Over USD 5 billion insurable loss each year to U.S. businesses through data exfiltration

3 May 2017 — Daniela GHETU
Data breaches can cost companies hundreds of millions of dollars, the loss potentially reaching USD 5 billion a year across the USA only from data exfiltration, says RMS.

RMS, a global risk modeling and analytics firm, announced the release of its updated and expanded RMS Cyber Accumulation Management System, which includes a suite of cyber models and supporting software. The update comes in response to the rapidly changing cyber risk landscape, analysis of which is detailed in a new RMS report, Cyber Risk Landscape 2017, published today.

The update incorporates new functionality, including the RMS Expected Loss Baseline model. RMS analysts have used this new model to calculate that if all U.S. businesses had cyber insurance, over USD5 billion a year would be lost to the insurance industry from cyber data exfiltration alone. Data breaches are the leading cause of cyber insurance loss.

"In only fifteen months since we launched the RMS Cyber Accumulation Management System, we've seen the cyber risk landscape change dramatically and version 2.0 of the system reflects those changes," said RMS senior vice president, Dr. Andrew COBURN. "For example, we've seen the largest ever data breaches, denial of service attacks, and attempted financial thefts. Data breaches can cost companies hundreds of millions of dollars, and our modeling shows the overall insurable loss across U.S. businesses from data exfiltration is running at over USD 5 billion a year. The past year has also demonstrated the potential for future systemic cyber catastrophes, for which overall losses would far exceed USD 5 billion, and version 2.0 has the capacity to model this risk."  

Version 2.0 of the RMS Cyber Accumulation Management System gives clients unprecedented analytics, enabling firms to be even more accurate with their calculations of attritional annual losses across cyber portfolios, as well as probable maximum loss (PML). To keep pace with rapidly-changing cyber risk, the updated system includes major updates to its affirmative cyber scenarios, which have been created from the largest available database of historical cyber incidents and claims data. The scenarios cover,
  • shifting patterns of data exfiltration - updated scenarios reflect changing criminal targeting, larger magnitude data breaches, and improvements in security standards against accidental data loss;
  • more intense denial of service attacks - version 2.0 responds to the increasing firepower available to attackers who could harness the Internet of Things;
  • financial theft - updated to include larger attack campaigns and reflect improvements in security networks being used within the financial services sector;
  • cloud service provider failure - incorporates the substantial growth in cloud usage by companies, the increasing market dominance of the big four cloud service providers, and lessons learned from recent cloud outages;
  • cyber extortion - updated to include recent examples of extortion demands on larger companies, with ransom payment sizes recalibrated to recent experience, and the consequences of business interruption.
The system now includes cyber-physical scenarios providing insight on cyber-attacks that cause losses to traditional lines of property insurance, such as fire and explosion triggered by hackers. These non-cyber lines range from commercial and residential property to industrial facilities, upstream energy, and marine. The updated cyber-physical scenarios also enable assessment of the 'silent' exposures in policies that have ambiguous terms on cyber-attack losses.

"As the first cyber risk management solution of its kind, the RMS Cyber Accumulation Management System has benefited from over a year of use by leading cyber insurance writers, helping them to analyze a third of the market by premium." commented COBURN. "That's a lot of client feedback and refinement which has informed the innovations of our latest update. And with our continued substantial investments into cyber model development, there is already more capability in our pipeline."

The RMS Cyber Accumulation Management System continues to be developed in collaboration with the Center for Risk Studies at the University of Cambridge. It also includes the RMS Cyber Exposure Data Schema, which is open source and the industry standard for providing a systematic and uniform way to capture cyber exposure data and manage accumulation risk.

Share |