Commerce continues to embrace the Internet and to become dependent upon it and on related internal enterprise networks. Companies buy and sell and settle payments over the Internet. Companies attract prospects over the Internet and retain customers using the Internet. Companies communicate with customers, suppliers, and employees over the Internet. The more financial services companies, insurers, and other enterprises come to depend on the Internet as critical business infrastructure, the greater the cost of risk to business from perils on the Internet. Consequently, a novel method is needed (and presented here) to quantify Internet risks in order to rationally price financial risk-transfer instruments developed to mitigate business losses resulting from such Internet business risks.
Business operational risks must be quantified and rationalized for a commercial enterprise to safeguard its interest in maintaining continuity of service for its customers and for its own success in the face of perils, including those that may be considered unacceptable hazards, and of anomalies. From this principle, insurance and surety and performance bonds have become routine risk-transfer instruments for most commercial enterprises, covering business liabilities and fortuitous risks. Those instruments are based on actuarial tables and actuarial matrices informed by decades and sometimes centuries of event data and cost estimates, including (in the case of surety and performance bonds) estimates for the restoration of losses. Insurance companies characterize a covered party to categorize it within a cohort (a group of parties with similar risks), and then they calculate the realized risks based on that cohort's experience over time, and the costs of restoring the losses consequential to adverse events that may befall a member of the described cohort. This process allows the insurance companies to discover a rational price for a policy premium. Bond issuers, likewise, assess the risks to an enterprise based on actuarial data (for performance bonds) and the underwritten company's financial data (for debt instruments) to rate its risks and thereby arrive at a market price and, subsequently, a yield that will attract a market for a bond issue.
For a commercial enterprise to manage computer network risk with the same level of rationality it would apply to conventional business risk, risks related to the network (such as the Internet or an enterprise-managed internetwork) would have to be quantified in correlation to the infrastructure that the commercial enterprise engages when it joins a specific logical network topology (such as when it interoperates with the Internet or any other internetwork). Further, the characterization of that topology and the quantification of its performance and inherent risks must be kept current, since risks on the Internet are contemporaneous to conditions, which can change from moment to moment. Enterprise use of the Internet is susceptible to the same congestion, misconfigurations, accidents, natural disasters, terrorism, and vandalism that can affect anything else on the Internet. Outsourcing (for example, of Information Technology (IT) tasks, call centers, or accounting) requires additional network connectivity because the staff to whom tasks are outsourced are frequently not on site, but rather in a distant state or even country. Thus outsourcing introduces counterparty risk that includes not only the outsourced unit, but also the intervening components of the Internet (Internet Service Providers, exchanges, routers, and links) and the various governmental jurisdictions through which those components pass.
Internet risks include both those targeted at a specific enterprise, and those that are not targeted. Targeted risks include denial of service (DoS) attacks, unauthorized intrusion, theft of data and services, and terrorist attacks. Untargeted disasters may nonetheless be risks to enterprises. Such untargeted risks include equipment failure, power outages, cable cuts, congestion, routing misconfiguration, hurricanes, floods, and other natural disasters. Worms and viruses may be either targeted or untargeted. Untargeted Internet disasters are also known as cyberhurricanes.
Targeted risks may be somewhat ameliorated by intrusion detection and intrusion prevention. But untargeted risks can have effects outside the enterprise that are beyond the reach of intrusion detection and prevention. For both kinds, but especially for untargeted risks, insurance is an answer.
To date, however, the insurance industry and commercial finance houses have had no systematic regimen to recruit Internet performance event data and distill them into usable actuarial tables or actuarial matrices of any kind for Internet perils or Internet performance or Internet connectivity anomalies. The Internet performance insurance policies that have been developed over the past 10 years are considered to be market priced. This leaves uncertainty about the rationality of the premium prices that are charged for them. Those policies are typically named peril policies with detailed lists of exclusions and what are believed to be substantially up-priced premiums. Reinsurance companies have resisted entering the so-called Internet risk insurance market, given the uncertainty of the risks and the serious doubts surrounding the rationality of the prices on their premiums. That absence of wholesale market participation, meanwhile, is severely limiting the retail insurance carriers' ability to grow their markets for Internet risk insurance policies. At the same time, catastrophe bonds (or catastrophe-indexed notes or catastrophe-linked securities) have gained footholds in markets to hedge weather risk and re-insurer life insurance risk. Such bonds would be ideal risk-transfer instruments for Internet risk, and could supplement reinsurance carriers' participation. Yet Internet catastrophe bonds are stymied for lack of performance data or event data that could inform their underwriting regimens. Without regimens of the kind that are used to construct actuarial tables and matrices, the product lines for Internet risk policies will continue to be severely impeded and underwriters of Internet risk bonds will not have the actuarial tools required for issuing relevant hedge instruments.
New phenomena require new actuarial tables and new formulae for calculation of risk based on real event data. None currently exist for Internet risk.
Thus there is a long-felt need for a method, system, and ongoing service for quantifying Internet operational risk and for formulaic interpretation of those risks into probability models which insurers and bond underwriters can use in underwriting risk-transfer instruments such as insurance policies and bonds.