Modeling Malicious Hacking Data Breach Risks

Malicious hacking data breaches cause millions of dollars in financial losses each year, and more companies are seeking cyber insurance coverage. The lack of suitable statistical approaches for scoring breach risks is an obstacle in the insurance industry. We propose a novel frequency-severity model to analyze hacking breach risks at the individual company level, which would be valuable for underwriting purposes. We find that breach frequency can be modeled by a hurdle Poisson model, which is different from the negative binomial model used in the literature. The breach severity shows a heavy tail that can be captured by a nonparametric- generalized Pareto distribution model. We further discover a positive non-linear dependence between frequency and severity, which our model also accommodates. Both the in-sample and out-of-sample studies show that the proposed frequency-severity model that accommodates nonlinear dependence has satisfactory performance and is superior to the other models, including the independence frequency-severity and Tweedie models.