Introduction

In our first white paper, The Need for Efficient Risk Financing Strategies, we discussed the value that can be unlocked when firms view risks holistically and optimize their total cost of risk. Producing a portfolio view of risk requires one to first quantify risks on an individual basis. The best tools for such an analysis, as we reviewed, are stochastic risk models. We turn now to ground these concepts in a practical context. For the remainder of this series, we will walk through a case study involving a fictional company to show the risk quantification and subsequent analysis of selecting an optimal risk financing program.

As discussed in the prior white paper, to produce a portfolio view of risk requires not just quantifying risks individually but also understanding how they interact, an exercise that may reveal causal relationships between risks or unexpected correlations that are significant in risk quantification.

Cyber risk and directors & officers (D&O) liability are two lines whose interactions should be carefully analyzed. In recent years, extreme cyber losses, such as a large-scale data breach or an extended shutdown of operations, have led to shareholders filing securities class action lawsuits against several publicly traded U.S. firms. The typical allegations include the company’s misrepresentation of cybersecurity posture or withholding material information from a cyber incident. Going forward, the dependencies between D&O and cyber are expected to become even further intwined. In July 2023, the SEC adopted new rules requiring timely disclosures on material cyber incidents and annual disclosures regarding cybersecurity risk management plans, including the role and oversight of key managers and the board of directors.

In part to address this new risk landscape, Brown & Brown has recently released two new stochastic modeling frameworks, Cyber In-Site™ and D&O In-Site™. Both leverage heavily researched quantification methodologies to help companies assess their cyber and D&O risk profiles and evaluate risk financing strategies. Our case study will include an in-depth analysis of these two risks for illustrative purposes. Each presents its own challenges, underscoring the necessity for robust modeling approaches.

Case Study: Company XYZ – Quantifying Portfolio Risk

For our case study, we will focus on a simplified setting involving a fictitious company, Company XYZ. XYZ has approached Brown & Brown with the aim of better understanding its cyber and D&O risk profiles, whether its existing insurance program leaves the firm with a level of retained exposure within its corporate risk appetite and what alternative risk financing options are available to help optimize its total cost of risk considering all hazard risks. Historically, it has selected its insurance programs based exclusively on peer benchmarks for limits and retentions.

Before reviewing any risk financing options, we will first quantify XYZ’s risk profile for cyber and D&O separately and address any line-specific concerns. To quantify each risk, we utilize Brown & Brown’s corresponding stochastic modeling frameworks. Each considers various aspects of XYZ’s risk profile, runs an extensive Monte Carlo simulation and outputs probability distributions of potential losses.

Cyber Risk Quantification

Conducting a cyber risk quantification exercise that extends beyond just a qualitative judgment is critical for any company. Cyber risk quantification capabilities will be key to materiality assessments as part of the SEC 8-K incident disclosures. From this exercise, key stakeholders from XYZ, including the risk manager and chief information security officer, would like to answer the following questions:

• What is the overall level of cyber risk exposure, and which cyber risks pose the biggest threat to XYZ?
• How does the current cybersecurity posture impact cyber risk, and how should security investments be prioritized?
• What would be the financial impact of a largescale data breach or extended outage of a critical business unit?

To answer these questions and ultimately enable more informed risk financing decisions, we leverage Brown & Brown’s Cyber In-Site Quant™. This stochastic modeling framework covers the most common types of cyber loss scenarios, from massive data breaches to minor wire fraud scams. It considers relevant firmographics of XYZ, including the size of the company, its industry, the number of sensitive data records it holds and the state of its security control environment (e.g., Are critical controls such as multi-factor authentication in place?).

Caleb Blodgett

Analytics and R&D Actuary

Thomas Scott

Analytics and R&D Actuary