The problems associated with cyber risk are well known from the prior art; currently, an issue that attracts great attention is the search for appropriate technical solutions in order to minimize these risks or to manage them by other technical means, such as appropriate resource pooling systems that absorb the technical or natural consequences of the occurrence of a cyber risk event at risk exposure components, e.g. at industrial or technical facilities or other functional units. In both cases, the risk exposure, i.e. the probability of the occurrence of a risk event and its potential impact on the operation of the risk exposure components, is an important factor.
Cyber risks relate to at least these three fundamental cyber risk classes: (a) damage to own digital assets—which are normally not considered tangible property (e.g., data, software)—and/or physical damage to assets incidental to the occurrence of cyber risks; (b) business interruption triggered either by the above and/or by a lack or impairment of external services; (c) liabilities arising from privacy issues, infringement of intellectual property, virus transmission, or any other serious problem that may be passed from first to third parties mainly via the web or other electronic networks, or via any other operational or environmental interaction of the technical facilities or entities.
Risks falling under category (a) also comprise so-called “cyber security risks.” Cyber security risks typically comprise a variety of cyber incidents, including data breaches, network damage, and cyber extortion. Resource pooling systems, such as automated insurance systems, as classified under (c), are also referred to as “cyber liability coverage.” Cyber liability coverage refers to insurance coverage for liability that arises from the unauthorized (copyright-violating) use of, or unauthorized access to, electronic data or software within your network or business. Cyber liability risk-transfer parameters, i.e. as comprised in cyber liability policies, also provide coverage for liability claims due to the spread of a virus or malicious code, computer theft, extortion, or any inadvertent act, mistake, error, or omission committed by your employees in the course of performing their duties. In general, various dedicated resource pooling and risk-transfer systems have been designed for capturing and ceding risks and for mitigating losses due to such cyber incidents. In the prior art, the classification of cyber risks is not always clear and standardized. In general, the technical term cyber risk can be used to describe any kind of risk covering direct or consequential losses to companies arising from cyber-related incidents, such as business interruptions, destruction of data and property, and harm to reputation.
Insurance systems and their associated risk-transfer parameters, as defined e.g. by business insurance policies, typically cover only so-called “tangible” assets. Electronic data are not considered tangible assets under a typical policy definition. Therefore, cyber insurance is a comparatively new field of coverage in risk-transfer technology, e.g. the insurance business, that is aimed at closing this gap. As the number of risks is increasing fast and the networked world is becoming ever more complex, the emergence and evolution of cyber liability policies in the near future will probably involve fast changes and high variability.
Many of the technical solutions of the prior art rely on assessing, measuring, technically reducing or otherwise managing (e.g. by means of resource pooling and insurance systems) the cyber risks of enterprises and facilities in order to maintain the operational capability of the unit. As an example, US 2008/047016 A1 discloses a system for the quantified assessment of risk in IT architectures and cyber operations. Another prior art document is US 2012/0011077 A1, which provides a system based on business rules for monitoring and controlling compliance of cyber security and associated risks in a cloud collaboration. WO 2006/065862 A2 discloses a system for computer-aided risk assessment for business enterprises related to cyber risks and for determining the impact in the event that such a cyber risk event occurs. Finally, US 2010/0169127 A1 discloses a system for managing and ceding the risk of a manufacturer to a resource pooling system, based on its exposure to damage awards in patent litigation.
Some of the most important technical difficulties arise from capturing and assessing the overall risk that is associated with cyber-related incidents, i.e. from automated risk assessment. The capability of arriving at a precise measurement of the total cyber risk exposure of a risk-exposed component or facility is fundamental, inter alia, for the technical operation of risk-transfer systems or damage prevention/recovery systems, such as associated automated resource and risk pooling systems or automated insurance systems. The problem is compounded by the fact that the overall risk is typically spread over various single risks and/or associated treaties and, furthermore, diverges in its occurrence across different areas of industry, geography or lines of business. Correspondingly, different fields can be triggered differently by cyber risks: (i) damage to own digital assets—which are normally not considered tangible property (e.g. data, software)—and/or physical damage to assets incidental to the occurrence of cyber risks; (ii) business interruption triggered either by the above and/or by a lack or impairment of external services; (iii) liabilities arising out of privacy issues, infringement of intellectual property, virus transmission, or any other serious problem that may be passed from first to third parties mainly via the web. Cyber risks can therefore cause losses and damages, and they can affect the operational capability of an enterprise in terms of all kinds of technical or financial resources and means. Another problem is the fact that, according to the prior art, cyber risks can trigger all kinds of risk-transfer modalities of insurance systems (e.g. traditional damage related to fire/explosion caused by a cyber attack) without the underlying mechanisms being captured, i.e. without any capturing of the total cyber risk associated with a working unit.
Moreover, some insurance systems implicitly have some cyber risk features embedded therein. Examples are E&O (Errors & Omissions) insurance systems for IT (Information Technology) companies and media liability; E&O insurance systems are also known as Professional Liability Insurance (PLI) systems or Professional Indemnity Insurance (PII) systems, which are dedicated to a form of liability risk transfer that helps protect professional advice and service providers, which can be individuals and companies, from bearing the full cost of defending against a claim for negligence that may be brought by a client, and against damages awarded in such a civil lawsuit. Other systems can even have mechanisms that are specifically targeted at cyber risks, e.g. Information System Business Interruption (ISBI) systems that cover or prevent business interruptions following non-material damage, financial loss due to personal or financial information theft, personal injury, and libel/slander. These latter two aspects involve the communication of false information about a person, group, or entity, such as a corporation. Libel is defined as any defamation that is manifested in writing, print, effigy, movie, or sculptured representation, etc. Slander is defined as any defamation that is manifested by the spoken and auditory word, etc. Nevertheless, the overall associated cyber risk cannot be captured or weighed by the resource pooling systems envisioned by the prior art so as to provide an appropriate risk transfer.
US 2013/0117812 A1 shows a monitoring system for supervising the security of a computer system with various computer components. A supervision device (DS) captures measurement data representative of the states of the computer components. A specified unit determines security indicators of different types for each computer component according to its respective functions and predefined security indicators. The indicators relate to availability, intrusion, vulnerability and compliance with a security policy. However, such a system does not allow analogous risks in different types of cyber-risk exposed components to be treated distinctively, and thus does not allow for the structured capturing and measurement of diverging cyber risks in different components. Further, U.S. Pat. No. 6,839,850 B1 shows another prior art system disclosing a security indications and warning system usable in conjunction with an audit agent, wherein the audit agent forwards audit messages captured by a statistical module, which provides a statistical representation of the number of audit events per user, per session and per node. When a predetermined number of audits within a criteria set are triggered, an indicator is generated providing indications of potential security threats. The system disclosed by U.S. Pat. No. 6,839,850 B1 likewise does not allow analogous risks in different types of cyber-risk exposed components to be treated distinctively, and thus does not allow for the structured capturing and measurement of diverging cyber risks in different components by an automated system.