Sorry, Warren Buffett. Cyber Risk Can Be Quantified for Cyber Insurance

December 14, 2019  Jeff B. Copeland

An extensive article from Bloomberg, Merck Cyberattack’s $1.3 Billion Question: Was It an Act of War? details the pharmaceutical company’s lawsuit to collect on cyber insurance for the devastating 2017 NotPetya attack. The insurance companies argue that the damage resulted from an act of war (a Russian cyber attack on Ukraine that spread to knock out systems worldwide) and therefore was not covered by Merck’s property insurance. Merck argues that NotPetya was a cyber event like any other hack.

The article is a cautionary tale about the need to get clarity on just what’s covered and what’s excluded in policies that cover cyber-related risks, a key point for anyone evaluating insurance.

But then it goes on to cite Warren Buffett, whose Berkshire Hathaway owns GEICO and other insurers: Anyone who says they have a firm grasp on this kind of risk “is kidding themselves.”

Now, wait a minute. Far be it from us to question the smarts of one of the world’s smartest investors. But RiskLens customers routinely use the RiskLens cyber risk quantification platform, built on the FAIR™ model, to get a grasp on cyber risk for the purpose of making “treat or transfer” decisions on buying insurance vs. investing in cybersecurity controls.

We recognize that the NotPetya attack was a mind-boggling, worst-case scenario: malware that behaved like ransomware but was designed purely for destruction and released untargeted into the wild. But we put our faith in the ability of the FAIR model to break down any risk scenario into quantifiable factors that can be combined to put a price on cyber risk as a range of probable outcomes over time.

The starting point for an insurance decision supported by the RiskLens platform is identifying an organization’s top risks, in other words, the scenarios that would result in the biggest losses – say, sophisticated hackers planting ransomware that knocks out a system that runs a key production facility.

Scary, but ultimately quantifiable. Organizations typically have records on, for instance…

  • Frequency of ransomware attacks that have been cleaned up and strength of controls in countering them
  • Magnitude of costs associated with business interruption, as well as remediation after attacks

…that make up the data that feeds into the RiskLens platform to produce a Monte Carlo-style output showing risk as a range of probable losses in financial terms, for instance, from everyday ransomware attacks to the rare NotPetya event. The platform can account for not just direct costs of business interruption but also the secondary costs that might result from lawsuits and fines.

Next, the RiskLens platform’s versioning capability shows the potential effect of various defensive measures that might reduce frequency or magnitude and thereby reduce risk. Decision makers can see the return on investment for controls or process improvements, compare risk levels to their risk appetite and then compare the relative costs of investing in security or paying insurance premiums.
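The frequency-times-magnitude reasoning of the last two paragraphs, as an added illustration written for this page (not RiskLens’s platform or the FAIR standard’s own implementation): a small FAIR-style Monte Carlo that turns calibrated ranges for loss event frequency and loss magnitude into an annualized loss range, then compares a “versioned” scenario with stronger controls against the baseline and against a premium. The dollar figures, the triangular sampling (FAIR tooling typically uses a PERT distribution) and the assumption that hardening halves event frequency are all constructed for the example.

```python
import math
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class Range:
    """Calibrated min / most-likely / max estimate; sampled as triangular (FAIR tooling uses PERT)."""
    low: float
    likely: float
    high: float
    def draw(self, rng): return rng.triangular(self.low, self.high, self.likely)

@dataclass(frozen=True)
class Scenario:
    lef: Range             # loss event frequency: loss events per year
    primary: Range         # business interruption + remediation cost, per event
    secondary: Range       # lawsuits and fines, per event that escalates
    secondary_prob: float  # chance that an event escalates to secondary loss

def _poisson(rng: random.Random, lam: float) -> int:
    """Number of loss events in one simulated year (Knuth's method; fine for small lam)."""
    limit, k, p = math.exp(-lam), 0, rng.random()
    while p > limit:
        k, p = k + 1, p * rng.random()
    return k

def simulate(scn: Scenario, trials: int = 20_000, seed: int = 7) -> dict:
    """Mean and percentile annualized loss exposure (ALE) over many simulated years."""
    rng = random.Random(seed)
    yearly = []
    for _ in range(trials):
        total = 0.0
        for _ in range(_poisson(rng, scn.lef.draw(rng))):
            total += scn.primary.draw(rng)
            if rng.random() < scn.secondary_prob:
                total += scn.secondary.draw(rng)
        yearly.append(total)
    yearly.sort()
    pct = lambda q: yearly[min(len(yearly) - 1, int(q * len(yearly)))]
    return {"mean": sum(yearly) / len(yearly), "p50": pct(0.5), "p90": pct(0.9), "p99": pct(0.99)}

# Constructed figures for the page's scenario: ransomware knocking out a key production facility.
BASELINE = Scenario(Range(0.1, 0.3, 0.8), Range(200e3, 800e3, 5e6), Range(100e3, 500e3, 3e6), 0.3)
# "Versioned" scenario: stronger controls assumed (for illustration) to roughly halve frequency.
TREATED = Scenario(Range(0.05, 0.15, 0.4), Range(200e3, 800e3, 5e6), Range(100e3, 500e3, 3e6), 0.3)

def treat_vs_transfer(control_cost: float, premium: float) -> dict:
    # Yearly control cost against the ALE it removes, and the premium against baseline ALE.
    base, hard = simulate(BASELINE), simulate(TREATED)
    return {"baseline": base, "treated": hard, "premium_minus_ale": premium - base["mean"],
            "control_net_benefit": base["mean"] - hard["mean"] - control_cost}
```

Because the loss distribution is long-tailed, the median year is often zero while the 99th percentile carries the NotPetya-class outcomes; that spread, not a single expected value, is what a treat-or-transfer decision should be weighed against.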

“Frankly, I don’t think we or anybody else really knows what they’re doing when writing cyber,” the Bloomberg article quotes Buffett, speaking from the point of view of the insurers. All the more reason for the insured to take the initiative with a clear, quantified view of cyber risk.

For a deeper dive, read this RiskLens case study:

Analyzing the Financial Risk of Ransomware with RiskLens