Developing tools to measure commercial exposure to cyber threats

Credit: Markus Spiske/Unsplash

The Cambridge Centre for Risk Studies (CCRS) is at the forefront of research into cyber risk insurance products and cyber risk management internationally, and has been influential in helping companies in various sectors, notably insurance, to manage new or newly recognised risks.

CCRS was founded in 2009 to study systemic risk; specifically, to bring research into systemic risk into focus in corporations across all sectors and to provide business-ready frameworks and tools to manage systemic risks.

It has done so by engaging directly with organisations to produce research outputs that are immediately applicable to those sectors engaged in assessing and managing cyber risks.

For instance, researchers provided important analysis which demonstrated that physical damage to power generators could be engineered at a mass scale, causing blackouts to millions of people along the East Coast of the USA over a prolonged period. This has had substantial and ongoing impact for risk regulation of insurance companies. Further work showed the potential for cyber terrorists to inflict physical damage to industrial plants and commercial real estate.

CCRS’s research has provided a disciplined approach to building threat taxonomies and populating cyber risk categories with scenarios and models to recognise and then quantify commercial exposure to cyber threats.

This has been used by a number of organisations across the sector, namely: a risk modelling company, Risk Management Solutions (RMS), to build and sell cyber catastrophe risk models to the cyber insurance industry; an insurance company, Pool Re, to underpin its new, since 2018, cover of cyber terror insurance; and an insurance regulator and market facilitator, Lloyd’s of London, to manage the financial risk reporting of its syndicate members regarding cyber insurance products.

“We quickly recognised CCRS [Cambridge Centre for Risk Studies] as one of the leading thinkers in the emerging threat area of cyber and since then, we have worked together in understanding, quantifying and scoping the threat of cyber-terrorism.”

– Chief Underwriting Officer, Pool Re