Emerging Risks | Research | Society of Actuaries

Emerging Cyber Risks

Winning NAAJ paper presents framework for measuring effects of cyber incidents

SOA Staff December 2024

Photo: Getty Images/Moor Studio

Digital technology is everywhere in contemporary life and offers unprecedented efficiencies and convenience. But it brings many risks, too. Faulty software updates, internet outages due to cyberattacks, customer data breaches, hacked email accounts—the wave of headlines about cyber incidents seems unrelenting. In May 2024, the Society of Actuaries (SOA) Research Institute surveyed risk managers, and respondents noted that cyber and network incidents ranked second in a list of top five emerging risks. However, consistent methods to assess these risks have been in short supply.

The North American Actuarial Journal (NAAJ) Editorial Board awarded the 2023 annual prize for the best paper to “The Economic Impact of Extreme Cyber Risk Scenarios.” Written by Martin Eling, Mauro Elvedi and Greg Falco, and published in Volume 27, Issue 3 of the NAAJ, the winning paper addresses the need for a standardized framework to analyze and compare the economic impacts of different cyber risk scenarios.

Addressing an Urgent Need

“Existing studies often lacked a standardized methodology, making it difficult to compare results or apply findings across different contexts,” said Eling, professor of Insurance Economics and chair for Insurance Management at the University of St. Gallen, Switzerland, and one of the paper’s coauthors. “The lack of historical data due to underreporting of cyber incidents further complicated risk assessments.”

It was these challenges, along with the growing interdependence of critical infrastructure across sectors, that inspired Eling and coauthors Falco, assistant professor at the Sibley School of Mechanical and Aerospace Engineering and the Systems Engineering Program at Cornell University, and Elvedi, who was a Ph.D. student at the Institute of Insurance Economics, University of St. Gallen, to systemically analyze cyber incidents and develop a consistent framework for others to use across sectors and regions.

Merging Complementary Skills During a Lockdown

Eling and Elvedi lived in Switzerland and Falco resided in California during the time they researched and wrote the paper. The COVID-19 pandemic lockdown further complicated this international collaboration. As with the rest of the world, technology, such as Zoom video calls, proved essential in enabling the team to continue their work while isolated at home.

For More Information

Learn more about the framework and methodology for analyzing cyber scenarios in the prize-winning NAAJ article, “The Economic Impact of Extreme Cyber Risk Scenarios.”
Read about the NAAJ 2021 prize-winning article and the 2022 prize-winning article in The Actuary.
A complete list of past NAAJ prize-winners is available at SOA.org. Members can access all other NAAJ content using their SOA login information.

Also, the team members applied their complementary expertise to reach their goals.

“I’m a cyber technical expert, so I brought the technological depth,” explained Falco. “We drew on some of my dissertation work that created methodologies to determine how someone might disrupt systems or how they might fail. Eling and Elvedi brought insight into putting numbers to the effects, quantifying the extent of these hypothetical failures.”

As a result, the team integrated qualitative scenario descriptions with quantitative economic impact analysis to provide a more holistic view of cyber risks.

“Our approach allows for the comparison of diverse scenarios within a standardized model,” added Eling. “This not only improves the accuracy of the economic impact estimates but also enhances the replicability and scalability of the results.”

Understanding Cyber Risks and More

The team was a bit surprised to find how much the economic impacts of different scenarios could vary within the standardized framework. Also, they found that even the severe economic outcomes of some scenarios were still less than those of natural disasters like earthquakes or tsunamis. This, in turn, suggested to the team that while cyber risks are significant, they might still be insurable.

The authors anticipate their paper will assist actuaries, insurance professionals, risk managers, policymakers and researchers in the fields of economics and cybersecurity. The methodology provides a way to understand the ripple effects of cyber incidents across sectors and includes sensitivity analysis.

Furthermore, because it’s both replicable and scalable, it can be useful for future research. It could have practical applications in risk management, potentially leading to the development of cyber insurance products. Finally, it is designed to be adaptable in different national and regional contexts, making the framework capable of comparing international incidents and developing global strategies.

“We hope our paper lays the groundwork for other sectors that never thought to quantify what the scale of the risk looks like,” said Falco. “We see AI risk and insurability as the next opportunity in this sector. We don’t have enough case studies to write a paper specifically about AI yet, but this is what people should expect soon.”

Martin Eling is a professor of Insurance Economics and chair for Insurance Management at the University of St. Gallen, Switzerland.

Greg Falco is assistant professor at the Sibley School of Mechanical and Aerospace Engineering and the Systems Engineering Program at Cornell University.

Mauro Elvedi is head of management assistance at Bank Frick, Liechtenstein.

Statements of fact and opinions expressed herein are those of the individual authors and are not necessarily those of the Society of Actuaries or the respective authors’ employers.