We are pleased to share Small Businesses and the New Frontier of Cyber Catastrophe Modeling. This report is the result of joint research between Guy Carpenter’s Cyber Center of Excellence and At-Bay, a leading InsurSec provider to small- and medium-size businesses (SMBs), to explore the current limitations in the cyber CAT modeling of the SMB segment and to propose a way to adjust model output based on security control information.
Key takeaways include:
- Small and medium businesses (SMBs) now represent 45% of the cyber market exposure, an increase of 45% over the last 5 years. The increased share of SMBs in the cyber insurance market makes accurate quantification of their aggregation potential critical to capacity deployment and risk management.
- Compared to the overall SMB segment, SMBs with cyber insurance coverage generally exhibit stronger security postures. This sets insured SMBs significantly apart from the general population, and it is very important to incorporate this security posture gap in cyber modeling analyses to accurately quantify the aggregation risk of the corresponding portfolio.
- Due to the lack of credible data, cyber catastrophe (CAT) models can struggle to reflect the disparities of cybersecurity postures in the SMB space. Adjusting CAT model outputs to reflect the impacts of fundamental security controls allows for more accurate and precise differentiation of SMB risks. Model adjustment is therefore a crucial step in establishing a robust view of modeled loss potential to support the growth in a market segment poised for continued expansion.
- An example of CAT model adjustment for SMB risks using At-Bay data shows a 17% reduction in CAT-only tail losses at the 250-year return period when multi-factor authentication (MFA) and endpoint detection and response (EDR) security controls are accounted for in the model.