For natural catastrophe risk, individual policy exposures can be aggregated within geographic zones. Similarly, cyber exposures can be aggregated using CRA-Zones.™ Cyber Risk Accumulation Zones (CRA-Zones™) were established to provide an easy to use open framework to measure and understand catastrophic cyber risk exposure. The CRA-Zones™ framework defines the minimal elements needed to provide a view of aggregated cyber exposure. CRA-Zones™ allow for analysis across multiple portfolios of risks and monitoring of exposure trends. The framework also supports regulatory efforts for setting a standard for data collection for cyber exposure management.
Geographic location is still important when assessing cyber catastrophe risk, however, two additional elements must be taken into account to properly assess cyber risk aggregation - industry sector and company size. The foundation of the CRA-Zones™ is built on acquired historical data and continuous analysis of millions of cyber incidents worldwide. Analysis has shown significant correlation between companies from the same location and industry tending to use the same third-party service providers and technologies, leaving them exposed to corresponding cyber attacks. Additionally, the analysis demonstrated that entity size has a direct correlation to technologies used, cyber preparedness, security policies, cybersecurity spending, and level of sophistication of cyber attacks.
Overview:
CRA-Zones are made up of the following elements:
Location - Country-level worldwide and state granularity in the US -based on the ISO-3166 Alpha-2 Standard.
Industry - Industry classification breakdown based on the SIC classification system with additional granularity options.
Entity Size - Based on commonly used revenue bands. The framework is built to accommodate users with various levels of data. In cases with insufficient data, an automated data extrapolation technique can be applied for cyber exposure analysis using CRA-Zones. Zones can be viewed in low or high granularity. The views are built to accommodate the ability to use the platform despite varying quality of data within a group of risks.
Advantages of implementing CRA-Zones
Open framework - No need to license a model
Understand your cyber risk accumulation
Facilitate portfolio risk diversification
Easily track portfolio aggregation trends
Gain a view of risk that reflects risk accumulation across multiple portfolios
Benefits of Applying Additional Data Layers on CRA-Zones™
Detect correlation between risk accumulation & cyber attacks trends
Monitor compliance with defined risk appetite
Support regulatory reporting obligations
Financially quantify probable maximum loss (PML) events
Benchmark to average losses and average industry exposure per zone