Data Support for Critical Cyber Book Management

CYCALC® – INFORMED UNDERWRITING STRATEGIES

Quantar’s cyber valuation platform provides your enterprise with client-specific and aggregated data across multiple levels for cyber product and service development. Having data at a micro and macro level facilitates growth strategies for the cyber segment. Understanding the total cyber portfolio within the book is critical in hedging or transferring excess exposure for long-term stability and compliance.

  • Selection & Pricing

    Cyber insurance underwriting poses new and emerging issues – Quantar can provide the data you need to make informed decisions…

  • The Data Challenge

    Our CyCalc proprietary technology acquires client-specific cyber threat & risk data. By combining & modelling multiple data sources….

  • New Cyber Frontier

    Cyber risk management is not a technical cyber security problem; it is a multi-faceted business risk. In the same way that other….

  • Informed Insurance®

    Our unique CyCalc® underwriting & valuation support platform used to assess, select & price cyber coverage… 


Informed Insurance®

Most actuarial models draw on easily accessible, authoritative sources of data; for cyber, there is an absence of any meaningful information to draw from. For general P&C underwriting, the picture is clear, with little variance over a considerable period of time. Even in the case of modelling natural disasters, the models have sufficient data to undertake analysis to determine overall exposures with high confidence levels.

Loss events or near misses are generally well reported for mainstream risks, but the information security sector estimates that more than 50% of data breaches go unreported, despite there being mandatory breach reporting laws in the US and now the EU. The reasons are obvious, aside from the direct cost of informing customers and providing backup services for their financial and identity security. Customer churn rates have been proven to increase post-breach report, with confidence in a breached company falling over a sustained period.

For cases of near misses, or even simple threat data and vulnerabilities posed to a customer, the probability of them informing a potential cyber insurer is close to zero. As such, there is a fundamental asymmetry of relevant data, with a consequent increased risk of adverse selection by an underwriter. Unlike other forms of P&C products, for cyber products there is reliance upon the judgement and experience of the underwriter.

For cyber risks, the key issue is the sheer number of attributes that affect impact, whether immediately, or into long-run periods that may not be comprehended at the time of a risk event. Discovery of a data breach may take place at a far later time, with multiple impacts, ranging from legal fees to a severe negative market reaction.

Variables that must be considered at the very least for cyber include degree of cyber security maturity, risk appetite and risk management posture, IT topology, in-house versus external contracted skill sets, employee training and profiles, location and time zones and physical infrastructure.

Even when an attempt is made to account for as many of the variables as possible, much of the data has a lower relevance in future periods because the volume and type of threat are constantly evolving. To what degree does an underwriter attach a level of weighting to cyber risks? What models should be used to account for the voluminous parameters?

Quantar developed CyCalc® purely to provide financial institutions and large enterprises with the capability to calculate, model and manage cyber risks through the use of multiple data and actuarial and operational models. See how your enterprise can use our platform for insightful underwriting data.

How Can We Help You?

  • Providing a financial value for your cyber risks
  • Clear identification of processes at most risk
  • “What-if” scenarios for modelling mitigation actions
  • Risk profile aggregation for total portfolio management
  • Historical trend analysis and audit traceability
  • Future projections of threats and risk values

Using Quantar's CyCalc® Cyber Analytics

Quantar supports underwriters through the provision of proprietary client cyber risk data in many forms.

This ranges from actual attacks experienced by an enterprise, to modelling of mitigation actions to identify the most effective means of reducing or eliminating financial risk exposure.

CyCalc® provides you with a means of aiding the assessment and pricing process, and it also serves as an added-value service to your clients for corporate risk management and data breach law compliance.

Solutions

Case Usage

  • Assess Prospective & Actual Cyber Client Risk

    View cyber threats experienced by the insured over time

    Project extrapolated threat data into future periods of up to 12 months

    Use red/amber/green visual warnings to trigger risk event management

    Identify risk appetite through trend analysis

  • Price Risks by Coverage & Terms

    Utilise industry standard risk statistics for enhanced modelling

    Define overall risk exposure through application of temporal profiles

    Drill-down capability provides deep insight into risk types with individual and overall results

    Run audit reports for in-house and client benefit and for regulatory compliance

  • Accumulation & Exposure Management

    Run model for future attack rate forecasts

    Calculate future expected loss exposure up to 12 months ahead

    Determine conditional expected shortfall

    Identify tail risk

    Review exposures according to confidence level

    Aggregate total exposure for cyber portfolio management

  • Client Advisory & Regulatory Compliance

    Create baseline scenario to determine existing level of financial risk

    Utilise “what-if” capability to model mitigation action efficiency for optimal capital allocation

    Define sequencing of security enhancements to arrive at desired risk exposure

    Match risk appetite to total enterprise cyber risk valuation for corporate risk management

    Save scenarios for regulatory data breach compliance documentary support

  • Create Sectoral Profiles

    Map business processes to system and categories for dependency modelling

    Manage outsourced process risk through adjustable weighting selection

    Model temporal shift impacts upon overall financial risk from downtime or process outage

    Determine required granularity of model according to requirements

    Configure for non-electronic threats, including malicious insiders and physical infrastructure damage

  • Multi-data + Multi-model Approach

    Combine multiple sources of data

    Add cyber-security metrics

    Subtract risk mitigation actions

    Incorporate your client’s enterprise risk management values

    Assess the predictive cyber risk analytics quantified financial impact

    Run what-if alternative mitigation to assess outcomes

WHO WE SERVE

ELIMINATE YOUR CYBER UNDERWRITING DATA RISK CHALLENGES

CYCALC® A UNIQUE, PATENTED SYSTEM AND METHOD FOR VALUING CYBER RISKS

Quantar has been in the business of valuing cyber risks since 1999, with our first patents applied for in 2003. Since then, our systems and valuation processes have been protected by a series of patents, which continues today. We are uniquely positioned to offer the deep insight you need to correctly assess, price and manage customer cyber financial exposures.

INDUSTRIES WE SERVE

WE WORK WITH GLOBAL BRANDS

Our cyber threat quantification & valuation expertise allows your business to focus on your real underwriting & pricing needs. Quantar has you covered with bespoke cyber threat valuation predictive analytics solutions.

PLATFORM

Quantar’s application suite is composed of three modules that operate to capture threat data, and to analyze and value the risks of your company being connected to the internet.

The IPTAP data acquisition system acquires, aggregates and identifies the cyber and privacy threats posed to your business, taking actual cyber threat data and using industry-standard methods of prioritizing and calculating targeted assets owned by your enterprise.

Our patented system technology acts covertly and does not penetrate your confidential and proprietary data.

Taking actual company-specific cyber threat data ensures accuracy and appropriateness when analyzing and predicting current and future trends. Quantar’s applications comprise two multi-model analytic modules for threat data analysis.

The first of these solutions, Network Operational Risk Manager (n-ORM), identifies which business processes would be affected by a successful attack and calculates the financial losses that would result.

The cost-benefit assessment function enables financial evaluation of implementing various cyber risk mitigation options.

The second module of the analytics suite, Predictive Analytics Engine (PAE), allows users to use different statistical analysis methods for the same sets of cyber threat data.

This enables your business to set your enterprise’s risk appetite or regulatory compliance thresholds and actively monitor actual and ongoing cyber/privacy threat exposure levels. Each module has a print-to-store functionality for all cyber and privacy risk data plus financial exposure over any period selected.

Quantar’s application reporting provides an easy-to-understand cyber risk exposure report, together with any risk reduction actions over a user-defined period.

The applications suite enables your enterprise to optimize all cyber and business continuity programs.

Built-in RAG (Red; Amber; Green) warning systems enable a simple visual check of the current cyber risk exposure level and whether this is still within the defined limits prescribed by senior management or by the regulatory environment.

With CyCalc Suite, we can assist your business to:

  • implement a self-documenting operational risk valuation infrastructure integrating actual organization-specific threat data & user defined data into a single repository for cyber risk management & for regulatory compliance
  • adopt consistent cyber threat operational values-at-risk methodology throughout your organization
  • create group-wide overviews of your business process and technology interdependency cyber threat operational risks; provide the requisite levels of transparency and traceability for regulatory authorities and to simplify calculation explanations to satisfy auditors
  • enhance capital allocation efficiencies through modeling “what-if” scenarios for cyber threat risk mitigation options, maximizing your enterprise’s business efficiencies
  • reduce the costs of regulatory compliance through eliminating expensive duplications of cyber threat risk management & compliance functions into a single, integrated solution.

CyCalc Suite

Quantar CyCalc Suite is composed of 3 modules: Network Operational Risk Manager (n-ORM), Predictive Analytics Engine (PAE), and Internet Protocol Threat Assessment System (IPTAP).

 

Network Operational Risk Manager (n-ORM)

Quantar’s Network Operational Risk Manager (n-ORM) combines four distinct functionalities into a consolidated tool to enable all businesses to measure and generate a cyber financial value at risk for the interconnectivity between corporate networks and the internet.

  • Use n-ORM to calculate your organization’s financial cyber threat exposure in an easy to understand and simple to use manner.
  • Understand which business processes are the most vulnerable and have the highest loss impact upon your organization.
  • View the historical trend of cyber threat risk exposure simply using the graphical output or tables to ensure tomorrow’s threats are accounted for.
  • Utilize the risk mitigation calculation engine to calculate the ROI for each risk mitigation action available to you and optimize capital expenditure allocation.
  • Combine the output from n-ORM with Predictive Analytics Engine in determining the level of risk you wish to reduce through insurance or alternative risk transfer.
  • Create pro-active strategies for managing cyber threat value-at-risk into future time periods.
  • Account for cyber and non-cyber impacts upon business processes from occurrences such as power outages, fire, floods, and insider attacks.

n-ORM delivers traffic capture, packet analysis, process mapping, and an algorithmic engine into a single, easy to use product, for the benefit of senior management, I.T. security teams, risk management and/or business continuity teams, plus audit and compliance units.

Configuration is divided into automated determinants, as well as manual inputs from the user, to derive a cyber threat financial value-at-risk. The ability of the application to import previous scenarios, multiple business process maps and handle multiple languages results in a quick and efficient method of ensuring an organization’s risk exposure is aligned with the stated levels of risk appetite set by senior management and can also be utilized for ensuring compliance with current and emerging regulations.

From V4.3 onwards, n-ORM has had a multi-language capability option, including Cyrillic character sets such as Arabic, and can therefore be utilized across multiple locations where there are differences in local languages.

n-ORM also benefits from the “what-if” functionality for capital budgeting and cost-benefit analysis of independent risk management mitigation actions. This component of the application delivers an easy to understand, visual representation of how a cyber threat value-at-risk exposure may be reduced by single or consecutive mitigation actions until the desired cyber threat value at risk for your organization is

 

Predictive Analytics Engine (PAE)

 

Network operational risks are those associated with virus attacks, targeted attacks (hacking) and physical attacks (damaging or immobilizing technology infrastructure).

Quantar’s Predictive Analytics Engine (PAE) uses quantitative modeling techniques, enabling a quantification of risk metrics for such attacks. These are then utilized in the calculation of the cyber threat Value at Risk, risk-capital measures and also the associated cost of mitigation insurance.

For the first time, your organization has available the financial loss exposure caused by the cyber threats it has actually experienced, so that such potential financial losses can be risk managed. Predictive analytics of your network attack data creates forward-looking financial values at risk, allowing pro-active cyber risk management strategies and pre-emptive actions to be formulated.

Having current and future predictive values provides the means to evaluate capital allocation efficiencies for cyber threat management. Having a current I.T. security capability today does not mean it will remain static against future cyber threats. PAE gives you the power to forecast security requirements into future periods.

PAE analytics provide greater stochastic modeling capabilities than those within n-ORM and are able to compute a wider range of analytical measures aimed at meeting new and emerging requirements for stress testing of risk models.

The system takes a primary three-phase approach to modeling, consisting of a time-series component, a risk calculation component and a post-processing layer. Within phase one, there are a number of optional features that may be enabled or disabled by the end user:

  • Utilizing a linear or an exponential process model
  • A normal or weighted data model whereby the most recent data has a higher degree of importance in the forecast and simulation
  • A standard least squares or a robust model to take account of the particularities of cyber attack data.

Within the second phase, a Monte Carlo simulation model is utilized which takes a range of input and configuration data and computes risk distributions.

The calculation engine generates probability distribution functions, enabling various statistics to be drawn and utilized within the system in deriving the financial quantification of the cyber threats experienced by your organization, as well as those for future periods.
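An added illustration of the three phases described above (weighted time-series forecast, Monte Carlo risk calculation, post-processing into risk measures); it is not Quantar's code or algorithm. The attack counts, the Poisson frequency and lognormal severity model, and every parameter value are assumptions made for the example.

```python
import math
import random

# Constructed sample: monthly counts of detected attack events (not real data).
HISTORY = [12, 15, 14, 18, 21, 19, 24, 26, 25, 30, 33, 31]

def weighted_linear_fit(y, decay=0.9):
    """Weighted least squares for y = a + b*t; the newest point has weight 1."""
    n = len(y)
    w = [decay ** (n - 1 - t) for t in range(n)]
    sw = sum(w)
    t_mean = sum(wi * t for t, wi in enumerate(w)) / sw
    y_mean = sum(wi * yi for wi, yi in zip(w, y)) / sw
    sxy = sum(wi * (t - t_mean) * (yi - y_mean)
              for t, (wi, yi) in enumerate(zip(w, y)))
    sxx = sum(wi * (t - t_mean) ** 2 for t, wi in enumerate(w))
    slope = sxy / sxx
    return y_mean - slope * t_mean, slope

def forecast(y, horizon=12, decay=0.9):
    """Phase one: project the fitted linear trend `horizon` periods ahead."""
    a, b = weighted_linear_fit(y, decay)
    return [max(a + b * (len(y) + h), 0.0) for h in range(horizon)]

def poisson(rng, lam):
    """Knuth's sampler; adequate for the small rates used here."""
    limit, k, p = math.exp(-lam), 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k

def simulate_losses(rates, p_loss=0.02, mu=10.0, sigma=1.2, runs=5000, seed=7):
    """Phase two: Monte Carlo total loss over the horizon, sorted ascending.
    Assumed model: events ~ Poisson(rate * p_loss), loss ~ lognormal(mu, sigma)."""
    rng = random.Random(seed)
    totals = []
    for _ in range(runs):
        total = 0.0
        for lam in rates:
            for _ in range(poisson(rng, lam * p_loss)):
                total += rng.lognormvariate(mu, sigma)
        totals.append(total)
    return sorted(totals)

def risk_measures(sorted_losses, level=0.95):
    """Phase three: expected loss, VaR and conditional expected shortfall."""
    idx = min(int(level * len(sorted_losses)), len(sorted_losses) - 1)
    tail = sorted_losses[idx:]
    return {
        "expected": sum(sorted_losses) / len(sorted_losses),
        "var": sorted_losses[idx],
        "cvar": sum(tail) / len(tail),
    }

if __name__ == "__main__":
    print(risk_measures(simulate_losses(forecast(HISTORY))))
```

Lowering `decay` gives recent months more influence on the trend, and raising `level` moves the VaR and shortfall figures further into the tail.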

 

Internet Protocol Threat Assessment Program

 

Quantar’s Internet Protocol Threat Assessment Program (IPTAP) acquires threat and risk data specific to your enterprise, utilizing our patented methodologies, to ensure accuracy and appropriateness of data for effective cyber threat risk management.

Internet Protocol Threat Assessment Program captures inbound network traffic and detects and stores attack information. Placement of the system is external to your organization’s network security perimeter within the DMZ.

With this location, it is important that the system is not compromised; the system is not directly addressable. Quantar patented a methodology in 2002 that enables the system to be managed remotely, without being placed in the position of being attacked.

Other vendors utilize cloud-based application hosting, leaving potential for compromise in a number of ways. Indeed cloud threats are one of the drivers for the need to accurately value cyber threats. For this reason, our back-end systems are NOT connected to your organization’s network directly and constantly.

IPTAP generates temporal profiles of attacks, and these are exported in XML file format via fileswap or web for use by n-ORM, PAE or third-party applications as inputs of your organization’s actual threat event exposure. Quantar’s applications and methodologies utilize your organization’s proprietary data in deriving your cyber value at risk, combined with other external data.

The IPTAP system does not capture and store the content within packet data, since this can create regulatory compliance and privacy issues – particularly for organizations operating or servicing the E.U. market.

The output data of IPTAP can also be used for fine-tuning perimeter defenses and as historic OpRisk data for audit and compliance.
