Because data breaches often affect more than one organization, AIR recently released a Data Compromise Correlation Module in ARC that enables organizations to better account for correlations of cyber risk between companies in similar industries, as well as for entire portfolios.
Formerly termed “security breach” in our probabilistic cyber model, our new umbrella term, “data compromise,” covers the following causes of cyber loss that we model:
- Phishing and social engineering scams
- Malware and other computer hacks
- Accidental data issues
- Unauthorized data disclosures
- Potential fines due to the EU General Data Protection Regulation (GDPR)
By default, data compromise is uncorrelated in our model: Each company is treated independently, so if an event hits Company A, it only hits Company A and not Company B (or any other company or vice versa). While a individual company’s EP curve can be quite steep, when you combine independent EP curves from multiple companies, by mathematical law, you end up getting a flat overall portfolio EP curve.
Our new Data Compromise Correlation Module enables users to adjust portfolio EP curves to match expected correlations either within an industry or across the entire portfolio. The module is meant to provide users with more flexibility for assessing the risk of their portfolio, given that data compromise can and does affect more than one organization (whether it be multiple organizations that each get hacked within a short time frame due to a common vulnerability or they get hacked simultaneously by a worm that moves from one organization to another).
For example, given the number of breaches of hospital data in recent years, (re)insurers might want to consider that there could be common, vulnerable systems across several hospitals, in which case you could have the model reflect this by turning on correlation for the “Health Care and Social Assistance” industry. Or perhaps in your portfolio, you insure a high concentration of restaurants—a bakery, a food truck, and a coffee shop, for example—all of which rely on a common payment processor that a hacker could exploit and steal customer credit card data from, due to an unpatched vulnerability.
The Data Compromise Correlation Module in ARC can be used by a (re)insurer to assess the impact of a common vulnerability being exploited that could result in data compromise losses to organizations in a specific industry or to the entire portfolio. Recommended default settings for the Data Compromise Correlation Module are provided in our cyber model documentation, which clients can access through our client portal.
We’re excited to have quickly incorporated early client feedback into ARC, and look forward to continuing to iterate and provide more ways to tweak views of cyber risk.