February 28, 2023 | Blogs | 7 min read

Realistic, but unlikely: KYND unlocks the modelling of more useful Realistic Cyber Disaster Scenarios

By KYND


It was in 1995 that Lloyd's introduced Realistic Disaster Scenarios (RDS), in response to significant aggregations of property losses across the market from three events: the explosion of the North Sea oil platform Piper Alpha (1988), Hurricane Andrew (1992), and the Northridge Earthquake (1994). The initial system was designed to test the market's exposure to a variety of major natural and man-made catastrophes that were relevant at the time.

Then, just over a year ago, Lloyd's updated its set of event scenarios to include a new and rapidly escalating threat that must be accounted for in today's world: cyber risk. In this blog, we give an overview of the three mandatory Lloyd's cyber scenarios released last year, look at what they mean for insurance carriers, and explain how KYND can help you take firm control of the cyber risk in your portfolio.


Ensuring scenarios are really realistic for the disasters you're worried about

Realistic Disaster Scenarios are, in effect, descriptions of catastrophic events that are used to assess the risk of a single severe incident causing widespread insurance claims, particularly where those claims are concentrated in a single portfolio of policies.

The impetus for RDSs is simple. If there's a flood in London, you don't want all of your policyholders to be landlords based in the UK capital, else you're on the hook for a large payout. If there's a financial mis-selling scandal and you're a specialist finance professional liability insurer, you're likely to see a wave of similar claims across your portfolio. And if you're a cyber insurer, it’s best to hope that your clients' data centres aren't all in Virginia, in case a power cut in the Eastern US puts all of them offline at the same time.

These situations are extreme, and rightly so: we expect (re)insurers to model their portfolios under severe stress so that when systemic events occur, (re)insurers remain solvent and policyholders can successfully claim for their losses. As a result, (re)insurance carriers and affiliated modellers have developed many iterations of RDS models that report the losses to be anticipated under the three mandatory Lloyd's cyber scenarios: "Business Blackout II", a power cut in the Eastern US; "Cloud Cascade", an outage at a major cloud service provider; and "Ransomware Contagion", the spread of ransomware exploiting a newly discovered vulnerability in a widely used operating system.

More granular data for clearer modelling

In our experience, current modelling efforts for these scenarios still rely on fairly broad-brush inferences, because carriers depend on high-level data. For example, losses from a cloud outage are estimated from the cloud provider's approximate market share, or the locations of company offices, headquarters and revenues are used to estimate which insureds would be affected by a power outage. While these models have value, they can ultimately offer only a rough approximation of the true consequences of a disaster scenario.

In our work supporting our insurance partners, we have developed models that similarly assess the impact of the Lloyd's mandatory RDSs. However, by leveraging KYND's discovery and attribution capabilities, we are able to base our models on the actual cyber footprint of the organisations in a portfolio, and so determine the extent of the impact if one of these disasters were to strike.

Instead of basing sophisticated models on rough numbers, we can identify exactly which organisations, and which parts of their infrastructure, would be affected by these incidents. We use this primarily to develop a more accurate estimate of the breadth of impact from an RDS: a New York-headquartered firm may be minimally affected by the Eastern US power outage if the majority of its servers are hosted on the West Coast or on other continents, while a European firm may be significantly disrupted if it uses cloud instances based in Eastern US data centres. These differences between firms can only be assessed with granular data that reflects the way each RDS actually plays out. And because this is based on KYND's attribution and discovery, our partners don't need to request anything more from their insureds: all that's needed is a domain name.

This clearer model doesn't just make the quantification of aggregate loss more accurate. Because the analysis is based on a per-insured model, we're able to incorporate the specifics of policy conditions to accurately model the impact for (re)insurers. This means that parametric insurers, carriers at excess layers, or reinsurers covering multiple points in the tower, are all accounted for.

Finally, this granular cyber data allows KYND to support our partners with clear views of the extent of impact within each of their insureds, as well as the underlying data which drives the analysis – enabling carrier data teams to leverage both the outputs and inputs of our modelling, in turn allowing for more mature in-house capabilities. But while improving the accuracy of models for off-the-shelf RDSs is valuable, it's only half the picture.

More relevant and more common scenarios

In our discussions with carriers, we are increasingly encountering teams aiming higher than the mandatory level of modelling and reporting. First, when reporting on further events that could affect their portfolios, our partners are becoming more interested in truly relevant scenarios that target the real cyber accumulation in their portfolios. Second, our partners are exploring more probable scenarios, to manage possible points of accumulation that would cause outsize losses even though these scenarios are less overtly "disastrous" than the mandatory RDSs.

This first trend is playing out as (re)insurers have more sophisticated discussions about the types of systemic events which are pertinent to particular portfolios of risk. The mandatory RDSs are highly relevant for organisations with large proportions of their digital infrastructure hosted in the US.

But for portfolios which have their assets concentrated in other regions, these scenarios will result in minimal losses, not performing the stress-test that they're intended for. In these cases, we can target similar events to the types of risks which would incur a systemic loss for the portfolio: for a European portfolio, we might model a northwest European blackout resulting from a gas supply interruption; for an ecommerce-focused portfolio, we might model an outage of a key payment provider. Addressing the relevance of extreme disaster scenarios is essential for meaningful discussion of systemic risk, especially in non-US markets.

The second trend, of exploring more common disaster scenarios, has surfaced for similar reasons. While modelling extreme disaster scenarios rightly stress-tests portfolios in the most trying of circumstances, there are events which are orders of magnitude more likely, but would still cause outsize systemic loss and resulting reinsurance claims. These smaller-scale events are both more frequent and expose more unusual points of aggregation than the mandatory RDSs. For instance, a deployment issue with a particular cloud service (e.g. Amazon's EC2, or Azure's Active Directory) at a particular data centre (e.g. US East 1, or West Europe) might not be as globally calamitous as the mandatory RDSs, but if a portfolio's members have more accumulated exposure to these instances, they can represent a significant loss for the (re)insurers covering that exposure. Similarly, bugs in little-used pieces of software, outages for non-mainstream CDNs, or data breaches at niche service providers could have an outsize impact on (re)insurers whose insureds have a disproportionate aggregate reliance on them.
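To make the modelling difference described above concrete, here is an added illustration (not KYND's model, code or data) of a per-insured accumulation calculation. It covers both the broad regional scenario discussed earlier (a New York-headquartered firm barely touched by an Eastern US blackout while a European firm is hit hard) and the narrower single-data-centre outage from this section, and contrasts the footprint-based result with the market-share approximation. Every insured, asset weight, policy term, the 0.33 market-share figure, the scenario durations and the reinsurance layer are constructed values; the assumption that business-interruption loss scales with the share of operations hosted on the affected infrastructure is ours for the purpose of the example.

```python
"""Per-insured accumulation model for cyber disaster scenarios.

Added illustration, not KYND's code or data: insureds, assets, policy
terms, market share and scenario parameters are all constructed.
Assumption: an insured's BI loss scales with the share of its operations
that depends on the infrastructure a scenario takes offline.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass
class Asset:
    provider: str   # hosting provider, e.g. "aws", "azure", "own-dc"
    region: str     # region / data centre, e.g. "us-east-1", "new-york"
    weight: float   # share of the insured's operations relying on it (sums to 1.0)


@dataclass
class Policy:
    limit: float        # policy limit
    retention: float    # amount the insured bears before cover attaches
    waiting_hours: int  # BI waiting period (hours) before cover attaches


@dataclass
class Insured:
    name: str
    hq: str             # headquarters: shown only to stress it is not what drives the result
    hourly_bi: float    # business-interruption loss per hour of complete outage
    assets: list[Asset]
    policy: Policy


@dataclass
class Scenario:
    name: str
    duration_hours: int
    providers: Optional[frozenset[str]] = None  # None = any provider
    regions: Optional[frozenset[str]] = None    # None = any region


def affected_share(insured: Insured, scenario: Scenario) -> float:
    """Fraction of the insured's operations hosted on infrastructure the scenario takes out."""
    return sum(a.weight for a in insured.assets
               if (scenario.providers is None or a.provider in scenario.providers)
               and (scenario.regions is None or a.region in scenario.regions))


def insured_loss(insured: Insured, scenario: Scenario, share: float) -> tuple[float, float]:
    """Gross BI loss for an affected share, then what the policy pays after the
    waiting period, retention and limit are applied."""
    covered_hours = max(scenario.duration_hours - insured.policy.waiting_hours, 0)
    gross = insured.hourly_bi * covered_hours * share
    ceded = min(max(gross - insured.policy.retention, 0.0), insured.policy.limit)
    return gross, ceded


def model_footprint(portfolio, scenario):
    """Footprint-based model: exposure comes from each insured's own asset weights."""
    rows = []
    for ins in portfolio:
        share = affected_share(ins, scenario)
        gross, ceded = insured_loss(ins, scenario, share)
        rows.append((ins.name, share, gross, ceded))
    return rows, sum(r[3] for r in rows)


def model_market_share(portfolio, scenario, market_share):
    """Broad-brush comparison: every insured is assumed exposed in proportion to
    the provider's market share, regardless of where it actually hosts."""
    rows = [(ins.name, market_share, *insured_loss(ins, scenario, market_share)) for ins in portfolio]
    return rows, sum(r[3] for r in rows)


def layer_recovery(total_ceded, attachment, layer_limit):
    """Recovery under an excess-of-loss reinsurance layer on the aggregate ceded loss."""
    return min(max(total_ceded - attachment, 0.0), layer_limit)


# Constructed three-insured portfolio
PORTFOLIO = [
    Insured("NY Holdings", "new-york", 10_000,
            [Asset("aws", "us-west-2", 0.8), Asset("own-dc", "new-york", 0.2)],
            Policy(limit=1_000_000, retention=50_000, waiting_hours=8)),
    Insured("EU Retail BV", "amsterdam", 20_000,
            [Asset("aws", "us-east-1", 0.6), Asset("azure", "westeurope", 0.4)],
            Policy(limit=2_000_000, retention=100_000, waiting_hours=12)),
    Insured("UK SaaS Ltd", "london", 5_000,
            [Asset("aws", "us-east-1", 1.0)],
            Policy(limit=500_000, retention=25_000, waiting_hours=8)),
]
# A narrow single-data-centre outage and a broad regional blackout (constructed)
US_EAST_1_OUTAGE = Scenario("aws us-east-1 outage", 72, frozenset({"aws"}), frozenset({"us-east-1"}))
EAST_US_BLACKOUT = Scenario("Eastern US blackout", 48, regions=frozenset({"us-east-1", "new-york"}))
AWS_MARKET_SHARE = 0.33  # constructed figure for the broad-brush comparison


def main():
    for scenario in (US_EAST_1_OUTAGE, EAST_US_BLACKOUT):
        rows, total = model_footprint(PORTFOLIO, scenario)
        print(f"\n{scenario.name} ({scenario.duration_hours}h), footprint model")
        for name, share, gross, ceded in rows:
            print(f"  {name:<13} affected {share:4.0%}  gross {gross:>10,.0f}  ceded {ceded:>10,.0f}")
        print(f"  portfolio ceded {total:,.0f}; XoL 1m xs 500k recovers {layer_recovery(total, 500_000, 1_000_000):,.0f}")
    _, baseline = model_market_share(PORTFOLIO, US_EAST_1_OUTAGE, AWS_MARKET_SHARE)
    print(f"\nMarket-share model, same us-east-1 outage: {baseline:,.0f}")


if __name__ == "__main__":
    main()
```

Run as a script, the footprint model puts the whole of the us-east-1 outage loss on the two European insureds and none on the New York firm, whereas the market-share model spreads a smaller total evenly across all three and so understates the aggregate for this portfolio. The blackout scenario shows the reverse of what headquarters alone would suggest: the New York firm contributes the smallest share because only its own data centre is in the affected region.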

The great news is that KYND's data and modelling offers a way to quantify these relevant, smaller and more nuanced scenarios. Our granular data on the infrastructure of each insured allows us to identify the specific instances where these unusual points of accumulation occur, and to model the impact of new and varied scenarios. Importantly, we're able to develop bespoke scenarios with our insurance partners, producing analyses for the specific cases which are important to them. Our partners are also able to explore and configure these scenarios, adjusting the severity and the specific details of each event.

At KYND we're always looking for ways to help our partners see, understand and manage the cyber risk they care about. And our RDS models represent a significant step forward, with improved accuracy, relevance and configurability to provide valuable insights into the impact of varied RDSs for (re)insurers. If you'd like to learn more or see how KYND can support your portfolio assessment, get in touch!
