System for the Measurement and Automated Accumulation of Diverging
Cyber Risks, and Corresponding Method Thereof
Field of the Invention
The present invention relates to systems for measuring diverging cyber risks
associated with risk-exposed components. The components that are exposed to risk
comprise and/or are associated with electronic means for the processing of electronic
data and/or for executing electronic processing codes, and/or data-processingrelated
storage devices and execution devices a s well a s graphic representation
devices, wherein the cyber risk is associated with the operation of these electronic
means. The total cyber risk of the risk-exposed components comprises risk exposure to a
plurality of diverging cyber risks, wherein each of these cyber risks is related to the
occurrence of a corresponding cyber risk event.
Background of the Invention
The problems associated with cyber risk are well known from the prior art;
currently, a n issue that attracts great attention is the search for appropriate technical
solutions in order to minimize these risks or to manage these risks by other technical
means, such a s appropriate resource pooling systems that absorb the technical or
natural consequences of the occurrence of a cyber risk event a t risk exposure
components, e.g. a t industrial or technical facilities or other functional units. In both
cases, the risk exposure, i.e. the probability of the occurrence of a risk event and the
potential impact thereof on the operation of the risk exposure components are
important factors.
Cyber risks relate to at least these three fundamental cyber risk classes: (a)
damage to own digital assets - which are normally not considered tangible property
(e.g., data, software) and/or physical damage to assets incidental to the occurrence
of cyber risks; (b) business interruption triggered either by the above and/or by a lack or
impairment of external services; (c) liabilities arising from privacy issues, infringement of
intellectual property, virus transmission, or any other serious problem that may be
passed from first to third parties mainly via the web or other electronic networks or
operational environmental interaction possibility of the technical facilities or entities.
Risks falling under category (a) also comprise so-called "cyber security risks."
Cyber security risks typically comprise a variety of cyber incidents, including data
breaches, network damage, and cyber extortion. Resource pooling systems, such a s
automated insurance systems, a s classified under (c), are also referred to a s "cyber
liability coverage." Cyber liability coverage refers to insurance coverage for liability that
arises from the unauthorized (copyright violation) use of, or unauthorized access to,
electronic data or software within your network or business. Cyber liability risk-transfer
parameters, i.e. comprised in cyber liability policies, also provide coverage for liability
claims due to the spread of a virus or malicious code, computer theft, extortion, or any
inadvertent act, mistake, error, or omission committed by your employees in the course
of performing their duties. In general, various dedicated resource pooling and risktransfer
systems have been designed for capturing and for ceding risks and mitigating
losses due to such cyber incidents. In prior art, the classification of cyper risks is not
always clear and standardized. In general, the technical term cyber risk can be used to
describe any kind of risk covering direct or consequential losses to companies arising
from cyber-related incidents, such a s also e.g. business interruptions, destruction of data
and property, and harm to reputation.
Insurance system and associated risk-transfer parameters, a s e.g. defined
by business insurance policies, typically only cover so-called "tangible" assets. Electronic
data are not considered tangible assets under a typical policy definition. Therefore,
cyber insurance is a comparatively new field of coverage in the risk-transfer
technology, a s e.g. insurance business, that is aimed a t closing this gap. As the number
of risks is fast increasing and the networked world is becoming increasingly more
complex, the emergence and evolution of cyber liability policies in the near future will
probably involve fast changes and variability.
Many of the technical solutions of the prior art rely o n assessing, measuring,
technically reducing or otherwise managing (e.g. by means of resource pooling and
insurance systems) the cyber risks of enterprises and facilities in order to keep up the
operational capability of the unit. As a n example, US 2008/04701 A l discloses a system
for the quantified assessment of risk in IT architectures and cyber operations. Another
prior art document is e.g. US 2012/001 1077 A l , which provides for a system that is based
on business rules for monitoring and controlling compliance of cyber security and
associated risks in a cloud collaboration. WO 2006/065862 A2 discloses a system for a
computer-aided risk assessment for business enterprises related to cyber risks and a
determination of the impact in the event that such a cyber risk event occurs. Finally, US
2010/01 69127 A l discloses a system for managing and ceding the risk of a
manufacturer to a resource pooling system, based o n their exposure to damage
awards in patent litigation.
Some of the most important technical difficulties arise from capturing and
assessing the overall risk that is associated with cyber-related incidents, i.e. the
automated risk assessment. The capability of arriving a t a precise measurement of total
cyber risk exposure of a risk-exposed component or facility is fundamental, inter alia, for
the technical operation of risk-transfer systems or damage prevention/recovery systems,
such a s associated automated resource and risk pooling systems or automated
insurance systems. The associated problem extends to the fact that the overall risk is
typically spread over various single risks and/or associated treaties and, furthermore,
diverging concerning occurrences thereof in different areas of industry, geography or
lines of business. Correspondingly, it is possible for different fields to be triggered
differently by cyber risks: (i) damage to own digital assets - which are normally not
considered a s tangible property (e.g. data, software) and/or physical damage to
assets incidental to the occurrence of cyber risks; (ii) business interruption triggered
either by the above and/or by a lack or impairment of external services; (iii) liabilities
arising out of privacy issues, infringement on intellectual property, virus transmission, or
any other serious problem that may be passed from first to third parties mainly via the
web. Cyber risks can therefore cause losses and damages, and they can affect the
operational capability of a n enterprise in terms of all kinds of technical or financial
resources and means. Another problem is the fact that, according to the prior art,
cyber risks can trigger all kinds of risk transfer modalities of insurance systems (e.g.
traditional damage related to fire/explosion caused by cyber attack) without being
able to capture the underlying mechanisms thereof, i.e. any capturing of the total
cyber risk associated with a working unit. Moreover, while some insurance systems
implicitly have embedded therein some cyber risk features, such as, e.g., E&O (Errors &
Omissions; E&O insurance systems therein are also known a s Professional Liability
Insurance (PLI) systems, or Professional Indemnity Insurance (Pll) systems, which are
dedicated to a form of risk transfer of liability insurance that helps protect professional
advice and service providers, which can be individuals and companies, from bearing
the full cost of defending against a claim for negligence that may be brought by a
client, and against damages awarded in such a civil lawsuit) for IT (Information
Technology) companies and media liability, or they can even have mechanisms that
are specifically targeted at cyber risks (e.g. Information System Business Interruption
(ISBI) that cover or prevent business interruptions following non- material damage,
financial loss due to personal or financial information theft, personal injury, libel/slander.
These latter two aspects that involve the communication of false information about a
person, group, or entity, such a s a corporation. Libel is defined a s any defamation that
can be seen manifested in writing, print, effigy, movie, or sculptured representation,
etc. Slander is defined a s any defamation that is manifested by the spoken and
auditory word, etc. The overall associated cyber risk cannot be captured or weighed
by resource pooling systems a s envisioned by the prior art providing a n appropriate risk
transfer.
Summary of the Invention
It is a n object of the present invention to provide a system and method for
measuring, accumulating and monitoring diverging cyber risks in various areas of
industry and fields of technical applications, i.e. different use or application of technical
means, a s electronic means, processors, data generation, data capturing, data
exchange, networks access, data transfer, use of social or otherwise accessible media,
physical damage or malfunction of devices etc.. Further, it is also a n object of the
present invention to provide a system and method for risk sharing of cyber risks
associated with the operation of risk-exposed facilities by providing a dynamic selfsufficient
risk protection modality for the risk exposure components by means of a cyber
risk insurance system. The cyber risk insurance system, which is implemented a s a n
automated resource-pooling system, shall be completely or a t least partially
automated and self-adaptable/self-maintaining by its technical means, and it shall
provide the technical risk transfer basis which can be used by service providers in the
risk transfer or insurance technology field for the transfer of risks related to any kind of
cyber risk. A further object of the present invention envisions providing a way in which to
technically capture, manage and automate complex operations of the insurance
industry related to cyber risk transfer. Another object of the present invention provides
for synchronizing and adjusting such operations based o n technical means. In contrast
to standard approaches, the resource-pooling system shall be able to devise a
reproducible operation with the desired, technically based, repetitious accuracy that
relies on technical means, process flow and process control/operation and that is
independent of the technical field, region or line of business to which the risk-exposed
component relates. Therefore, it is also a n object of the present invention to provide a
risk and resource-pooling system that is able to cope with complex related diverging
cyber risk events.
According to the present invention, these objects are achieved,
particularly, by the features of the independent claims. In addition, further
advantageous embodiments can be derived from the dependent claims and related
descriptions.
According to the present invention, the above-mentioned objects related
to the measurement, accumulation and monitoring of diverging cyber risks are
achieved, particularly, in that the risk components comprise electronic means for
processing electronic data and/or executing electronic processing codes, and/or they
have related data-processing storage devices and/or execution devices and/or
graphic representation devices, and wherein the risk components are exposed to a
plurality of cyber risks by said electronic means, and wherein a cyber risk is related to
the probability for the occurrence of a cyber risk event to risk the components; in that
the system comprises a n accumulation device with a repository unit for segmenting the
total cyber risk of a risk component by means of parameterizable risk exposure
segments, and wherein the repository unit of the accumulation device comprises a
searchable trigger table with retrievably stored segmentation parameters, which are
each associated with corresponding measuring parameters for capturing the risk
exposure of a specific risk exposure segment by means of said associated measuring
parameters; in that the stored segmentation parameters comprise at least first
segmentation parameters for segmenting a first risk contribution associated with
measurements of operational interruption or service denial related to third party
exposure, and second segmentation parameters for segmenting a second risk
contribution associated with measurements of a data privacy breach on third party
ό
data, e.g. personal or financial, by means of the risk component, and third
segmentation parameters for segmenting a third risk contribution associated with
measurements of a material damage measuring parameters a s a consequence to the
failure of the electronic means of the risk component or associated with measurements
of a cyber attack, and fourth segmentation parameters for segmenting a fourth risk
contribution associated with measurements of a coordinated attack on scopes of
intellectual property, e.g. a s parametric data, defined for the risk component; in that
the system comprises a trigger module, and wherein the trigger module is connected to
the risk components by means of capturing devices, a s e.g. measuring sensors or datafiltering
and capturing means in data pathways, in order to detect and capture
measuring values for the measuring parameters related to the occurrence of cyber risk
events within the data pathway of said electronic means; and in that the accumulation
device accumulates the total risk of a risk component, segmentation unit by
segmentation unit, via the trigger module by sequentially selecting the segmentation
parameters from the trigger table, retrieving the associated measuring parameters for
each of the segmentation parameters, and triggering the trigger module based o n the
retrieved measuring parameters in order to capture measuring values for the retrieved
measuring parameters from the risk components by means of the capturing devices,
and wherein the accumulation of the total cyber risk is achieved by means of the
accumulation device for diverging cyber risks accumulating over all sequentially
selected segmentation parameters of the trigger table. The invention has, inter alia the
advantage that it allows for the implementation of a n automated system, for a
scenario-based cyber-risk determination of risk exposure of a risk-exposed component
or, e.g., a n overall insurance portfolio by means of the weighted accumulation of the
various exposures. The applicable and defined segmentation scheme allows for the use
of a n appropriate industry segmentation and/or geographic segmentation and/or
insurance lines of business (LoB) segmentation. Further, a total or maximum exposure for
a possible, connected insurance system can be automatically derived by the system by
summing up the different exposures per risk scenario and risk segment over all
accumulated contracts/treaty contracts in a portfolio. The present automated cyber
risk insurance system has the further advantage that it is capable of responding to all
varieties of cyber risks, thereby overcoming the problem that most prior art systems
suffer from, which is, namely, that they only allow for the capture or coverage of risks
and related losses or damages with regard to tangible property. Technically, these
systems are not able to capture data, software and other non-material damages, losses
or risks. Therefore, diverging cyber risks associated with financial loss/costs for damage
caused by the loss of data can neither be captured nor covered by the prior art
systems. The same applies also, e.g., for business interruption coverage regarding nonphysical
damage. With the inventive system, a s specified by the claims, it is possible to
parameterize and accumulate the total cyber risk in a controlled and reproducible
manner, which is not possible with the prior art systems. The segmentation, i.e. the risk
scenarios, can be dynamically adjusted, which allows the system to dynamically adapt
its operation and recognition to newly arising risks in the field of cyber risks. In contrast to
prior art systems, the present invention has the advantage that it is able to cover the
totality of possible cyber risks by means of its segmentation parameters; it is not only
triggered in view of only very limited aspects of the totality of occurring cyber risks, or
limited scenarios. An example of diverging cyber risks, which typically cannot be
captured and measured by a single system a s set forth according to the prior art, is, for
example, when a virus affecting the steering software of a cooling system occurs,
thereby causing overheating and a fire in a turbine case, which would be covered by
a fire policy. By way of another example, on the other hand, a n error in a program
code can trigger a denial of access to a website, thereby causing a third party loss to
a n IT company, which would be covered by a n E&O policy. Prior art systems are not
able to capture such diverging cyber risks and accumulate them to form a total
affecting cyber risk.
In one embodied variant, the above-mentioned objects for measurement
and accumulation of diverging cyber risks are achieved, particularly, in that the
electronic means for the processing of electronic data and/or executing of electronic
processing codes, and/or data-processing related storage devices and/or execution
devices and/or graphic representation devices are provided, and wherein the risk
components are exposed to a plurality of cyber risks, and wherein the cyber risks are
related to the real-time occurrence of cyber events that can be captured by
predefined measuring parameters associated with said electronic means; in that the
cyber risk of a risk component is segmented and accumulated by means of a n
accumulation device with a repository unit, and wherein the repository unit of the
accumulation device comprises a searchable trigger table with retrievably stored
segmentation parameters, each associated with defined measuring parameters for
capturing risk exposure of a specific risk exposure segment by means of said associated
measuring parameters; in that the stored segmentation parameters comprise a t least
first segmentation parameters for segmenting a first exposure value associated with
measurements of operational interruption or service denial, second segmentation
parameters for segmenting a second exposure value associated with measurements of
a data privacy breach o n third party data by means of the risk component, third
segmentation parameters for segmenting a third exposure value associated with
measurements of material damage measuring parameters a s a consequence of the
operation of the electronic means of the risk component or associated with
measurements of a cyber attack, and fourth segmentation parameters for segmenting
a fourth exposure value associated with measurements of coordinated attacks on
scopes of intellectual property, e.g. a s parametric data, defined for the risk
component; in that the segmentation parameters are sequentially selected by means
of a trigger module from the trigger table, and the associated measuring parameters
are retrieved for each of the segmentation parameters; in that the trigger module is
connected to the risk components by means of capturing devices, and wherein
measuring values for the measuring parameters related to the occurrence of cyber risk
events are detected and captured by means of the capturing devices within the data
pathway of said electronic means; and in that the accumulation device accumulates
the total risk of the risk component by means of the trigger module, and wherein the
accumulation device is triggered by the trigger module transmitting captured
measuring values by means of the measuring parameters, and wherein the
accumulation is achieved by the accumulation device accumulating over all
sequentially selected segmentation parameters from the searchable trigger table. This
embodied variant has the same advantages a s the preceding embodied variant by
giving a further adaptation for the interaction between the trigger module and the
accumulation device.
In one embodied variant, the accumulated cyber risk and/or the cyber risk
related to a specific segmentation are weighted by a weighting unit by means of
corresponding weighting factors based o n technological field factors of the risk
component and/or geographical allocation factors of the risk component. The
weighting factors can also be based simply on a intensity factor that is used is a
combination of a severity and frequency factor. Thus, the accumulation control
framework of the system of four defined cyber scenarios, i.e. segmentations, is
achieved, considering a weighted exposure approach, i.e. EML-type. Therefore, this
embodied variant has, inter alia, the advantage that it does not exhibit the
disadvantages of the pure limit accumulation systems, a s known in the prior art, thereby
reaching new technical levels precision. Further, redundancies can be easily
recognized and eliminated by the structure of the system.
In another embodied variant, the system comprises a signal generation
module for generating a n output signal that is based o n the measured and
accumulated total cyber risk of a risk component, and wherein the system comprises
a n interface module for transmitting the output signal to a n automated cyber risk
insurance system, and wherein the output signal comprises a t least the accumulated
cyber risk and a n identification of the risk component associated with the accumulated
cyber risk. In one embodied variant, the output signal additionally comprises a pooling
factor indicating a payment value that is needed for the pooling of the risk of the risk
exposure component based on the total accumulated cyber risk. This embodied
variant has the advantage of, furthermore, being easily integrated a s a steering or
controlling device, e.g. in a n automated resource pooling system for risk transfer of the
risk components, or the like. The steering and controlling capabilities can also be used
by transmitting a n output signal a s steering signaling for the automated insurance
portfolio management or a s a n input to a n automated risk portfolio management
system. Such a system can react dynamically in response to changing environmental
condition and condition parameters, respectively based on the adaptation capability
of the system. Therefore, in still another embodied variant, the trigger device further
comprises measuring devices that are coupled to the data pathway of said electronic
means and devices of the risk components, and wherein upon the occurrence of a
cyber risk event, said occurrence is detected automatically by means of the measuring
devices and transmitted by means of measuring parameters to the signal generation
module, therein generating a n appropriate output signal, which indicates the
occurrence, and transmitting the output signal to the automated cyber risk insurance
system. The advantages of this embodied variant are, inter alia,, that the system can be
used a s a fully automated insurance system, controlling and steering also the resource
pooling, e.g. financial data transfer to the pooling system, and loss coverage, payment
transfer back to a risk expose component in case of occurrence of a cyber risk event.
The system has the further advantage that it allows for stable operation of such a n
automated insurance system based o n a correctly measured total cyber risk based o n
the captured measuring and segmentation parameters.
In one embodied variant, the measuring and accumulation system, a s
described above, is implemented a s a n integral part of a cyber risk insurance system,
and wherein the cyber risk insurance system is based o n a resource-pooling system for
risk sharing of measured cyber risks of a variable number of risk exposure components
by providing a dynamic self-sufficient risk protection for the risk exposure components
by means of the resource-pooling system comprising a signaling system according to
claim 1 or 2, and wherein the risk exposure components are connected to the
resource-pooling system by means of a plurality of payment-receiving modules that are
configured for receiving and storing payments from the risk exposure components for
the pooling of their risks and resources, and wherein the resource-pooling system
comprises a n event-driven core engine comprising measuring devices that trigger in a
data flow pathway in order to provide risk protection for a specific risk exposure
component based o n received and stored payments of the risk exposure components;
and in that the accumulated total cyber risk of the pooled risk exposure components
comprises a first risk contribution of each pooled risk exposure component associated
with the risk of measuring operational interruption or service denial, a second risk
contribution of each pooled risk exposure component associated with the risk of
measuring a data privacy breach on third party data, a third risk contribution of each
pooled risk exposure component associated with the risk of measuring material
damage a s a consequence of a failure of the electronic means or the risk of measuring
a cyber attack, and a fourth risk contribution of each pooled risk exposure component
associated with the risk of measuring a coordinated attack on scopes of intellectual
property, e.g. a s parametric data, defined for the risk component; and in that the
system comprises a n accumulation device with a repository unit for segmenting and
accumulating the cyber risk of a risk component by means of parameterized risk
exposure segments, and wherein each of the risk contributions correspond to a
parameterized risk exposure segment, and wherein the repository unit of the
accumulation device comprises a searchable hash table with retrievably stored
segmentation parameters, each associated with defined measuring parameters for
capturing risk exposure of a specific risk exposure segment by means of said associated
measuring parameters, and wherein a cyber risk loss occurs a s a consequence of the
measurement of measuring parameters associated with the first, second, third or fourth
risk contribution; in that the system comprises a trigger device, and wherein the trigger
device sequentially selects the segmentation parameters from the searchable table by
retrieving the associated measuring parameters for each of the segmentation
parameters; in that the system comprises capturing devices connecting the trigger
device to the risk components for detecting and capturing measuring values for the
measuring parameters related to the occurrence of cyber risk events within the data
pathway of said electronic means and devices; in that the accumulation device
accumulates the total risk of the risk component by means of the trigger device, and
wherein the accumulation device is triggered by the trigger device transmitting
captured measuring values by means of the measuring parameters, and wherein the
accumulation is achieved by way of accumulating values over all sequentially selected
segmentation parameters from the searchable table; in that the payments from the risk
exposure components for the pooling of their risks and resources are determined based
on the total accumulated cyber risk; in that in case of a triggering of a n occurrence of
a cyber risk event associated with the first, second, third or fourth segmentation
parameter in the data flow pathway of a risk exposure component by means of the
measuring devices, a loss that is associated with first, second, third or fourth
segmentation parameter is distinctly covered by the resource pooling system by means
of a parametric transfer of payments from the resource-pooling system to the risk
exposure component. The resource-pooling system can e.g. comprise a n assembly
module in order to process risk-related component data and to provide the likelihood
of said risk exposure for one or a plurality of the pooled risk exposure components
based o n the risk-related component data, and wherein the receiving and
preconditioned storage of payments from risk exposure components for the pooling of
their risks is dynamically determinable based o n total accumulated cyber risk and/or
the likelihood of the risk exposure of the pooled risk exposure components. This
embodied variant has the advantage of being integrated a s a steering or controlling
device e.g. in a n automated resource pooling system for risk transfer relative to the risk
components. Such a system allows for fully automating the operation of such a
resource pooling system, thereby avoiding the problem of operational instability due to
a falsely or imprecisely measured total cyber risk associated with one or a plurality of risk
components. As a n embodiment variant, the system is recalibrated and/or selfadjusted
based on measuring of measuring parameters of the occurrence of a cyber
risk event, e.g. in comparison of the risk assessment provided by means of the system
prior to the occurrence.
In another embodied variant, the number of pooled risk exposure
components is dynamically adapted, by means of the resource-pooling system, to a
range where non-covarian†, occurring risks covered by the resource-pooling system
affect only a relatively small proportion of the total pooled risk exposure components a t
any given time. This variant has, inter alia, the advantage that it helps to improve the
operational and financial stability of the system.
In a further embodied variant, the segmentation parameters and/or related
measuring parameters are dynamically adapted by means of a n operating module
based o n time-correlated incidence data for a cyber risk condition indicating changes
in the technical condition or operation of the risk components. This variant has, inter
alia, the advantage that improvements in measurements and/or changing
environmental, condition and/or boundary parameters can be dynamically captured
by the system and dynamically affect the overall operation of the system based o n the
total risk of the pooled risk exposure components.
In yet another embodied variant, upon each triggering of a n occurrence of
measuring parameters indicating a cyber risk, a total parametric payment is allocated
with this triggering, and wherein the total allocated payment is transferable upon the
triggering of the occurrence of the cyber risk. In the embodied variant, the parametric
payment can be leveled with regard to a predefined total payment sum that is
determined a t least based o n the risk-related component data, and/or on the
likelihood of the risk exposure for one or a plurality of the pooled risk exposure
components based on the risk-related component data. The predefined total
payments can e.g. be leveled to any appropriate lump sum or any other sum related
to the total transferred risk and the amount of the periodic payments of the risk
exposure component. This variant has the advantage, inter alia, that the transfer of the
payment by the automated system, which depends on the measuring of a n
occurrence of a cyber risk event, allows for a n adapted payment of the total sum that
is dependent o n the determined impact of cyber risk event o n the risk component. In
one embodied variant, a periodic payment transfer from the risk exposure components
to the resource pooling system via a plurality of payment receiving modules is
requested by means of a monitoring module of the resource-pooling system, and
wherein the risk transfer or protection for the risk exposure components is interrupted by
the monitoring module, when the periodic transfer is no longer detectable by means of
the monitoring module. As a variant, the request for periodic payment transfers can be
interrupted automatically or waived by means of the monitoring module, when the
occurrence of indicators for a cyber risk event is triggered in the data flow pathway of
a risk exposure component. These embodied variants have, inter alia, the advantage
that the system allows for a further automation of the monitoring operation, especially
of its operation with regard to the pooled resources. In addition, a n independent
verification trigger of the resource pooling system is activated in cases of a triggering of
the occurrence of indicators for a cyber risk event in the data flow pathway of a risk
exposure component by means of the trigger module, and wherein the independent
verification trigger, additionally, is triggering for the occurrence of indicators regarding
the concerned cyber risk event in a n alternative data flow pathway with independent
measuring parameters from the primary data flow pathway in order to verify the
occurrence of the cyber risk event a t the risk exposure component. As a variant, the
transfer of payments is only assigned to the corresponding risk component if the
occurrence of the cyber risk event a t the risk exposure component is verified by the
independent verification trigger. These embodied variants have, inter alia, the
advantage that they help improve the operational and financial stability of the system.
In addition, the system is rendered less vulnerable relative to fraud and counterfeit.
Finally, in addition to the system, a s described above, and the
corresponding method, the present invention also relates to a computer program
product that includes computer program code means for controlling one or more
processors of the control system in such a manner that the control system performs the
proposed method; and it relates, in particular, to a computer program product that
includes a computer-readable medium containing therein the computer program
code means for the processors.
Brief Description of the Drawings
The present invention will be explained in more detail by way of example in
reference to the drawings in which:
Figure 1 shows a block diagram illustrating schematically a n exemplary
cyber risk contribution scheme to the total cyber risk covered by a n insurance or
reinsurance resource pooling system, and wherein reference number 1001 refers to
industry codes versus four segmentation accumulation, reference number 1002 refers to
lines of business versus four segmentation accumulation, reference number 1003 to
accumulation based o n single cyber risk accumulation and/or contract risk
accumulation, and reference number 1004 to the total risk exposure accumulated per
segmentation and contract.
Figure 2 shows a block diagram illustrating schematically a n exemplary
system for automated measurement and accumulation of diverging cyber risks, and
wherein risk components 2 1,22,23,... are exposed by electronic means 213, 223, 233 of
the risk components 2 1,22,23, ... to a plurality of cyber risks 5 1, 52, 53, 54. An
accumulation device 5 is used for segmenting the total cyber risk 50 of a risk
component 2 1, 22, 23, ... by means of parametrizable risk exposure segments, and
wherein, in a searchable trigger table 7, retrievably stored segmentation parameters
721 , 722, 723, 724 are associated with corresponding measuring parameters 7 1 1, 712,
7 13, 7 14 for capturing the risk exposure of a specific risk exposure segment. The system
comprises a trigger module 3 which is connected to the risk components 2 1, 22, 23, ...
by means of capturing devices 3 1, 32, 33 in order to dynamically detect and capture
measuring values for the measuring parameters 7 1 1, 712, 713, 714 related to the
occurrence of cyber risk events within the data pathway of said electronic means 2 13,
223, 233. By means of the accumulation device 5, the total risk 50 is accumulated,
segmentation by segmentation, by sequentially selecting the segmentation parameters
721 , 722, 723, 724 from the trigger table 7 and retrieving the associated measuring
parameters 7 1 1, 712, 713, 7 14 for each of the segmentation parameters 721 , 722, 723,
724, and triggering the trigger module 3 based on the retrieved measuring parameters
in order to capture measuring values for the retrieved measuring parameters 7 1 1, 712,
713, 714 from the risk components 2 1, 22, 23, ... by means of the capturing devices 3 1,
32, 33.
Detailed Description of the Preferred Embodiments
Figure 2 illustrates, schematically, a n architecture for a possible
implementation of a n embodiment of the system for measurement and accumulation
of diverging cyber risks, a s well a s a n architecture for a possible implementation of a n
embodiment of a n automated cyber risk insurance system based on a resourcepooling
system 1 for risk sharing of measured cyber risks of a variable number of risk
exposure components 2 1, 22, 23 Resource-pooling systems 1 are systems for
automated pooling of resources from assigned risk exposure components 2 1, 22, 23
thereby transferring a defined risk associated with the risk exposure components 2 1, 22,
23 to the resource-pooling systems, wherein the operation of the transferred risk is
defined by risk-transfer parameters, a s e.g. fixed by means of predefined risk-transfer
policies, and wherein in case of triggering the occurrence of the defined risk a t a risk
exposure component 2 1, 22, 23 a loss or operational damage of the concerned risk
exposure component 2 1, 22, 23, ... is distinctively covered by the resource-pooling
system 1 by triggering the specific transfer of resources from the resource-pooling
system 1 to the concerned risk exposure component 2 1, 22, 23, ... The operation of the
system 1 will be described in detail below. The risk-transfer parameters can e.g.
comprise parameters defining physical measuring parameters to detect the
occurrence of a risk event at the risk exposure component 2 1, 22, 23, ... by means of
the system 1 and/or time- or amount related threshold values. The risk exposure
components 2 1, 22, 23 can be any type of operational entity or enterprise, or any
unit/person associated with a n operational activity etc. The risk components 2 1, 22, 23,
... comprise and/or are associated with electronic means 2 13, 223, 233 for processing
electronic data and/or executing electronic processing codes, and/or data-processing
related storage devices and/or execution devices and/or graphic representation
devices, and wherein the risk components 2 1, 22, 23, ... are exposed to a plurality of
cyber risks 5 1, 52, 53, 54 by said electronic means 2 13, 223, 233 and/or are associated
with the operation of said electronic means. In that sense, risk components 2 1, 22, 23, ...
are understood a s functional and/or active entities a s part of modern industrial or
business environment and/or facilities, where the use of and/or external interaction with
electronic data and/or the internet is a part of the operational or business activity,
which a s a part of the external interaction and operational activity is, however,
associated with a range of particular risks, herein called cyber risks, i.e. the specific risks
that relate to the bidirectional technical use and interaction of computers, information
technology and virtual reality with external networks or electronic devices. A cyber risk
is related to the probability for the occurrence of a cyber risk event in relation to risk
components 2 1, 22, 23 Therefore, cyper risks, a s understood in this application, also
comprises the risks for secondary damage and/or consequential loss occurring a s a
consequence of the occurrence of a cyber risk described above. For example,
considering a cyber attack could trigger a fire, whereas the risk components 2 1, 22, 23,
also comprise components that are not per se electronic but e.g. steered by electronic
means, a s e.g. turbine not being itself electronic but cooled by a system that is
electronically steered. In other words, also consequential loss or operational damage of
a concerned risk exposure component 2 1, 22, 23, ... is captured and distinctively
covered by the resource-pooling system 1 by means of triggering the specific transfer of
resources from the resource-pooling system 1 to the concerned risk exposure
component 2 1, 22, 23, ... The system includes a t least a processor and associated
memory modules. The system 1 can also include one or more display units and
operating elements, such a s a keyboard, and/or graphic pointing devices, such a s a
computer mouse. The system is a technical device comprising electronic means that
can be used in the field of automated risk transfer or insurance technology with regard
to risk transfers that are related to cyber risks. The invention seeks to technically capture,
manage and automate complex related operations of monitoring devices and the
insurance industry. Another aspect involves synchronizing and adjusting such operations
based o n technical means. In contrast to standard approaches, the resource-pooling
system also achieves reproducible operations and reproducible risk assessment with the
desired technical, repetitious accuracy, because it relies completely o n technical
means, process flow and process control/operation. The system provides a scenariobased,
cyber-risk measurement and determination of the risk exposure of risk-exposed
components 2 1, 22, 23, ... or of a n insurance portfolio containing a plurality of riskexposed
components 2 1, 22, 23, ... by means of the weighted accumulation of the
various exposures. For the accumulation, a defined segmentation scheme is applied
using appropriate industry segmentation and/or geographic segmentation and/or
insurance lines of business (LoB) segmentation. The total or maximum exposure is
derived by summing up the different exposures per risk scenario and risk segment over
all accumulated contracts/treaty contracts in a portfolio.
The system comprises a n accumulation device 5 with a repository unit 8. The
accumulation device 5 segments the total cyber risk 50 of a risk component 2 1, 22, 23,
... by means of parametrizable risk exposure segments. The repository unit 8 of the
accumulation device 5 comprising a searchable trigger table 7, such a s e.g. a n
appropriately structured hash table, with retrievably stored segmentation parameters
721 , 722, 723, 724, each of which is associated with corresponding measuring
parameters 7 1 1, 7 12, 7 13, 7 1 for capturing the risk exposure of a specific risk exposure
segment by means of said associated measuring parameters 7 1 1, 712, 713, 714.
The stored segmentation parameters 721 , 722, 723, 724 capture four main
scenarios of cyber attacks. However, a person skilled in the art understands that further
scenarios and segments, respectively, related to cyper risks can easily be incorporated
in the inventive system without affecting one of the main concepts of the invention,
namely the scenario-based and/or segmentation-based capturing of and/or triggering
upon the cyper risk events and related losses._Correspondingly, the segmentation
parameters 721 , 722, 723, 724 comprise a t least first segmentation parameters 721 for
segmenting a first risk contribution 5 1 associated with measurements of operational
interruption or service denial. Further comprised are second segmentation parameters
722 for segmenting a second risk contribution 52 associated with measurements of a
data privacy breach on third party data by means of the risk component 2 1, 22, 23
Also comprised are third segmentation parameters 723 for segmenting a third risk
contribution 53 associated with measurements of material damage measuring
parameters a s a consequence of a failure of the electronic means of the risk
component 2 1, 22, 23, ... or associated with measurements of a cyber attack. And
finally comprised are fourth segmentation parameters 724 for segmenting a fourth risk
contribution 54 associated with measurements of a coordinated attack on scopes of
intellectual property parametric data defined for the risk component 2 1, 22, 23 In
other words, for the present inventive system, four different risk scenarios of cyberrelated
incidents are available; i.e.,, segments of the total cyber risk are defined,
namely, a s a first segment 5 1 or scenario concerning the risk related to denial of service
or interruption of operations, a second segment 52 concerning the risk related to a
data privacy breach with regard to personal or financial data, a third segment 53
concerning the risk related to the material consequence of a n IT failure or cyber attack,
and a fourth segment 54 concerning the risk related to a coordinated attack o n
intellectual property. However, these scenarios can also be defined in other ways, or
expanded to include additional scenarios, without affecting the fundamental idea
underlying the present invention a s specified by Exposure (Sa) = ^Exposure (single
contracts) + ^Exposure (treaty contracts). The Exposure (Sa) is the exposure for i-†h
scenario (i = 5 1, 52, 53, 54), i.e. i-†h cyber risk segment. The fragmentation of the totality
of occurring cyber risk allows for capturing and monitoring all possible kinds of cyber
risks and cyber risk transfers, especially referring to any policy covering one or more of
the following: (i) damage to own digital assets - which are normally not considered a s
tangible property (e.g. data, software) and/or physical damage to assets incidental to
the occurrence of cyber risks; (ii) business interruption triggered either by the above
and/or by a lack or impairment of external services; (iii) liabilities arising out of privacy
issues, infringement on intellectual property, virus transmission, or any other serious
problems that may be passed from first to third parties mainly via the web. In that sense,
it is important to note dependencies and interconnections with regard to other risks
related to possible damage or losses to the risk components 2 1, 22, 23 since
traditional risks for losses can be triggered by cyber risks (e.g. traditional damage
related to fire/explosion that is caused by a cyber attack). The present system provides
a technical framework for cyber risk accumulation control, thereby allowing for
monitoring all possible and future portfolios concerned with cyber risks with respect to
cyber coverage granted a s part of the existing risk transfers. Further, the system provides
a technical framework, which allows for realistic and flexible growth for the purpose of
possibly amending boundary conditions in the future. Finally, the inventive system also
allows the capturing and monitoring of the real impact of the total cyber risk, rather
than trying to empirically adapt the limits of other risk transfer mechanisms without
having control over the underlying total cyber risk.
The four accumulation segments or scenarios, a s well a s any further
imaginable cyper risk related segments, a s well a s appropriate weighting factors, can
e.g. be generated based o n information that is obtained from filtering historical data.
For the filtering o n a single risk basis, each industry ("occupancy") can contribute to one
or more scenarios with low, medium of high intensity. The intensity factor used is a
combination of severity and frequency. On a treaty basis, assumptions can be made
based o n the lines of business covered, the geographical scope and the type of
underlying risk (personal lines, commercial or global). Each line of business can
contribute to the scenarios with a multiplication factor that is between 0 (no
contribution, e.g. when cyber risk is excluded) to 1 (total contribution, e.g. when the
policy explicitly covers cyber risk). Contribution factors between 0 and 1 are also
possible, in particular for lines that cover cyber a s a secondary scenario (e.g. pure
financial loss coverage for a general liability or E&O of a technology company).
Exposure information needed for the accumulation is automatically captured by
means of the system; therefore, no additional work for the underwriting process, i.e.
parameter definition of the risk transfer parameters, is needed. However, periodic
monitoring of the historical data can help to dynamically adjust the scenario exposure
and control limit consumption. The overall severity and frequency of the scenarios can
be determined by calibrating the bottom-up aggregation of the total exposure with
top-down market share in a n iterative manner. The technical framework also allows for
refining the underlying frequency model and the concerned parameters, based o n
cost monitoring and by extrapolating from occurring claims information.
As described previously, the four main segments, i.e. scenarios, a s captured
by the monitoring and risk accumulation system are: (i) non-physical damage, denial of
service (DOS) / interruption of operations (IO); (ii) non-physical damage, malicious
attack on personal (Pll) / financial data (F ); (iii) physical damage (STUX); and (iv) nonphysical
damage by malicious attack o n intellectual property (IP). The scenarios allow
for independently capturing the related cyber risk, or a t least for capturing the same
with minimal overlap. The system allows, combined with a minimum amount of
information o n a risk transfer contract or portfolio, for measuring the impact of a re
insurance-based risk transfer on one or more scenarios. Figure 1 illustrates,
schematically, the allocation of the total cyber risk, wherein reference number 1001
refers to industry codes versus four segmentation accumulation, reference number 1002
refers to lines of business versus four segmentation accumulation, reference number
1003 refers to accumulation based o n single cyber risk accumulation and/or treaty risk
accumulation, and reference number 1004 refers to the total risk exposure
accumulated per segmentation and treaty.
The system further comprises a trigger module 3. The trigger module 3 is
connected to the risk components 2 1, 22, 23, ... by means of capturing devices 3 1, 32,
33 in order to detect and capture measuring values for the measuring parameters 7 1 1,
712, 713, 714 related to the occurrence of cyber risk events within the data pathway of
said electronic means 2 13, 223, 233 of the assigned risk exposure components 2 1, 22,
23 The data flow pathway 2 13, 223, 233 can e.g. be monitored by the system,
capturing component-related measuring parameters of the data flow pathway 2 13,
223, 233 a t least periodically and/or within predefined time periods. The data flow
pathway 213, 223, 233 can, for example, also be dynamically monitored by the
resource-pooling system 1, by triggering component-measuring parameters of the data
flow pathway 213, 223, 233 transmitted from associated measuring systems. Triggering
the data flow pathway 2 13, 223, 233, which comprises dynamically recorded measuring
parameters of the concerned risk exposure components 2 1, 22, 23 the system 1 is
also able to detect the occurrence of a cyber risk event and dynamically monitor the
different stages throughout the occurrence of the cyber risk event in order to provide
appropriately adapted and gradated risk protection for a specific risk exposure
component 2 1, 22, 23 Such a risk protection structure can be based o n received
and stored payments 214, 224, 234 from the related risk exposure component 2 1, 22, 23,
.... and/or related to the total risk of the resource-pooling system 1 based o n the overall
transferred cyber risks of all pooled risk exposure components 2 1, 22, 23
The accumulation device 5 accumulates the total risk 50 of a risk
component 2 1, 22, 23 segmentation by segmentation, by means of the trigger
module 3 by sequentially selecting the segmentation parameters 721 , 722, 723, 724
from the trigger table 7 and retrieving the associated measuring parameters 7 1 1, 7 12,
7 13, 7 14 for each of the segmentation parameters 721 , 722, 723, 724. Furthermore, the
accumulation device 5 triggers the trigger module 3 based on the retrieved measuring
parameters in order to capture measuring values for the retrieved measuring
parameters 7 1 1, 712, 713, 714 from the risk components 2 1, 22, 23, ... by means of the
capturing devices 3 1, 32, 33. The total cyber risk 50 is accumulated by means of the
accumulation device 5 for the diverging cyber risks that accumulate over all
sequentially selected segmentation parameters 721 , 722, 723, 724 of the trigger table 7.
As one embodied variant, the accumulated cyber risk is weighted by a
weighting unit 9 by means of corresponding weighting factors 9 1, 92, 93, 94, thus
accounting for technological field conditions and/or geographical allocation
conditions of a risk component 2 1, 22, 23 Therefore, the accumulation control
framework that involves four defined cyber scenarios of the inventive system allows for
using a weighted exposure approach (EML-type instead of pure limit accumulation, a s
in prior art systems). Furthermore, time frame-based periodic monitoring of the exposure
development of the defined four cyber scenarios/segments allows for implementing a
dynamic adaptation of the overall technical operation of the system. The generation or
calibration of the weighting factors can e.g. be achieved by filtering historical data, a s
described above.
The system can further comprise a signal generation module for generating
a n electronic output signal based on the measured and accumulated total cyber risk
of a risk component 2 1, 22, 23 For transmitting the output signal to a n automated
cyber risk insurance system, the system can e.g. comprise a n interface module. The
output signal comprises a t least the accumulated cyber risk 50 and a n identification of
the risk component 2 1, 22, 23, ... associated with the accumulated cyber risk. However,
the output signal also can comprise a pooling factor indicating a payment value
needed for the pooling of the risk of the risk exposure component 2 1, 22, 23, ... based
on the total accumulated cyber risk 50.
As a n embodied variant, the trigger module 3 can comprise measuring
devices 3 1, 32, 33 that are coupled to the data pathway of said electronic means 2 13,
223, 233 of the risk components 2 1, 22, 23 Upon the occurrence of a cyber risk
event, the occurrence is automatically detected by means of the measuring devices
3 1, 32, 33 and transmitted to the signal generation module, thereby generating a n
appropriate output signal, which indicates the occurrence, and transmitting the output
signal to the automated cyber risk insurance system. In that way, the measurement and
monitoring system becomes a complete event-driven resource-pooling system for risk
sharing in terms of cyber risks associated with the operation of electronic means 213,
223, 233.
As a further embodied variant, the measurement and accumulation system
for diverging cyber risks of a single risk exposed component 2 1, 22, 23 or a portfolio of
risk exposed components 2 1, 22, 23 can be implemented a s a n integral part of a
automated cyber risk event-driven insurance system, i.e. automated resource pooling
systems that is triggered by the occurrence of cyber risk events within the boundary
conditions of the predefined applicable framework, i.e. the predefined risk transfer
framework. Such a n automated cyber risk insurance system can be embodied based
on a resource-pooling system 1 for risk sharing of measured cyber risks of a variable
number of risk exposure components 2 1, 22, 23 thereby providing dynamic selfsufficient
risk protection for the risk exposure components 2 1, 22, 23, ... by means of the
resource-pooling system 1. Self-sufficient means in the context of this application, that
the system 1 is adapting the amount of pooled resources in a way, that the operation
of the system 1 can be up-held to cover losses in case of the occurrence of risk events
during the defined time-period of risk-transfer, especially it means that the operation of
the risk-transfer system 1 can be up-held without human interaction or human
adjustment. In this sense, in Figure 2, reference numeral 1 refers to the resource-pooling
system for risk sharing of the risk exposure components 2 1, 22, 23... The resource-pooling
system 1 provides dynamic self-sufficient risk protection and a corresponding risk
protection structure for a variable number of risk exposure components 2 1, 22, 23, i.e.
operational units, enterprises etc., by its means. The system 1 includes a t least one
processor and associated memory modules. The system 1 can also include one or more
display units and operating elements, such a s a keyboard, and/or graphic pointing
devices, such a s a computer mouse. The resource-pooling system 1 is a technical
device comprising electronic means that can be used by service providers in the field
of risk transfer or insurance technology for risk transfer tasks related to cyber risks. The
invention seeks to technically capture, manage and automate complex related
operations in the insurance industry. Another aspect provides for synchronizing and
adjusting such operations based on technical means. In contrast to the standard
approaches, the resource-pooling system also achieves reproducible operations with
the desired technical, repetitious accuracy, because it relies completely on technical
means, process flow and process control/operation. The resource-pooling system 1 can
be implemented a s a technical platform, which is developed and implemented for
providing cyber risk transfer through a plurality of (but a t least one) payment receiving
modules 4. The risk exposure components 2 1, 22, 23, etc. are connected to the
resource-pooling system 1 by means of the plurality of payment receiving modules 4
that are configured to receive and store payments 214, 224, 234 from the risk exposure
components 2 1, 22, 23 for the pooling of their risks in a payment data store 6. In one
variant of the system 1, the number of pooled risk exposure components 2 1, 22, 23, ...
can e.g. be dynamically adaptable by means of the resource-pooling system 1 within a
range where non-covariant, occurring risks covered by the resource-pooling system 1
affect only a relatively small proportion of the totally pooled risk exposure components
2 1, 22, 23, ... at any given time. The resource-pooling system comprises a n automated
measuring, accumulation and monitoring system, a s described above. The resourcepooling
system 1 comprises a n event-driven trigger module 3 comprising capturing
devices 3 1, 32, 33 triggering in a data flow pathway 2 13, 223, 233 to provide risk
protection for a specific risk exposure component 2 1, 22, 23, ... based o n received and
stored payments 214, 224, 234 of the risk exposure components 2 1, 22, 23
The accumulated total cyber risk 50 of the pooled risk exposure
components 2 1, 22, 23, ... comprises a first risk contribution 5 1 of each pooled risk
exposure component 2 1, 22, 23,... associated with the risk of measuring operational
interruption or service denial, a second risk contribution 52 of each pooled risk exposure
component 2 1, 22, 23,... associated with the risk of measuring a data privacy breach
on third party data, a third risk contribution 53 of each pooled risk exposure component
2 1, 22, 23,... associated with the risk of measuring material damage a s a consequence
of a failure of the electronic means or the risk of measuring a cyber attack, and a fourth
risk contribution 54 of each pooled risk exposure component 2 1, 22, 23,... associated
with the risk of measuring a coordinated attack on scopes of intellectual property, e.g.
a s parametric data, a s defined for the risk component 2 1, 22, 23, ...
The automated cyber risk event-driven resource pooling system further
comprises a n accumulation device 5 with a repository unit 8 for the segmentation and
for accumulating the cyber risk 50 of a risk component 2 1, 22, 23, ... according to the
risk contributions 5 1, 52, 53, 54 by means of parameterized risk exposure segments. Each
of the risk contributions 5 1, 52, 53, 54 is associated with a parameterized risk exposure
segment, and wherein the repository unit 8 of the accumulation device 5 comprises a
searchable trigger table 7 with retrievably stored segmentation parameters 721 , 722,
723, 724, each of which is associated with defined measuring parameters 7 1 1, 712, 713,
714 for capturing the risk exposure of a specific risk exposure segment 5 1, 52, 53, 54 by
means of said associated measuring parameters 7 1 1, 712, 7 13, 714. Accordingly, a
cyber risk loss occurs a s a consequence of the capturing measuring parameters 7 1 1,
712, 713, 714 associated to a first, second, third or fourth risk contribution 5 1, 52, 53, 54.
The stored segmentation parameters 721 , 722, 723, 724 and/or associated measuring
parameters 7 1 1, 712, 713, 714 can e.g. be dynamically adapted by means of a trigger
module 3, particularly based on time-correlated incidence data for cyber risk
segmentation conditions and/or cyber risk measurement conditions indicating changes
in technical measurement devices or applicable cyber risk segmentation 5 1, 52, 53, 54.
The retrievably stored segmentation parameters 721 , 722, 723, 724 of the searchable
trigger table 7 can e.g. comprise or be based on corresponding predefined or
dynamically adapted parameter tables. The parameter tables can e.g. include (i) a
table of amount a t stake parameters capturing which amount from the risk transfer
parameters, a s for example defined by policy parameters, has to be taken a s basis for
a maximum loss calculation (this can be e.g. the loss associated with the total
transferred risk i.e. the sum insured, a sub limit, etc..) by means of the system 1; (ii) table
of country parameters giving a grading of regions (e.g. mature market, developing
market, emerging market) with a higher factor where legislation and cyber practice
makes the third partly exposure higher; (iii) table of industry code parameters capturing
facts a s e.g. the fact that hospitals and banks factors will be higher for the personal
data scenario because they have more sensitive data - a s opposed to say construction
companies; (iv) table of intensity parameters reflecting a specific treaty type or loss/risk
transfer structure (e.g. so proportional treaties with numerous policies will have a higher
factor than non proportional); (v) table of lines of business combination parameters,
which is used to identify a n amount at stake for treaties that combine several lines e.g.
if risk transfer is based upon motor and casualty risk exposure, most premium origin from
motor, which is not exposed to cyber risks, therefore the system 1 has to consider this
fact; and (vi) table of lines of business factors, wherein e.g. cyber products have a
factor of 1 while other incidental coverage have scaling factors applied whether they
cover the risk or not (e.g. aviation will have a small impact while accident will have zero
because not covered). Therefore, the segmentation parameters 721 , 722, 723, 724,
respectively the parameters of the parameter tables provide inter alia the means for
parameterizing and/or generating the likelihood and for generating the corresponding
impact. As a n embodiment variant, each parameter is generated by further assigning
a n appropriate value in a defined range to its assigned area. The assigned value can
then be multiplied by a fixed weighting for each parameter. Such a n approach
enables the system 1 to generate a score for each likelihood and impact parameter.
Such generated likelihood and impact scores can then e.g. be added together to
generate overall likelihood and impact scores. The likelihood weightings for each
parameter, can, if applied, take any appropriate form or values, a s e.g. 10 for very
significant, 7 -9 for significant, 4-6 for moderate, and 1-3 for low. For this embodiment
variant, each of the parameters for likelihood is multiplied by the corresponding
likelihood weighting which results in a n overall score for a likelihood. Further, the
parameters capturing impact weightings can e.g. comprise a s values 10 for critical, 7-9
for high, 4-6 for moderate and 1-3 for low, or any other appropriate scaling. For this
embodiment variant, the impact parameters are multiplied by the corresponding
impact weighting resulting a n overall impact score. The weightings can e.g. be applied
to both the overall likelihood and impact scores to produce a scaled score. This scaled
scores can e.g. be used to generate categories of likelihood and impact of a particular
area, wherein the categories can e.g. be determined by assigning a range of values to
each category. In this way, the system can define weighting categories which
correspond to risk classifications and/or parameterized risk exposure segments
capturing the risk contributions 5 1, 52, 53, 54.
The trigger module 3 sequentially selects the segmentation parameters 721 ,
722, 723, 724 from the searchable trigger table 7 by retrieving the associated measuring
parameters 7 1 1, 712, 713, 714 for each of the segmentation parameters 721 , 722, 723,
724. The capturing devices 3 1, 32, 33 connect the trigger module 3 to the risk
components 2 1, 22, 23, ... to detect and capture measuring values for the measuring
parameters 7 1 1, 712, 713, 714 that are related to the occurrence of cyber risk events
within the data pathway of said electronic means 2 13, 223, 233.
The accumulation device 5 accumulates the total risk 50 of the risk
component 2 1, 22, 23, ... by means of the trigger module 3, and wherein the
accumulation device 5 is triggered by the trigger module 3 transmitting captured
measuring values by means of the measuring parameters 7 1 1, 712, 713, 714, and
wherein the accumulation is achieved by accumulating over all sequentially selected
segmentation parameters 721 , 722, 723, 724 from the trigger table 7.
The payments 214, 224, 234 from the risk exposure components 2 1, 22, 23, ...
for the pooling of their risks and resources is determined by means of the accumulation
device 5, based on the total accumulated cyber risk 50 of the risk exposure
components 2 1, 22, 23, ... As one embodied variant, the accumulation device 5
comprises a n assembly module for processing risk-related component data 2 1 1, 221 ,
231 and providing the likelihood 2 12, 222, 232 of said risk exposure for one or a plurality
of the pooled risk exposure components 2 1, 22, 23, ... based o n the risk-related
component data 2 1 1, 221 , 231 , and wherein the receiving and preconditioned storage
6 of payments 214, 224, 234 from risk exposure components 2 1, 22, 23, ... for the pooling
of their risks can be dynamically determined based on total accumulated cyber risk 50
and/or the likelihood of risk exposure of the pooled risk exposure components 2 1, 22, 23,
.... The storage of the payments can be implemented by transferring and storing
component-specific payment parameters. The payment amount can be determined
dynamically by means of the resource-pooling system 1 based o n total cyber risk of the
overall pooled risk exposure components 2 1, 22, 23. For the pooling of the resources,
the resource-pooling system 1 can comprise a monitoring module that requests a
periodic payment transfer, a s e.g. premium parameter transfer, from the risk exposure
components 2 1, 22, 23, etc. to the resource-pooling system 1 by means of the one or
more payment transfer control modules 4, and wherein the risk protection for the risk
exposure components 2 1, 22, 23 e.g. can be interrupted by the monitoring module,
when the periodic transfer is no longer detectable by the monitoring module. The
payment transfer control module 4 can, a s a n input device, comprise one or more
data processing units, displays and other operating elements, such a s a keyboard
and/or a computer mouse or another pointing device. The receiving operation of the
payments with regard to the risk exposure components 2 1, 22, 23 can be monitored
based o n the stored component-specific payment parameters in the payment data
store 6. The different components of the resource-pooling system 1, such a s e.g. the
payment transfer control module 4 with the trigger module 3 and the accumulation
device 5, can be connected via a network for signal transmission. The network can
comprise, e.g., a telecommunications network, such a s a hard-wired or wireless
network, e.g., the internet, a GSM network (Global System for Mobile Communications),
a n UMTS network (Universal Mobile Telecommunications System) and/or a WLAN
(Wireless Local Area Network), a Public Switched Telephone Network (PSTN) and/or
dedicated point-to-point communication lines. The payment transfer control module 4
and/or trigger module 3 and the accumulation device 5 can also comprise a plurality
of interfaces for connecting to the telecommunications network, adhering to the
respective transmission standard or protocol. As one embodied variant, the payment
transfer control module 4 can also be implemented in the manner of a n external
device relative to the resource-pooling system 1 providing the risk transfer service via
the network for signal transmission, e.g. by a secured data transmission line.
As also illustrated, schematically, in Figure 2, the monitoring system a s well a s
the resource-pooling system 1 includes a data storing module for capturing the riskrelated
component data and multiple functional modules; e.g., namely the payment
transfer control module 4, the trigger module 3 with the measuring devices 3 1, 32, 33,
e.g. measuring sensors, the accumulation device 5 or the assembly module. The
functional modules can be implemented a t least partly a s programmed software
modules and stored on a computer readable medium, connected a s fixed or
removable to the processor(s) of system 1 or to associated automated systems. One
skilled in the art understands, however, that the functional modules can also be
implemented fully by means of hardware components, units and/or appropriately
implemented modules. As illustrated in Figure 2, the system can be connected via a
network, such a s a telecommunications network, to the payment transfer control
module 4. The network can include a hard-wired or wireless network; e.g., the internet,
a GSM network (Global System for Mobile Communication), a n UMTS network (Universal
Mobile Telecommunications System) and/or a WLAN (Wireless Local Region Network),
and/or dedicated point-to-point communication lines. In any case, the technical
electronic money scheme for the present system comprises adequate technical,
organizational and procedural safeguarding means to prevent, contain and detect
threats to the security of the scheme, particularly counterfeiting threats. The system
comprises, furthermore, all the necessary technical means for electronic money transfer
and association, e.g. initiated by one or more associated payment transfer control
modules 4 via a n electronic network. The monetary parameters can be based on all
possible electronic and transferable means, such a s e.g. e-currency, e-money,
electronic cash, electronic currency, digital money, digital cash, digital currency, or
cyber currency, etc., which can only be exchanged electronically. The payment data
store 6 provides the means for associating and storing monetary parameters associated
with single items of the pooled risk exposure components 2 1, 22, 23. The present
invention can involve the use of any of the mentioned networks, such a s e.g. computer
networks or telecommunication networks, and/or the internet and digital stored value
systems. Electronic funds transfer (EFT), direct deposit, digital gold currency and virtual
currency are further examples of electronic monetary modalities. Also, the transfer can
further involve technologies, such a s financial cryptography and technologies enabling
the same. For the transaction of the monetary parameters, it is preferable for hard
electronic currency to be used, particularly without the technical possibility for disputing
the same or reversing any charges. The system supports, for example, non-reversible
transactions. The advantage of this arrangement is that the operating costs of the
electronic currency system are greatly reduced by not having to resolve payment
disputes. However, this way, it is also possible for electronic currency transactions to
clear instantly, making the funds available immediately to the system 1. This means that
the use of hard electronic currency is more akin to a cash transaction. However, also
conceivable is the use of soft electronic currency, such a s currency that allows for the
reversal of payments, for example having a "clearing time" of 72 hours, or the like. The
modality of the electronic monetary parameter exchange applies to all connected
systems and modules related to the system 1 of the present invention, such a s e.g. the
payment transfer control module 4. The monetary parameter transfer to the resourcepooling
system 1 can be initiated by a payment-transfer control module 4 or upon
request by the system 1.
If a n occurrence of a cyber risk event is triggered that is associated with the
first, second, third or fourth segmentation parameter 7 1, 72, 73 in the data flow
pathway 2 13, 223, 233 of a risk exposure component 2 1, 22, 23 by means of the
measuring devices 3 1, 32, 33, a loss associated with first, second, third or fourth
segmentation parameter 7 1, 72, 73 is distinctly covered by the resource pooling system
1, particularly by means of a transfer of payments from the resource-pooling system 1 to
the risk exposure component 2 1, 22, 23 As embodied variant provides that upon
each triggering of a n occurrence of measuring parameters indicating a cyber risk 7 1 1,
712, 7 13, 714, a total parametric payment is allocated with the triggering, and wherein
the total allocated payment is transferable upon a triggering of the occurrence of a
cyber risk event according to the segmentation parameters 721 , 722, 723, 724 and
captured by the measuring values of the measuring parameters 7 1 1, 712, 713, 714.
Claims
1. A system for the measurement, accumulation and monitoring of
diverging cyber risks, and wherein risk components (21 , 22, 23, ...) comprise electronic
means (213, 223, 233) for processing electronic data and/or executing electronic
processing codes, and/or data-processing related storage devices and/or execution
devices and/or graphic representation devices, and wherein the risk components (21 ,
22, 23, ...) are exposed to a plurality of cyber risks (51 , 52, 53, 54) by said electronic
means (213, 223, 233), and wherein a cyber risk is related to the probability for the
occurrence of a cyber risk event to risk components (21 , 22, 23, ...), characterized,
in that the system comprises a n accumulation device (5) with a repository
unit (8) for the segmentation of the total cyber risk (50) of a risk component (21 , 22, 23,
...) by means of parametrizable risk exposure segments, and wherein the repository unit
(8) of the accumulation device (5) comprises a searchable trigger table (7) with
retrievably stored segmentation parameters (721 , 722, 723, 724), each of which is
associated with corresponding measuring parameters (71 1, 712, 713, 714) for capturing
the risk exposure of a specific risk exposure segment by means of said associated
measuring parameters (71 1, 712, 713, 714),
in that the stored segmentation parameters (721 , 722, 723, 724) comprise at
least first segmentation parameters (721 ) for segmenting a first risk contribution (51 )
associated with measurements of operational interruption or service denial, and
second segmentation parameters (722) for segmenting a second risk contribution (52)
associated with measurements of a data privacy breach o n third party data by means
of the risk component (21 , 22, 23, ...), and third segmentation parameters (723) for
segmenting a third risk contribution (53) associated with measurements of material
damage measuring parameters a s a consequence of a failure of the electronic means
of the risk component (21 , 22, 23, ...) or associated with measurements of a cyber
attack, and fourth segmentation parameters (724) for segmenting a fourth risk
contribution (54) associated with measurements of coordinated attack o n scopes of
intellectual property a s defined for the risk component (21 , 22, 23, ...),
in that the system comprises a trigger module (3), wherein the trigger
module (3) is connected to the risk components (21 , 22, 23, ...) by means of capturing
devices (31 , 32, 33) in order †o detect and capture measuring values for the measuring
parameters (71 1, 712, 713, 714) related to the occurrence of cyber risk events within the
data pathway of said electronic means (213, 223, 233), and
in that the accumulation device (5) accumulates the total risk (50) of a risk
component (21 , 22, 23, ...), segmentation by segmentation, by means of the trigger
module (3) by sequentially selecting the segmentation parameters (721 , 722, 723, 724)
from the trigger table (7) and retrieving the associated measuring parameters (71 1, 712,
713, 714) for each of the segmentation parameters (721 , 722, 723, 724), and by
triggering the trigger module (3) based o n the retrieved measuring parameters to
capture measuring values for the retrieved measuring parameters (71 1, 712, 713, 714)
from the risk components (21 , 22, 23, ...) by means of the capturing devices (31 , 32, 33),
and wherein the accumulation of the total cyber risk (50) is achieved by means of the
accumulation device (5) for the diverging cyber risks that accumulates over all
sequentially selected segmentation parameters (721 , 722, 723, 724) of the trigger table
(7).
2. The system according to claim 1, characterized in that the accumulated
cyber risk is weighted by a weighting unit (9) using corresponding weighting factors (91 ,
92, 93, 94) relative to accounting technological field conditions and/or geographical
allocation conditions of a risk component (21 , 22, 23, ...).
3. The system according to claim 1 or 2, characterized in that the system
comprises a signal generation module for generating a n output signal based o n the
measured and accumulated total cyber risk of a risk component (21 , 22, 23, ...), and
wherein the system comprises a n interface module for transmitting the output signal to
a n automated cyber risk insurance system, and wherein the output signal comprises at
least the accumulated cyber risk (50) and a n identifier of the risk component (21 , 22, 23,
...) associated with the accumulated cyber risk.
4. The system according to claim 3, characterized in that the output signal
further comprises a pooling factor indicating a payment value that is needed for the
pooling of the risk of the risk exposure component (21 , 22, 23, ...) based o n the total
accumulated cyber risk (50).
5. The system according to any one of the claims 1 to 4, characterized in
that the trigger module (3) further comprises measuring devices (31 , 32, 33) that are
coupled to the data pathway of said electronic means (213, 223, 233) of the risk
components (21 , 22, 23, ...), and wherein, upon the occurrence of a cyber risk event,
the occurrence is automatically detected by means of the measuring devices (31 , 32,
33) and transmitted to the signal generation module that generates a n appropriate
output signal, which indicates the occurrence, and transmits the output signal to the
automated cyber risk insurance system.
6. A method for the measurement and accumulation of diverging cyber
risks, wherein risk components (21 , 22, 23, ...) comprise electronic means (213, 223, 233)
for the processing of electronic data and/or executing electronic processing codes,
and/or data-processing related storage devices and/or execution devices and/or
graphic representation devices, and wherein the risk components (21 , 22, 23, ...) are
exposed to a plurality of cyber risks, and wherein the cyber risks are related to the
occurrence of cyber events in real time, capturable by predefined measuring
parameters (71 1, 712, 713, 714) associated with said electronic means (213, 223, 233),
characterized,
in that the cyber risk of a risk component (21 , 22, 23, ...) is segmented and
accumulated by means of a n accumulation device (5) with a repository unit (8), and
wherein the repository unit (8) of the accumulation device (5) comprises a searchable
trigger table (7) with retrievably stored segmentation parameters (721 , 722, 723, 724)
each of which is associated with defined measuring parameters (71 1, 712, 713, 714) for
capturing the risk exposure of a specific risk exposure segment by means of said
associated measuring parameters (71 1, 712, 713, 714),
in that the stored segmentation parameters (721 , 722, 723, 724) comprise a t
least first segmentation parameters (721 ) for segmenting a first exposure value (51 )
associated with measurements of operational interruption or service denial, second
segmentation parameters (722) for segmenting a second exposure value (52)
associated with measurements of a data privacy breach o n third party data by means
of the risk component (21 , 22, 23, ...), third segmentation parameters (723) for
segmenting a third exposure value (53) associated with measurements of material
damage measuring parameters in consequence of the operation of the electronic
means (213, 223, 233) of the risk component (21 , 22, 23, ...) or associated with
measurements of a cyber attack, and fourth segmentation parameters (724) for
segmenting a fourth exposure value (54) that is associated with measurements of a
coordinated attack on scopes of intellectual property a s defined for the risk
component (21 , 22, 23, ...),
in that the segmentation parameters (721 , 722, 723, 724) are sequentially
selected by means of a trigger module (3) from the trigger table (7), and the
associated measuring parameters (71 1, 712, 7 13, 714) are retrieved for each of the
segmentation parameters (721 , 722, 723, 724),
in that the trigger module (7) is connected to the risk components (21 , 22,
23, ...) by means of capturing devices (31 , 32, 33), and wherein measuring values for
the measuring parameters (71 1, 712, 713, 714) that are related to the occurrence of
cyber risk events are detected and captured by means of the capturing devices (31 ,
32, 33) within the data pathway of said electronic means(213, 223, 233), and
in that the accumulation device (5) accumulates the total risk (50) of the
risk components (21 , 22, 23, ...) by means of the trigger module (7), and wherein the
accumulation device (5) is triggered by the trigger module (7) and transmits captured
measuring values by means of the measuring parameters (71 1, 712, 713, 714), and
wherein the accumulation is achieved by the accumulation device (5) that
accumulates overall the sequentially selected segmentation parameters (721 , 722, 723,
724) from the searchable trigger table (7).
7. The method according to claim 6, characterized in that the
accumulated cyber risk is weighted by a weighting unit by means of corresponding
weighting factors that are based o n technological field factors of the risk component
(21 , 22, 23, ...) and/or geographical allocation factors of the risk component (21 , 22, 23,
. . .) .
8. The method according to claim 6 or 7, characterized in that the system
comprises a signal generation module for generating a n output signal that is based o n
the measured and accumulated total cyber risk (50) of a risk component (21 , 22, 23,
...), and wherein the system comprises a n interface module for transmitting the output
signal †o a n automated cyber risk insurance system, and wherein the output signal
comprises at least the accumulated cyber risk (50) and a n identifier of the risk
component (21 , 22, 23, ...) that is associated with the accumulated cyber risk (50).
9. Method according to claim 8, characterized in that the output signal
further comprises a pooling factor indicating a payment value that is needed for
pooling the risk of the risk exposure components (21 , 22, 23, ...) based o n the total
accumulated cyber risk (50).
10. The method according to any one of the claims 6 to 9, characterized in
that the comprised measuring devices (31 , 32, 33) are coupled to the data pathway of
said electronic means (213, 223, 233) of the risk components (21 , 22, 23, ...), and
wherein, upon the occurrence of a cyber risk event, the occurrence is automatically
detected by means of the measuring devices (213, 223, 233) and transmitted by means
of measuring parameters to the signal generation module that generates a n
appropriate output signal, which indicates the occurrence, and transmits the output
signal to the automated cyber risk insurance system.
11. An automated cyber risk insurance system based o n a resource-pooling
system ( 1 ) for risk sharing of measured cyber risks of a variable number of risk exposure
components (21 , 22, 23, ...) by providing dynamic self-sufficient risk protection for the
risk exposure components (21 , 22, 23, ...) by means of the resource-pooling system ( 1 )
comprising a n accumulation system according to claim 1 or 2, and wherein the risk
exposure components (21 , 22, 23, ...) are connected to the resource-pooling system ( 1 )
by means of a payment transfer control module (4) that is configured to receive and
store (6) payments (214, 224, 234) from the risk exposure components (21 , 22, 23, ...) for
the pooling of their risks and resources, and wherein the resource-pooling system ( 1 )
comprises a n event-driven trigger module (3) comprising capturing devices (31 , 32, 33)
that trigger in a data flow pathway (213, 223, 233) to provide risk protection for a
specific risk exposure component (21 , 22, 23, ...) based on received and stored
payments (214, 224, 234) of the risk exposure components (21 , 22, 23, ...), characterized
in that the accumulated total cyber risk (50) of the pooled risk exposure
components (21 , 22, 23, ...) comprises a first risk contribution (51 ) of each pooled risk
exposure component (21 , 22, 23,...) associated with the risk of measuring operational
interruption or service denial, a second risk contribution (52) of each pooled risk
exposure component (21 , 22, 23,...) associated with the risk of measuring a data
privacy breach o n third party data, a third risk contribution (53) of each pooled risk
exposure component (21 , 22, 23,...) associated with the risk of measuring material
damage a s a consequence of a failure of the electronic means or the risk of measuring
a cyber attack, and a fourth risk contribution (54) of each pooled risk exposure
component (21 , 22, 23,...) associated with the risk of measuring a coordinated attack
on scopes of intellectual property defined for the risk component (21 , 22, 23, ...),
in that the system comprises a n accumulation device (5) with a repository
unit (8) for segmenting and accumulating the cyber risk (50) of a risk component (21 ,
22, 23, ...) according to the risk contributions (51 , 52, 53, 54) by means of parameterized
risk exposure segments, and wherein each of the risk contributions (51 , 52, 53, 54) is
associated with a parameterized risk exposure segment, and wherein the repository unit
(8) of the accumulation device (5) comprises a searchable trigger table (7) with
retrievably stored segmentation parameters (721 , 722, 723, 724) each of which is
associated with defined measuring parameters (71 1, 712, 7 13, 714) for capturing the risk
exposure of a specific risk exposure segment (51 , 52, 53, 54) by means of said
associated measuring parameters (71 1, 712, 713, 714), and wherein a cyber risk loss
occurs a s a consequence of capturing measuring parameters (71 1, 712, 713, 714)
associated with a first, second, third or fourth risk contribution (51 , 52, 53, 54),
in that the trigger module (3) sequentially selects the segmentation
parameters (721 , 722, 723, 724) from the searchable trigger table (7) by retrieving the
associated measuring parameters (71 1, 712, 7 13, 714) for each of the segmentation
parameters (721 , 722, 723, 724),
in that the capturing devices (31 , 32, 33) connect the trigger module (3) to
the risk components (21 , 22, 23, ...) to detect and capture measuring values for the
measuring parameters (71 1, 712, 713, 714) related to the occurrence of cyber risk
events within the data pathway of said electronic means (213, 223, 233),
in that the accumulation device (5) accumulates the total risk (50) of the
risk component (21 , 22, 23, ...) by means of the trigger module (3), wherein the
accumulation device (5) is triggered by the trigger module (3) and transmits captured
measuring values by means of the measuring parameters (71 1, 712, 713, 714), and
wherein the accumulation is achieved by accumulating overall sequentially selected
segmentation parameters (721 , 722, 723, 724) from the trigger table (7),
in that the payments (214, 224, 234) from the risk exposure components (21 ,
22, 23, ...) for the pooling of their risks and resources is determined based o n the total
accumulated cyber risks (50) of the risk exposure components (21 , 22, 23, ...),
in that in case that a n occurrence of a cyber risk event is triggered that is
associated with the first, second, third or fourth segmentation parameter (71 , 72, 73) in
the data flow pathway (213, 223, 233) of a risk exposure component (21 , 22, 23) by
means of the measuring devices (31 , 32, 33), a loss associated with the first, second,
third or fourth segmentation parameter (71 , 72, 73) is distinctly covered by the resource
pooling system ( 1 ) by means of a transfer of payments from the resource-pooling
system ( 1 ) to the risk exposure component (21 , 22, 23, ...).
12. The cyber risk insurance system according to claim 11, wherein the
accumulation device (5) comprises a n assembly module for processing risk-related
component data (21 1, 221 , 231 ) and for providing the likelihood (21 2, 222, 232) of said
risk exposure for one or a plurality of the pooled risk exposure components (21 , 22, 23,
...) based o n the risk-related component data (21 1, and wherein the receiving and
preconditioned storage (6) of payments (214, 224, 234) from risk exposure components
(21 , 22, 23, ...) for the pooling of their risks can be dynamically determined based on
the total accumulated cyber risk (50) and/or the likelihood of the risk exposure of the
pooled risk exposure components (21 , 22, 23, ...).
13. The cyber risk insurance system according to one of the claims 11 or 12,
wherein the number of pooled risk exposure components (21 , 22, 23, ...) can be
dynamically adapted by means of the resource-pooling system ( 1 ) to a range where
non-covariant, occurring risks covered by the resource-pooling system ( 1 ) affect only a
relatively small proportion of the totality of pooled risk exposure components (21 , 22, 23,
...) at a given time.
14. The cyber risk insurance system according to one of the claims 11 to 13,
wherein the stored segmentation parameters (721 , 722, 723, 724) and/or the associated
measuring parameters (71 1, 712, 713, 714) are dynamically adapted by means of a
trigger module (3) based on time-correlated incidence data for cyber risk
segmentation conditions and/or cyber risk measurement conditions indicating changes
in technical measurement devices or applicable cyber risk segmentation (51 , 52, 53,
54).
15. The cyber risk insurance system according to any one of the claims 11 to
14, wherein, upon each triggering (31 ) of a n occurrence with regard to measuring
parameters indicating a cyber risk (71 1, 712, 713, 714), a total parametric payment is
allocated along with the triggering, and wherein the total allocated payment is
transferable when the occurrence of a cyber risk according to the segmentation
parameters (721 , 722, 723, 724) and captured measuring values of the measuring
parameters (71 1, 712, 713, 714) is triggered.