Project Brief

Introduction

Cyber Risk is an emerging risk with new complexities that call for insurers and risk managers to jointly develop innovative solutions and tools, and enhance awareness and underwriting expertise.

The Cyber Risk Management (CyRiM) project is led by NTU-IRFRC in collaboration with industry partners and academic experts. CyRiM is a pre-competitive research project that aims to foster an efficient cyber risk insurance market place through engaging industry and academic experts guided by government and policy level research. The CyRiM project will help Singapore to become an industry centre of excellence on cyber risk and grow the cyber risk insurance market by promoting both the demand and the supply of insurance coverage.

Project Start Date: 1 April 2016
Project Lead
Shaun Wang

 

Organisation Chart

Problem Statement

The real and present danger posed by cyber risk to businesses and society needs to be tackled at many different levels; insurance is one important component that can provide risk mitigation and transfer that is needed to manage this rapidly growing threat. However, the insurance industry as a whole does not yet sufficiently understand the unique, complex and evolving nature of cyber risk and thus is not in a position to provide robust cyber insurance cover required by those at risk. The lack of sound data, the rapidly changing cyber threat environment, developing regulation and policy landscape, and the global nature of cyber risk with potential for high accumulation risk, constrains the development of cyber risk insurance market.

Objectives
  • Research into the definition of cyber risk with the objective to deliver an appropriate classification that also considers the emerging cyber – information risk landscape and jurisdiction variations
  • Creation of a cyber related event loss data-set including analysis of risk drivers and translation to estimated insurance claims based on a 'standardized' set of defined contract wordings
  • Creation of a set of cyber event scenarios for impact quantification and study of accumulation risk in systemic events
  • Creation of benchmark cyber loss models and dependency information to support actuarial pricing
  • Collaborative development of a non-intrusive cyber security exposure assessments capability to support company rating and integration with underwriting processes.
Governance and Funding
  • Aon Centre for Innovation and Analytics
  • Lloyd’s of London
  • MSIG
  • SCOR
  • TransRe

The project is overseen by a Project Oversight Board consisting of representatives of MAS, CSA, NTU-IRFRC and the industry Founding Members.

Advisory Partners to the project will bring expertise on policy, sell-side and buy-side across all industry sectors, IT security, and academia. The partners and selected specialist individuals will support the project through an Advisory Committee and on-going work groups per project work-stream. In addition, the Advisory Committee will ensure the project remains abreast of developments in cyber risk at a global level and will help to answer questions from the project team and the Board. The overall project budget over 3 years is a little over SGD 7 million in total.

Project Deliverables
  1. To ensure an industry standard definition and classification of cyber risk applicable to insurance underwriting but also relevant and consistent with corporate (buyers) and IT security definitions, and giving consideration for differences by location or jurisdiction.
  2. Creation of a dataset of scrubbed global cyber events and associated losses, with a focus on understanding each event, its trigger with respect to contract terms, how the losses develop/emerge over time, and what “metric” of exposure are associated with losses.
  3. To complement the data and to evaluate accumulation risk and help future-proof the research the project will develop extreme scenarios, incorporating trend analysis and expert opinion.
  4. Identify major risk drivers of cyber related loss events and map these to existing insurance lines of business and identify potential gaps or new business opportunities.
  5. Understand perceived threats, needs, and opportunities from buy-side by different industry sectors (i.e. finance, healthcare, and infrastructure) to jointly develop the cyber insurance market.
  6. Develop Cyber loss analytic models to assist the insurance underwriting process, including benchmark loss models, accumulation knowledge and dependency models.
  7. Develop Cyber Risk Assessment Framework to integrate with insurance industry to play a role in assessment, prevention, detection and recovery.
  8. Develop Strategy and Policy Recommendation for Policy recommendation on insurance business solutions to cyber risks.

Plan

The project initiated in April 2016 with a 3-year duration with the different work-streams running in parallel. The definitions and first dataset are expected to be released within year one, in addition to first report on cyber loss scenarios based on a survey of experts. The dataset will be continually developed throughout the project and ultimately handed-over to an operational mode on completion, the nature of the operating mode will be determined by the Project Oversight Board.

The cyber security assessment techniques will be developed in partnership with an IT security and research organization in collaboration with participating corporate entities allowing testing and continued developed.

Policy level recommendations and guidance will be subject to the findings of the project, yet are expected to naturally occur throughout the duration of the project but with an emphasis towards the latter phase as insights become more robust.

Scope

The project will initially consider all cyber related insurance risks, from data breach, to property damage, personal injury and life, liability and reputation, even infrastructure and terrorism. However, for the purpose of the data analytics an initial task will be to refine this scope through identification and selection of those risks considered insurable and suitable for further actuarial modelling. The full scope of risks will however be considered in the cyber event scenarios.

The CyRiM project will be based in Singapore and will have a strong focus on building local capabilities in cyber risk while maintaining a global perspective with hubs in the U.S. and Europe.

Press Release

"13th Singapore International Reinsurance Conference" - Official Keynote Address by Ms Jacqueline Loh, Deputy Managing Director, Monetary Authority of Singapore, at Marina Bay Sands on 3 November 2015.

To further the development of cyber insurance in Singapore, the MAS is supporting the Cyber Risk Test-bed project. This will promote both the demand for and supply of insurance coverage, as well as tackle the difficulties that arrise when nurturing new and emerging lines:

  • On the supply side, a lack of loss and claims data that underpins an effective and accurate risk pricing model.
  • On the demand side, a lack of awareness as cyber risk is new and emerging, and exposures are therefore difficult to understand and quantify.
  • Finally, insufficient technical expertise to underwrite such complex risks. 
 

Led by the NTU-Insurance Risk and Financial Research Centre (IRFRC) in collaboration with the insurance industry and corporates, the industry-wide cyber insurance test-bed project seeks to address the limits of insurability of cyber risks in three ways.

  • First, the common data sharing platform encourages pooling of not just insurers' claims data, but also corporates' potential loss data simulated through hypothetical events.
  • Second, it helps corporates understand their potential exposures and losses.
  • Third, the players on the platform can come together to establish industry standards on clear-cut definitions of cyber risks, coverage limits and terms and conditions.