The feasibility of cyber-risk management to ensure social good

Global commerce is undergoing a profound digital transformation. As it becomes increasingly electronic and IoT/5G-driven, critical exposures in this sector are getting highly data-driven. As a result, the majority of modern business and economic risks are subsequently becoming cyber in nature. More importantly such cyber-risks are often networked and accumulate in a variety of different ways, thereby affecting many lines of business. As an example, commercial companies in diverse sectors such as automobiles, electronics, energy, finance, aerospace, etc., and their mutual trading relationships are characterized by systemic network linkages through major software providers (e.g., Oracle). A zero day attack motivated by a vulnerability in an Oracle DBMS release can have a catastrophic cascading service disruption effect that might amount to net commercial losses worth billions of dollars across the various service sectors. This will generate a ‘cyber-COVID’ like impact analogous to the recent human COVID19 outbreak on modern businesses. Popularly documented cyber-attack examples include the recent Mirai DDoS and WannaCry ransomware attacks caused havoc among firms in various industries across the globe, resulting in huge financial losses for the firms.

In the wake of huge cyber-attack induced losses in the past half-decade on firms like Sony and Target, risk mitigation has become a top board-level concern across many organizations worldwide. As a result, transfer based risk management products like cyber-insurance, which currently has a rapidly growing market, is a major go-to solution for the current corporate sector worldwide, in the event of a cyber-attack. However, market surveys suggest that demand for cyber-insurance (~USD 450 billion a year) significantly exceeds the capacity currently provided (~USD 10 billion a year) by the insurance industry. The primary reason that most insurers give for being cautious about expanding capacity is the accumulation risk posed by cyber-threats. The main fear among insurers here is that cyber-threats are inherently scalable and systemic through their spread via network interconnectivity - a single malicious email generated by a botnet activity as part of a social engineering attack can result in an entire organization becoming dysfunctional with respect to the service it provides, and in turn potentially affecting business services of all other organizations that depend on it.

In the event of cascading service disruptions due to a major cyber-attack, if all these organizations were to hold responsible their parent organization(s) on which they depend on for providing services, it is quite likely that the insurance company of a certain root organization would need to bear the responsibility of covering a huge aggregate/accumulated risk of all or multiple organizations in the service chain. There is a certain scepticism in the risk management community that shouldering this responsibility clearly may not be aligned with satisfying the budget constraints and profit requirements of most commercial risk-averse cyber-insurers, leave alone risk-tracking and risk-data availability challenges they might need to overcome to implement accumulative coverage policies.

A global multi-university research team (led by Ranjan Pal) comprising ourselves, Mingyan Liu of University of Michigan (Ann Arbor), Jonathan Crowcroft and Frank Kelly of University of Cambridge, Nishanth Sastry of King's College (London), Ziyuan Huang and Xinlong Yin  of University of Michigan (Ann Arbor), Sergey Lototsky, Leana Golubchik, and Konstantinos Psounis of University of Southern California, Tathagatha Bandyopadhyay of Indian Institute of Management Ahmedabad, Pan Hui of HKUST, Sasu Tarkoma of University of Helsinki, and Swades De of Indian Institute of Technology Delhi cracked multiple open problems from an economics and mathematical statistics viewpoint and focused on the common goal to judge the feasibility of profitable catastrophic cyber-risk management for the Industrial Internet of Things (IIoT) age ensuring social good. More specifically, the team investigated interesting but extremely critical cases of the dependence of (a) light and heavy tailed statistical cyber-risk distributions that characterize modern cyber-attacks, and (b) the underlying business network among organizations that tie the service market today, on the mathematical profitability/feasibility of cyber-risk management business (e.g., those run by insurance and re-insurance companies). From the supplier side of cyber-risk management solutions, both (a) and (b) are thought to be major factors whose complete knowledge is unavailable to the suppliers and consequently contribute to the apriori mentioned current scepticism. 

Through a rigorous mathematical investigation and detailed experimental validation conducted for three years, the team laid to rest the scepticism that a successful cyber-risk management business will be under threat in the modern digital era due to the absence of complete knowledge of (a) and (b) by risk managers. Their research sends out a clear message for society to embrace commercial cyber-risk management solutions for the better, alongside some mild and practically feasible do’s and don’t’s of human cyber-behavior that need to be adopted for a secure cyber-space. In terms of the overall social impact, the results will provide confidence to risk-averse cyber-risk managers such as insurance and re-insurance companies to expand their businesses in the modern cyber-era. This will positively contribute to a society’s economic security, psychological well-being, and global cyber-security in general - even in extreme scenarios of catastrophic cyber-wartimes. To the best of our knowledge, such impactful mathematically provable results achieved by the team using  minimal information related to business networks and/or cyber-attack statistics  is absent in the literature of cyber-insurance, be it for catastrophic cyber-attacks or otherwise – the efforts are completely new and eye-opening.

Authored by Ranjan Pal (University of Michigan Ann Arbor), Bodhibrata Nag (IIM Calcutta)

[This article has been published with permission from IIM Calcutta. www.iimcal.ac.in Views expressed are personal.]