4 Key Takeaways From “Small Businesses and the New Frontier of Cyber CAT Modeling” White Paper
New publication with Guy Carpenter proposes improvement to the modeling of SMB risks
Recently, global risk and reinsurance specialist Guy Carpenter joined with At-Bay to publish a white paper titled “Small Businesses and the New Frontier of Cyber Catastrophe Modeling.” This co-authored paper explains how a lack of historical data about the technology adoption and security postures of small and medium businesses (SMBs) makes it difficult for cyber catastrophe (CAT) models to properly assess SMB cyber aggregation.
The paper uses At-Bay’s portfolio data to apply the impacts of fundamental security controls, namely multi-factor authentication (MFA) and endpoint detection and response (EDR), to the cyber CAT model, resulting in more accurate modeling of SMB risk — an adjustment that could be applied to any vendor model.
Following are the key takeaways from the white paper.
1. Accurately Quantifying SMB Risk Is Crucial for Capacity Deployment and Risk Management
In a 2023 study by NetDiligence, 98% of cyber claims from the last five years came from businesses with under $2B in revenue. As a result, more and more SMBs are seeking cyber insurance coverage, now representing 45% of the cyber market exposure — an increase of 45% over the last five years.¹
Additionally, recent attack trends have shown threat actors targeting common entry points to maximize efficiency, and the typical ransomware attack can now be considered an opportunistic aggregation attack rather than a targeted attack. This opportunistic attack method affects the frequency of cyber claims for SMBs more than for large businesses, because resource constraints lead SMBs to adopt security controls less often. In fact, according to Coveware, 67% of organizations impacted by ransomware in Q4 2023 were SMBs with fewer than 1,000 employees.
The increased share of SMBs in the cyber insurance market, coupled with increased ransomware attacks affecting SMBs, means that accurate quantification of their aggregation potential is critical for capacity deployment and risk management.
2. SMB Security Postures Are More Heterogeneous Than Large Businesses
Security controls have been evolving at a rapid pace to match the progression of threat actors, and these modern security products have proven to mitigate the impact of attacks. For this reason, today’s cybersecurity landscape emphasizes sophisticated and comprehensive risk controls, which are unattainable for many SMBs due to limited security budgets and personnel.
However, compared to the overall SMB segment, SMBs with cyber insurance coverage generally exhibit stronger security postures. This sets the security posture of small businesses with cyber insurance or cybersecurity significantly apart from that of the general population, and it is very important to incorporate this security posture gap in models to accurately quantify the cyber aggregation risk of the corresponding SMB portfolio.
3. Cyber CAT Models Still Struggle to Reflect SMB Risks
Cyber catastrophe (CAT) models can struggle to reflect the disparities of cybersecurity postures in the SMB space due to:
- A lack of publicly available historical incident data about attacks on SMBs
- A lack of credibility in public data due to the complex, dynamic nature of ransomware
- Insufficient information on SMBs, their tech stacks, and the technological dependencies within their networks
- Interdependencies among SMBs, which tend to rely heavily on critical infrastructure and third-party software services, making them especially vulnerable to widespread disruptions
The insurance industry needs to deepen its understanding of internal security controls within the defensive aspect of cyber risk so this inside-out information can then be effectively overlaid to improve model accuracy.
4. Including Security Controls in CAT Models Enables Efficient Capital Allocation
Adjusting vendor CAT model outputs to reflect the impacts of fundamental security controls allows for the differentiation of SMB risks. A robust view of modeled loss potential that includes key differentiators will support confident growth in a market segment poised for continued expansion.
This paper proposes a framework for how modelers can improve vendor model accuracy. An example using At-Bay data for EDR and MFA security controls shows significant impact on the return period gross loss ratio – a 17% reduction in CAT-only tail losses on the 250-year return period in At-Bay’s portfolio when MFA and EDR security controls are accounted for in the model. The adjustment modifies the ground-up loss simulation per policy and can be applied to any vendor model.
Current vendor CAT models have been playing an important role in the capital allocation decision process, and this adjustment to SMB risk modeling could help attract capital at scale in the SMB segment.
¹ According to proprietary information from GC CyberExplorer DataLake®