deterministic scenarios that can be run against a book of business. Deterministic loss estimates can be studied for everything from aggregations on cloud providers, payment processors, blackouts, and encryption quality via these queries. Also, because our database is implemented in SQL, organizations can develop their own scenarios and test them against their books.
As transferring data about cyber books across the insurance value chain becomes more widespread, practical implementation of this standard will help make the process more uniform. In addition, the schema we released will be used in the upcoming AIR probabilistic cyber model, preparing organizations for modeling cyber risk in the future.
I hope to see you at our Envision conference in Philadelphia, where we will demonstrate how to use our schema to estimate losses from a deterministic cyber scenario. We’ll also be discussing cyber risk modeling at the RAA Cat Modeling conference, and at the Advisen Cyber Risk Insights in London and San Francisco over the next few months. Please reach out to us to discuss how we can help analyze your commercial book's cyber aggregations today.