Everything You Wanted to Know About the Verisk Cyber Exposure Data Standard
Mar 15, 2016
Editor's Note: On January 19, 2016, AIR Worldwide released a preparer's guide for cyber exposure data in conjunction with our parent company, Verisk Analytics. Recently, AIR published a blog about how the data standard can be used today. This article provides insight into how the standard was developed, what it contains, and how it will help companies understand their cyber risk.
Companies that write cyber policies or find cyber coverage included in "all-risk" policies risk being subject to cyber attack claims. Making risk assessment challenging is the fact that insureds often don't know or won't disclose information about their cyber vulnerability, such as network dependencies. Along with the risk and the challenge, however, comes the opportunity for companies to grow their cyber risk business—with the proper tool. The Verisk Cyber Exposure Data Standard, along with its SQL implementation, is the tool that can help companies understand their exposure and aggregation risk, evaluate risk, and make underwriting or pricing decisions today. What follows is a detailed explanation of how the new standard works and why.
Flexibility Is Key
Cyber insurers and potential insureds can have varying levels of engagement before contracts are written. Some insurers might consider only the industry and revenue of a potential insured, while others may spend weeks interviewing IT staff and require comprehensive questionnaires to be filled out before deciding whether the risk fits with the rest of their portfolio. There is also variation in how much effort cyber insurers put into evaluating new business, based on the premium and limit being offered. In developing a cyber exposure data standard, one of AIR's main goals was that it be applicable across the entire spectrum of cyber risk underwriting.
The Verisk Cyber Exposure Data Standard does not require companies to collect every last bit of data about a potential insured, and the preparer's guide can help organizations prioritize what additional information to collect. Because of this flexibility, companies won't quickly outgrow the standard, as they can use what they collect now and grow into new data fields over time as resources permit. Not only will the standard work with only partial information filled in, but AIR's forthcoming probabilistic model will work with limited information as well. The more detailed the input information, however, the more accurately the results will reflect risk differentiation.
How Did We Develop the Standard?
AIR began the process of developing the cyber exposure data standard in consultation with our sister company ISO®, which had developed a policy form for cyber risk—similar to what they do for property risk. We made use of the available coverages in the form as the basis for the insurance coverages within our cyber standard. Then during the past year AIR met with more than 60 companies in the cyber insurance, broking, reinsurance, and security spaces and refined the draft standard with their input. At each of these meetings, we received useful feedback on the draft data standards. We also reviewed many of the policy forms and cyber insurance application forms from these companies to expand the parameters included in our draft standard. After another round of formal feedback, the standard was released to the public on January 19, 2016.
What Does the Verisk Cyber Exposure Data Standard Contain?
Any organization can be entered in the standard, regardless of whether it has affirmative cyber coverage or not, including companies, governmental organizations, non-governmental organizations, non-profits, and others. The preparer's guide provides details about the various fields, including ones labeled "Common Core," which, after consulting with Lloyd's of London, were deemed especially important to collect. Very few fields are mandatory, allowing these standards and AIR's forthcoming cyber model to be used by any organization that has information on revenue and industry, the only required data elements.
The standard is broken out into various tables, with Organization, Data, Asset/Storage, and Transfer the most critical.
The Organization table, the only one that is required to be at least partially populated, contains basic information about the insured, including contact information. Especially important fields include industry and revenue, which are mandatory. There are also fields that capture an organization's recovery plans from disasters, network intrusions, and other problems. Since these are not just "yes" or "no" fields, AIR provides guidance on choosing the appropriate value for these and other fields in AIR's Quality Score Rubric to make the process less subjective and more uniform. Other characteristics that can be captured in this table include indicators for whether the organization has a chief security officer and meets various industry standards (such as NIST 800-53 or ISO 27001). If an organization meets these certifications, AIR will make other assumptions about it, for example that it has an "excellent" security policy score.1 In addition, it is possible to include information on previous cyber attacks an organization has experienced.
One very significant kind of loss an organization can experience either during or after a cyber attack is stolen or unavailable data. This data can include credit card information, health records, social security numbers, or even website data. Information can be entered into the Data table for each type of data that an organization maintains, including the count and value of the data (for credit cards, the count may be high and the value of each low, and vice versa for website data). AIR developed context-based assumptions for counts and values when the Data table is left blank. For example, AIR is developing functions that relate a retailer's revenue and the number of credit cards it stores in its database.
Data is at risk when stored on various devices, including servers, laptops, flash drives, and mobile devices. Each of these "assets" has unique security features that can be captured in fields in the Asset/Storage table, including scores for encryption, antivirus, and firewall. Also, to capture blackout scenarios caused by cyber attacks, the physical location of the asset can be entered. Information can also be entered to account for cloud storage.
Although the manner in which data is stored is critical to its security, even data stored with high-quality encryption and other security measures becomes susceptible to breach if it is subsequently transferred as plain text. Therefore, the Verisk Cyber Exposure Data Standard allows companies to enter information in the Transfer table about how data is transferred between and within organizations (e.g., email or FTP).
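To make the four tables concrete, here is an illustrative schema and two book-level queries constructed for this article. It is not the Verisk SQL schema; every table and column name, and the 1..5 score scale, are assumptions modelled on the fields described above.

```sql
-- Illustrative schema and queries constructed for this article (not the Verisk
-- SQL schema); names are assumptions modelled on the fields described above.
CREATE TABLE organization (
    org_id   INTEGER PRIMARY KEY,
    org_name TEXT,
    industry TEXT    NOT NULL,  -- the two required fields
    revenue  NUMERIC NOT NULL,
    iso27001 INTEGER            -- 1 = certified; other indicator flags omitted
);
CREATE TABLE asset_storage (
    asset_id         INTEGER PRIMARY KEY,
    org_id           INTEGER NOT NULL REFERENCES organization(org_id),
    asset_type       TEXT,     -- 'server', 'laptop', 'flash_drive', 'mobile', 'cloud'
    location         TEXT,     -- physical site, needed for blackout scenarios
    encryption_score INTEGER,  -- assumed 1 (poor) .. 5 (excellent) rubric scale
    antivirus_score  INTEGER,
    firewall_score   INTEGER
);
CREATE TABLE data_record (
    data_id          INTEGER PRIMARY KEY,
    org_id           INTEGER NOT NULL REFERENCES organization(org_id),
    asset_id         INTEGER REFERENCES asset_storage(asset_id), -- where stored
    data_type        TEXT,     -- 'credit_card', 'health_record', 'ssn', 'website'
    record_count     INTEGER,  -- high for cards, low for website data
    value_per_record NUMERIC   -- low for cards, high for website data
);
CREATE TABLE transfer (
    transfer_id INTEGER PRIMARY KEY,
    data_id     INTEGER NOT NULL REFERENCES data_record(data_id),
    method      TEXT,          -- 'email', 'ftp', 'sftp', ...
    encrypted   INTEGER        -- 1 = protected in transit, 0 = plain text
);

-- Aggregation by site: data value a blackout at one location would make
-- unavailable, summed across every insured in the book.
SELECT a.location,
       COUNT(DISTINCT a.org_id)                 AS insureds,
       SUM(d.record_count * d.value_per_record) AS exposed_value
FROM asset_storage a
JOIN data_record d ON d.asset_id = a.asset_id
GROUP BY a.location
ORDER BY exposed_value DESC;

-- Strongly encrypted at rest but moved as plain text: the gap the Transfer table exposes.
SELECT o.org_name, d.data_type, t.method
FROM data_record d
JOIN asset_storage a ON a.asset_id = d.asset_id
JOIN transfer t      ON t.data_id  = d.data_id
JOIN organization o  ON o.org_id   = d.org_id
WHERE a.encryption_score >= 4 AND t.encrypted = 0;
```

Both queries run on standard SQL engines such as SQLite or PostgreSQL once the tables are populated; the second one lists exactly the insureds whose storage scores would otherwise overstate their protection.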
How Can I Make Use of the Standard Today?
To make the preparer's guide truly practical and immediately ready to use within your organization, companies can download an SQL schema, which provides a uniform and consistent manner for cyber exposure data storage.
The preparer's guide and SQL schema can help you gain new insights into potential cyber aggregations in your books of business. These analyses can be conducted by organizations themselves, or they can be done in consultation with AIR, utilizing additional data resources that AIR has collected.
By making use of our SQL schema implementation and AIR's cyber consulting service, potential sources of aggregation in your book can be studied and analyzed. Lloyd's of London is requiring syndicates to perform three deterministic cyber scenarios before the end of March, 2016, according to Market Bulletin Y4938. AIR can already provide deterministic scenario analyses, whether motivated by regulatory requirements or a desire to gain a different perspective on existing books of business.
Please reach out to AIR to discuss how we can help analyze your commercial books' cyber aggregations today.
1 This is analogous to how, upon indicating that a building is IBHS certified in a property model, AIR makes other assumptions about that building.