Active Cyber Risk Modeling: a new approach to aggregate risk

Cyber threats are among the most pervasive threats facing most organizations: the World Economic Forum ranks cybercrime and cyber insecurity as the 8th most severe global risk over both two- and 10-year periods. Across the insurance industry, there is much discussion about the possibility of a catastrophic cyber incident resulting in significant simultaneous losses across many organizations or critical infrastructure, leading some insurers to claim that cyber risk is uninsurable. Unfortunately, the message these insurers deliver is clear: they don’t fully understand the risk, and organizations that purchase cyber insurance from them will get increasingly restrictive coverage or none.
By contrast, we believe (and are demonstrating) that (most) cyber risk is insurable and that the insurance industry is uniquely positioned and capable of mitigating and protecting organizations from this emerging risk. However, it will take a new, active approach, leading us to introduce our Active Cyber Risk Model, a practical framework for understanding cyber risk aggregation.
How did we get here?
The horrific terrorist attacks on September 11, 2001, resulted in an immeasurable loss of human life and catastrophic economic losses. The attacks also reshaped the insurance industry. Many insurers faced massive, business-ending losses as they assisted the victims and the rebuilding of Manhattan and other areas impacted by the attacks.
In hindsight, insurers realized they couldn’t anticipate or sustain catastrophic terrorism risk, and they responded with significant PR and lobbying efforts to establish a government backstop for the industry. This backstop, known as the Terrorism Risk and Insurance Act (TRIA), is funded through a tax added to every commercial insurance policy. But, more importantly, TRIA set a precedent for insurers to push ill-understood risks onto their customers and taxpayers rather than develop new means to underwrite and mitigate them. Many are now calling for a similar government backstop for catastrophic cyber attacks.
If we set aside acts of cyber terrorism, already backstopped by TRIA, which could conceivably spill over across many lines of insurance, causing catastrophic damage akin to 9/11, the leading cause for concern across the cyber (re)insurance industry is cyberattacks that could impact many organizations at once.
Cyber is a different kind of risk
With the widespread adoption of digital technology, cyber insurers fear a single event could cause losses across many policyholders due to shared technology infrastructure, such as cloud computing, or vulnerabilities in ubiquitous software and hardware products. Although the insurance industry has yet to experience a systemic cyber event resulting in catastrophic financial loss, this hasn’t stopped the ill- and uninformed from pushing narratives of fear, uncertainty, and doubt, most notably claiming that cyber is "uninsurable."
Some legacy insurance companies make this claim primarily because they lack the technology and expertise to assess cyber risk. Instead, they would prefer to push responsibility onto their customers or the taxpayer rather than innovate to develop new underwriting capabilities.
They also fail to recognize that cyber risk fundamentally differs from terrorism risk. Unlike terrorism, a vulnerability or failure of a particular technology is measurable, and the probability and breadth of exploitation or failure can be predicted. While many insurers claim they don’t have enough data to assess cyber risk, the irony is that there has never been more data available to do so than there is now. Moreover, more data exists to quantify cyber risk than almost any other risk. Yet most insurers simply don’t have or use it. What separates active cyber insurers from legacy insurers is the right tools and systems to measure risk and dramatically mitigate its impact on organizations.
New risks require a new approach
Today we’re releasing our Active Cyber Risk Model. We built a bottom-up, technology- and threat-specific model that provides an ongoing view into organizations' cyber risks and identifies preventative measures to protect organizations from new threats.
Built on our proprietary data collection platform and knowledge graph, which captures over 48 trillion events per month, our ground-up model gives us a more accurate picture of cyber risk for individual organizations and whole economies. We built this data collection technology in-house to actively monitor the security of all internet addressable devices and the ever-changing landscape of cyber attack vectors. Instead of relying on historical threat data, we actively monitor actual vulnerabilities and attacks as they are happening across hundreds of thousands of companies.
The report, released alongside this new model, explains the concept of aggregation technologies and vendors (ATVs), the shared technology infrastructure that fuels aggregate cyber risk. While our knowledge graph allows us to observe the ATVs of an organization individually, the model helps us understand our exposure at a portfolio level.
Cyber risk is insurable if you have the correct data and approach.
The model demonstrates that ATVs and cyber risks aren't as interconnected as often assumed, indicating that the failure of an ATV, even one that at surface level is ubiquitous, will likely be localized. For example, imagine an outage of a cloud computing provider such as Amazon Web Services (AWS), Microsoft Azure, or Google Cloud. Each of these ATVs operates hundreds of thousands of physical servers and millions of virtual machines across an equally large number of network segments from data centers around the globe. However, the infrastructure and operations of each ATV are highly segmented, preventing a failure of any one element from spilling over to another.
If a cloud services provider were to go down, it’s improbable (if not nearly impossible outside of an extinction event) that this would happen globally; more likely, it would impact a specific service segment and all of the organizations reliant on that segment. But, more importantly, our platform allows us to actively determine which organizations would be affected by an outage in a given segment (be that a particular data center or network segment) and appropriately manage our portfolio to our risk parameters.
In other words, our model allows us to determine the technologies each individual organization employs and understand how an attack vector or technology failure could aggregate across our portfolio. Make no mistake; we believe a cyber event could be very large, although we also believe it will be manageable.
Comprehensive protection with Active Insurance
While our Active Cyber Risk Model gives us the unique capability to measure aggregate risk, our Active Insurance capabilities allow us to prevent and contain attacks before, after, and even as they happen, which means we can stop the impact of even widespread vulnerabilities. We continuously monitor our customers' vulnerabilities, technology configurations, and risk exposures. In 2022 alone, we sent over 43,000 notifications of critical vulnerabilities that, left unaddressed, would have dramatically increased the loss frequency across our portfolio.
To fix the issues we identify, we send detailed security recommendations and provide self-service resolution methods and on-demand access to our security support team. As a result, in 2022 alone, we observed a 43% reduction in customers with critical vulnerabilities. Should an incident occur, we also maintain a team of in-house security professionals available 24/7/365 to help our policyholders respond to and contain losses. The result is that our policyholders report claims at a considerably lower frequency than the industry average, and when they occur, they tend to be less severe.
Simply put, organizations purchasing cyber insurance from Coalition are less likely to experience a loss, and our Active Insurance capabilities allow us to mitigate the impact of even widespread vulnerabilities.
The way forward for the insurance industry is Active Cyber Risk Modeling
While many of our capabilities are proprietary, we’re releasing our Active Cyber Risk Model now to help light the path forward for the entire industry. We’re demonstrating that most cyber risk is, in fact, insurable, and certainly as it is affirmatively covered in cyber insurance policies. Active Cyber Risk Modeling and Active Insurance capabilities give us and (re)insurance partners the clarity and confidence to meet our customers' ongoing needs, protect organizations of all sizes, and expand into new markets. We call upon and look forward to collaborating with our partners and peers to continue improving the Active Cyber Risk Model and developing new technologies to underwrite and manage cyber risk.
Download the Active Cyber Risk Aggregation Modeling Report today.











