<a href="https://colab.research.google.com/github/jhmartel/fp/blob/master/_notebooks/2022-03-25-Insurance.ipynb" target="_parent"><img src="https://colab.research.google.com/assets/colab-badge.svg" alt="Open In Colab"/></a>

# "Cyber Risk and (Un)Insurability"

> "Brief intro to the problem of cyber insurance..."

- toc: false
- branch: master
- badges: true
- comments: true
- categories: [cyber insurance]
- hide: false
- search_exclude: true


The market for cyber insurance appears relatively small compared to other conventional insurance markets. This raises the very interesting question "Is Cyber Risk Insurable?".

In an extreme sense, all events are insurable; the insurer might simply be driven to ruin and lose everything. So more specifically, not all events can be _consistently profitably insured_. Insurance policies are wagers about the future costs of variable goods and services. A profitable insurance policy requires accurate forecasts of expected future costs. Moreover the distribution of these losses and events needs to be reasonably uncorrelated. This is the difficulty with insuring houses in flood zones, since a flood typically floods _all_ the houses in a given region, and not a house "here and there". On the other hand, house fires don't typically affect multiple houses at once (although fires do "spread", of course).

The question of which events _are_ profitably insurable was considered by Baruch Berliner in various articles. Berliner's insurability criteria are the following:



We are influenced by deFinetti's definition of probability in terms of Dutch books and wagers. It's not enough to say that an event has 50% probability, for everyone is entitled to their opinion on the probabilities; to _show_ that you believe the event has 50% probability means you will _wager_ on the outcome at anything better than 1:1 odds, i.e. you will happily buy a ticket paying 1 if the event occurs at any price below 0.50, and will happily sell such a ticket at any price above 0.50.

The story of insurance starts with a basic equation: $$Price=Cost+Profit.$$ The equation is almost tautological, simply expressing that "profit" is _defined_ as the difference between "price" and "cost".

For non-insurance companies, the production cost is known before the product is sold, and the price can be set to achieve a profit. This ensures that price exceeds cost, so the profit is positive ($>0$).

Insurance is much riskier. _"Insurance is a product which promises to do something in the future if certain events take place during a specified time period."_

Thus insurance needs to set a price _now_ to cover a cost that might arise in the _future_ during a specified time interval.

Ex. Insurance promises to pay for rebuilding a home in case of fire; or promises to pay for medical treatment if a worker is injured on the job.

Insurance is a type of _futures contract_, offering products and services in the future if a predetermined set of events occurs. However it's difficult for insurance to be profitable if, for example, the costs of those services are subject to change in the future. Thus an insurer needs to estimate the expected cost of its policies, and needs to set prices which will cover all expected costs. This is the business of _rate-making_.

Ratemaking in insurance has the goal of setting rates such that the premiums are expected to cover all costs and achieve the target underwriting profit. Some equivalent definitions:

* A profitable rate provides for all costs associated with the transfer of risk.
* A profitable rate is an estimate of the expected value of future costs.

Ratemaking is difficult when the costs are not known at the point of sale and need to be estimated.

N.B. Historic costs are only used to the extent that they provide valuable information for estimating future costs.

Similar to the futures and options financial markets, the most profitable position is to be a net seller to the market while being involved in both buying and selling of insurance contracts. Thus insurance firms also buy and sell insurance contracts between themselves in order to diversify their own risks, and as a means of locking in profit by transferring their risk to third parties. This is the business of _reinsurance_.


Are there uninsurable risks? 

Yes, according to the insurance companies, any risk that is _not measurable_ is considered uninsurable. 

Why? 

Because the insurance company cannot set rates with a reasonable expectation of profit. For example, it has recently been reported that up to 10% of houses risk becoming uninsurable due to the increase in local flooding, cf. ["‘Many, many’ Canadian homes could become uninsurable"](https://renx.ca/newsletter/residential-real-estate-news-2013-07-09/) and ["Uninsurable"](https://thenewdaily.com.au/finance/finance-news/2022/03/06/insurance-floods-climate/).


In other words, the actuaries are faced with a new reality, where the historical records are no longer relevant. Moreover, flooding typically threatens multiple houses simultaneously, and this compounded risk (or dependency) is dangerous for the insurer.


Ratemaking is related to estimates on the value at risk, or VaR. 

Ex. An asset may have a 3% one-month VaR of 2%, representing a 3% chance of the asset declining in value by at least 2% during the one-month time frame.

The VaR formalism introduces the notion of a _confidence level_ (the 3% above). [Incomplete].



So what about cyber security and cyber risk?

The goal of cyber insurance should be to transfer risk.

Claim: cyber insurance is essentially different from _indemnity insurance_. [how?].



1.   Unlike motor insurance, home insurance or life insurance, any firm offering cyber insurance has its own cyber risk (i.e. there is operational cyber risk within the insurance company itself). For example, one rarely needs to consider whether your car insurer is at risk of being in an accident, or whether your home insurance provider will have its offices destroyed. But any cyber insurance company, with its own IT infrastructure, will always face cyber risk itself.

2.   Motor insurance is protection for uncorrelated risks. Likewise home insurance claims do not usually result in simultaneous neighbouring claims, except in catastrophic natural events like hurricanes, floods, etc. Likewise a vehicular accident usually involves a minimal number of secondary vehicles (although multi-vehicle accidents do, of course, happen). But cyber risks are significantly correlated with each other [ref].
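To make the correlation point concrete, here is an added simulation (my own illustration, not from the original post or from any insurer) comparing two books of 200 policies with the same 5% marginal annual claim rate: one where claims are independent, and one where a "widespread event" (a worm, a shared cloud outage) hits every policy at once in 2% of years. All of these numbers are constructed assumptions. Expected claims per year are identical by construction; the 99th-percentile year, which is what the insurer must hold capital against, is not:

```python
import math
import random


def simulate_book(n_policies, p_claim, p_shock, trials, seed=7):
    """Annual claim counts for a book of n_policies, simulated `trials` times.

    Each policy has marginal annual claim probability p_claim.  With probability
    p_shock a "widespread event" hits the whole book and every policy claims at
    once; in other years policies claim independently at a reduced rate chosen
    so that the marginal probability stays exactly p_claim.  p_shock = 0 gives
    the fully independent book.  (Constructed model, not an actuarial standard.)
    """
    if not 0 <= p_shock <= p_claim:
        raise ValueError("need 0 <= p_shock <= p_claim")
    # Solve p_claim = p_shock + (1 - p_shock) * p_indep for the off-shock rate.
    p_indep = (p_claim - p_shock) / (1 - p_shock)
    rng = random.Random(seed)
    counts = []
    for _ in range(trials):
        if rng.random() < p_shock:
            counts.append(n_policies)  # everyone claims in the same year
        else:
            counts.append(sum(1 for _ in range(n_policies) if rng.random() < p_indep))
    return counts


def percentile(values, level):
    """Smallest value not exceeded in a fraction `level` of simulated years (e.g. 0.99)."""
    s = sorted(values)
    k = max(0, min(len(s) - 1, math.ceil(level * len(s)) - 1))
    return s[k]


def compare_books(n_policies=200, p_claim=0.05, p_shock=0.02, trials=5000):
    """(mean claims per year, 99th-percentile year) for the independent and shock books."""
    indep = simulate_book(n_policies, p_claim, 0.0, trials)
    shock = simulate_book(n_policies, p_claim, p_shock, trials)
    return {
        "independent": (sum(indep) / trials, percentile(indep, 0.99)),
        "common_shock": (sum(shock) / trials, percentile(shock, 0.99)),
    }


if __name__ == "__main__":
    for name, (mean, p99) in compare_books().items():
        print(f"{name:13s} expected claims/year = {mean:6.2f}   99th percentile = {p99:4d}")
```

With the defaults the independent book's 99th-percentile year is in the high teens, while the common-shock book's worst 1% of years is the entire book of 200 claims, despite the same expected loss of 10 claims per year. Pricing from expected loss alone says the two books are equally profitable; the capital needed to survive the tail says otherwise, which is the "maximum probable loss" question the reinsurer quotes later in this post keep coming back to.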

Quote: "Two properties distinguish cyber-risk from conventional risk. First, nowadays ICT resources are not isolated machines, but interconnected in a network. Their value largely emerges from this interconnection, therefore the analysis of risk and potential losses must take into account the inter-dependencies between connected nodes. Second, most ICT resources are universal automatons and thus have a dual nature: if operational, they generate value for its operators and therefore become loss sources when they malfunction; moreover, when abused or “taken over” by malicious attackers, benign nodes can become threats to other nodes."

[Extract from [ref]]

Def: We thus define cyber risk as “operational risks to information and technology assets that have consequences affecting the confidentiality, availability, or integrity of information or information systems” (Cebula and Young, 2010). In contrast to the property and liability category it is notable that cyber risk is a mixture of short- and long-tail risks, which can be of a first- and third-party nature. Cyber risk thus is a combination of both categories. In contrast to the terror and cat risk one striking result is that cyber is a low frequency/high severity risk with respect to extreme scenarios, but it also has a high frequency component, which we could call the cyber risks “of daily life” (e.g., hacker attacks). Again it seems that, unlike other risk categories, cyber is a mix of categories.









["Four Uninsurable Cyber Risks"](https://www.canadianunderwriter.ca/insurance/four-uninsurable-cyber-risks-1004214054/)



The following is taken from the above link [ref]. 

“Historically, in property insurance, damages caused by war have been seen as uninsurable,” said Tim Zeilman, vice president and global product owner-cyber, Hartford Steam Boiler, during an A.M. Best Company Inc. webinar. “I think the same is true for cyber.”

"Munich Re would deem a risk as insurable if it is measurable – if you are able to quantify what your exposure is," said Annamaria Landaverde, senior vice president and cyber team lead for Munich Re U.S.

Munich Re generally considers the following three categories of events as insurable:

* a widespread malware event;
* a cloud outage;
* a widespread data breach.

This is because the reinsurer could quantify its maximum probable loss, said Landaverde.

On the other hand, she said, the following three categories of widespread critical infrastructure outages are generally uninsurable:

* satellite communications;
* the Internet; and
* the electrical grid.

Munich Re would deem them uninsurable because – at least under a cyber policy – the reinsurer could not quantify the maximum probable loss, she suggested.

Then there is the category of war losses.

“I think it is just a question of adequately defining what war means from a cyber perspective. War has changed. Thinking about old-fashioned kinetic war may not make sense for cyber,” said Zeilman.

[Top Five Uninsurable Risks](https://riskandinsurance.com/top-five-uninsurable-risks/)

# Notes on Hubbard's Book.

The following are some notes based on my reading of "How to Measure Anything in Cybersecurity and Risk". They are basically direct quotations from the text.

Measurement is an observation that quantitatively reduces uncertainty. 
Equivalently, a measurement is a quantitatively expressed reduction of uncertainty on one or more observations. [p.21].

Probability: the idea, from Shannon, that we use probabilities because we lack perfect information. Quote from Ron Howard [p.25]: "...The whole idea of probability is to be able to describe by numbers your ignorance, or equivalently your knowledge. So no matter how knowledgeable or ignorant you are, that's going to determine what probabilities are consistent with that."

Example: someone wants performance metrics for IT security. But "what do you mean by 'IT security'?" Ask enough questions and they mean things like a reduction in intrusions and virus infections. These things impact the organization through fraud, lost productivity, or potential legal liabilities (e.g. if a laptop is stolen that contains private information about a lot of people!).

If X is something that we care about, then X, by definition, must be detectable in some way. How could we care about an undetectable event? If the event is detectable, then we can measure "more of it" or "less of it" along a relative scale.

Terms which are initially vague, like "threat capability", "damage to reputation" or "customer confidence", seem immeasurable at first, but they can be decomposed into lists of more specific things.

Measure of uncertainty: a set of probabilities assigned to a set of possibilities: "There is a 20% chance we will have a data breach sometime in the next five years."

Risk: A state of uncertainty where some of the possibilities involve a loss, catastrophe, or other undesirable outcomes. 

Measurement of Risk: a set of possibilities, each with quantified probabilities and quantified losses. "We believe there is a 10% chance that a data breach will result in a legal liability exceeding $10 million."

Need to unlearn the term "statistically significant".

Cases that seem immeasurable but are routinely measured:

* Measuring with very small random samples of a very large population.
* Measuring when many other, even unknown, variables are involved. E.g. we can estimate how much a new security control reduced risk even when there are many other factors affecting whether or not losses due to cyberattacks occur.
* Measuring the risk of rare events.
* Measuring subjective preferences and values.


# Hubbard and Rule of Five:

Consider a random sample of five of anything: e.g., time spent by employees on websites, or a survey of firms in some industry reporting cybersecurity budgets.

_What is the chance that the median of the entire population is between the largest and smallest of that sample of five?_

The answer is 93.75%. 

For the sample to fail to contain the population median between its smallest and largest values, all five draws must lie on the same side of the median. Each draw independently falls above or below the median with probability $1/2$, so this amounts to flipping a fair coin five times and getting HHHHH or TTTTT: probability $2/2^5 = 1/16 = 6.25\%$, leaving $93.75\%$. Nothing in the argument depends on the shape of the distribution.
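An added check of the claim (my code, not Hubbard's or the original post's): the formula for a general sample size $n$, the smallest $n$ for a target confidence, and a simulation on a constructed, heavily right-skewed population, since the coin-flip argument never uses the shape of the distribution. The lognormal parameters of the population are arbitrary assumptions.

```python
import random


def median_in_sample_range_probability(n):
    """P(population median lies between the min and max of n independent draws).

    Each draw lands above the median with probability 1/2, so the sample range
    misses the median only when all n draws fall on the same side: 2 * (1/2)**n.
    For n = 5 this gives 1 - 2/32 = 0.9375, Hubbard's "Rule of Five".
    """
    return 1 - 2 * 0.5 ** n


def samples_needed(confidence):
    """Smallest n whose sample range brackets the median with at least `confidence`."""
    n = 1
    while median_in_sample_range_probability(n) < confidence:
        n += 1
    return n


def skewed_population(size, seed=1):
    """Constructed stand-in for e.g. firms' security budgets: lognormal, heavy right tail."""
    rng = random.Random(seed)
    return [rng.lognormvariate(12.0, 1.2) for _ in range(size)]


def simulate_bracket_rate(population, n, trials, seed=2):
    """Empirical fraction of n-draw samples whose [min, max] contains the population median."""
    rng = random.Random(seed)
    s = sorted(population)
    median = s[len(s) // 2]  # use an odd-sized population so the median is an element
    hits = 0
    for _ in range(trials):
        sample = [rng.choice(population) for _ in range(n)]
        if min(sample) <= median <= max(sample):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    pop = skewed_population(100_001)
    print(f"theory,    n=5: {median_in_sample_range_probability(5):.4f}")
    print(f"simulated, n=5: {simulate_bracket_rate(pop, 5, 20_000):.4f}")
    print(f"draws needed for 99%: {samples_needed(0.99)}")
```

The simulated rate lands within a few tenths of a percent of 0.9375 even though the population's mean is nowhere near its median, which is the whole point: five draws tell you something distribution-free about the median, and eight draws already get you past 99%.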

Here are the hypotheses: 
1. No matter how complex or "unique" your measurement problem seems, assume it has been measured before. 

2. If you are resourceful, you can probably find more sources of data than you first thought.

3. You probably need less data than your intuition tells you -- this is actually even more the case when you have a lot of uncertainty now.



Instead of rating the likelihood on a scale of 1 to 5, Hubbard's method substitutes estimating the probability of the event occurring in a given period of time (e.g. 1 year): "Event X has a 10% chance of occurring in the next 12 months".

Instead of rating impact on a scale of 1 to 5, substitute estimating a 90% confidence interval for the monetized loss: "If event X occurs, there is a 90% chance the loss will be between 1 million and 8 million."

Instead of plotting likelihood and impact scores on a risk matrix, substitute using the quantitative likelihood and impact to generate a "loss exceedance curve" via a Monte Carlo simulation.

Instead of further dividing the risk matrix into risk categories or red/yellow/green, compare the loss exceedance curve to a risk tolerance curve and prioritize actions based on return on mitigation.
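An added worked example of the four substitutions above, which also makes concrete the VaR notion from earlier in the post (VaR is the loss exceedance curve read sideways). It is my illustration, not code from Hubbard's book or from the original post. It assumes a constructed three-event risk register, turns each 90% interval into a lognormal severity (the usual choice for a calibrated "between 1 and 8 million" estimate; the fit is an assumption, not something the text prescribes), and compares the simulated curve against a constructed tolerance curve:

```python
import math
import random

Z90 = 1.6449  # normal quantile for a two-sided 90% interval (5th and 95th percentiles)


def lognormal_from_ci90(lo, hi):
    """Lognormal (mu, sigma) whose 5th/95th percentiles equal the expert's 90% CI (lo, hi).

    ln(loss) is normal with mean mu and sd sigma, so mu is the midpoint of
    ln(lo), ln(hi) and sigma is half their gap divided by Z90.
    """
    if not 0 < lo < hi:
        raise ValueError("need 0 < lo < hi")
    mu = (math.log(lo) + math.log(hi)) / 2
    sigma = (math.log(hi) - math.log(lo)) / (2 * Z90)
    return mu, sigma


# Constructed risk register (assumed values): annual probability and 90% CI on loss.
RISK_REGISTER = [
    {"event": "ransomware outage", "p_annual": 0.10, "ci90": (1e6, 8e6)},
    {"event": "customer data breach", "p_annual": 0.05, "ci90": (2e6, 20e6)},
    {"event": "vendor compromise", "p_annual": 0.15, "ci90": (1e5, 2e6)},
]


def simulate_annual_losses(register, trials=20_000, seed=11):
    """Monte Carlo total loss per year: each event fires with its probability and,
    if it fires, draws a severity from its fitted lognormal."""
    rng = random.Random(seed)
    params = [(r["p_annual"], *lognormal_from_ci90(*r["ci90"])) for r in register]
    losses = []
    for _ in range(trials):
        total = 0.0
        for p, mu, sigma in params:
            if rng.random() < p:
                total += rng.lognormvariate(mu, sigma)
        losses.append(total)
    return losses


def exceedance_prob(losses, threshold):
    """P(annual loss > threshold): one point on the loss exceedance curve."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def loss_exceedance_curve(losses, thresholds):
    return [(t, exceedance_prob(losses, t)) for t in thresholds]


def value_at_risk(losses, alpha):
    """Loss level exceeded with probability at most alpha (alpha=0.05 -> 95% VaR)."""
    s = sorted(losses)
    k = max(0, min(len(s) - 1, math.ceil((1 - alpha) * len(s)) - 1))
    return s[k]


def tolerance_breaches(curve, tolerance):
    """Thresholds where the simulated exceedance probability is above what the
    risk tolerance curve allows; `tolerance` maps threshold -> max acceptable probability."""
    return [t for t, p in curve if t in tolerance and p > tolerance[t]]


if __name__ == "__main__":
    losses = simulate_annual_losses(RISK_REGISTER)
    thresholds = [1e6, 5e6, 10e6, 20e6]
    tolerance = {1e6: 0.20, 5e6: 0.05, 10e6: 0.02, 20e6: 0.005}  # constructed
    curve = loss_exceedance_curve(losses, thresholds)
    for t, p in curve:
        print(f"P(loss > ${t / 1e6:5.1f}M) = {p:.3f}   tolerance {tolerance[t]:.3f}")
    print("95% VaR:", round(value_at_risk(losses, 0.05)))
    print("tolerance breaches at:", tolerance_breaches(curve, tolerance))
```

The 90% interval pins the lognormal down exactly: the median is the geometric mean of the two bounds and the spread is $\ln(hi/lo)/(2 \cdot 1.6449)$, so "between 1 and 8 million" has median about 2.8 million with a long right tail. Every threshold at which the simulated curve sits above the tolerance curve is a place where a control (or an insurance policy) has to buy the exceedance probability down; the return on mitigation is the drop in the curve per dollar spent.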

The inputs thus form a table: Events | Assigned Probabilities | Range of Losses.

The outputs are risk curves, i.e. loss exceedance curves.

To a subjectivist, a probability merely describes what a person knows, whether or not the uncertainty involves a fixed fact, such as the true mean of a population, as long as it is unrevealed to the observer. Using probabilities (and confidence intervals) as an expression of uncertainty is the practical approach for making risky decisions.

Note by JHM: Here we diverge somewhat from Hubbard in his interpretation of the subjectivist view. For what is the confidence interval? What does it mean to have a 90% confidence that X occurs?

Enter deFinetti's definition of operational probabilities, namely as the wagering rate for the event. If a person has 90% confidence that X happens, then are they willing to take an 8:1 bet on the outcome of event X happening? So here perhaps the event X is not repeatable, but then we can imagine a population of bettors who are looking to wager on the event X, each having their _own_ subjective probabilities.
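An added illustration of the wagering definition used at the top of the post and in this note (my code, not the original post's): a bettor who quotes prices for tickets on a set of mutually exclusive, exhaustive outcomes is coherent exactly when the prices sum to 1; otherwise a bookmaker can take a combination of those bets that wins whatever happens, which is deFinetti's Dutch-book argument. It also turns a stated confidence into the odds the bettor is committed to (90% is 9:1, so an 8:1 bet is better than fair for them). The events and quoted prices are constructed.

```python
from fractions import Fraction


def fair_odds(p):
    """Odds a bettor with operational probability p is committed to: they stake p
    to win 1 - p, quoted as for:against in lowest terms.  p = 0.9 -> (9, 1)."""
    p = Fraction(str(p))  # str() keeps "0.9" exact instead of the binary float
    if not 0 < p < 1:
        raise ValueError("need 0 < p < 1")
    r = p / (1 - p)
    return r.numerator, r.denominator


def dutch_book(prices):
    """`prices` maps each event of a mutually exclusive, exhaustive set to the price
    the bettor quotes for a ticket paying 1 if that event occurs (they will buy or
    sell at that price).  Returns our position per event (+1: buy a ticket from the
    bettor, -1: sell one to the bettor) that profits in every outcome, or None when
    the prices are coherent (sum to 1)."""
    total = sum(Fraction(str(p)) for p in prices.values())
    if total == 1:
        return None
    # Prices summing above 1: sell the bettor one ticket on every event, collect
    # `total`, pay out exactly 1 whatever happens.  Below 1: buy one of each.
    position = -1 if total > 1 else 1
    return {event: position for event in prices}


def settle(prices, book, outcome):
    """Our profit from `book` once `outcome` (one of the events) has occurred."""
    profit = Fraction(0)
    for event, position in book.items():
        payout = 1 if event == outcome else 0
        profit += position * (payout - Fraction(str(prices[event])))
    return profit


def guaranteed_profit(prices):
    """The sure profit a Dutch book extracts from these prices, or 0 if coherent."""
    book = dutch_book(prices)
    if book is None:
        return Fraction(0)
    return min(settle(prices, book, outcome) for outcome in prices)


if __name__ == "__main__":
    # Constructed: the bettor is 20% on a breach and 90% on no breach (sums to 1.1).
    quoted = {"breach within 5 years": "0.20", "no breach within 5 years": "0.90"}
    print("fair odds at 90% confidence:", fair_odds("0.9"))
    print("book against these prices:", dutch_book(quoted))
    print("profit whatever happens:", guaranteed_profit(quoted))
```

Prices are kept as exact fractions so the "sure profit" is genuinely the same in every outcome rather than a floating-point coincidence. The argument says nothing about whether the bettor's 90% is well calibrated; it only says that a set of stated probabilities that is not even coherent is not a probability assignment at all, which is the minimal requirement before any of Hubbard's calibration training can be applied.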

