Cyber risk has become a major theme in information security research. Yet relatively little is known about its statistical features and how it evolves over time. This paper utilizes three cyber databases to examine the empirical properties of cyber risk. We first deal with report delays with an extended two-stage model and then identify structural changes in the frequency and severity of different cyber risk categories. We document that for malicious events the frequency has grown exponentially in the past two decades and the financial loss distribution has shifted toward greater severity since 2018. The increasing trends for other categories are slower in frequency and less clear in severity. We also explore the tail dynamics and find that the heavy-tailedness of cyber risk is persistent. Finally, we discuss the implications of the documented empirical features and show that they lead to lower insurance demand and potentially higher risk levels for firms.
Event Title
16th International Conference of the ERCIM WG on Computational and Methodological Statistics, 17th International Conference on Computational and Financial Econometrics