A Theory to Estimate, Bound, and Manage Systemic Cyber-Risk
Author(s)
Pal, Ranjan; Duan, Konnie; Sequeira, Rohan
Publisher with Creative Commons License
Creative Commons Attribution
Terms of use
Abstract
The market to manage critical infrastructure cyber-risks using cyber insurance (CI) has been growing steadily (but not fast enough) as it is still skeptical of the extent of economic and societal impact of systemic risk across networked supply chains in interdependent IT-driven enterprises. To demystify this skepticism, we first study in this paper the role of (a) the statistical nature of multiple enterprise cyber-risks contributing to aggregate supply chain risk and (b) the graph structure of the underlying enterprise supply chain network, in the statistical spread of aggregate cyber-risk. We provide statistical tail bounds on the aggregate cyber-risk that a risk managing firm such as a cyber insurer is exposed to in a supply chain. Subsequently, we study the problem of aggregate cyber-risk management by cyber re-insurance firms via portfolio design to optimally diversify aggregate/systemic cyber-risk sourced from multiple CIs insuring enterprises on a supply chain. We propose the first mathematical framework for re-insurers to test the operational sustainability of systemic cyber-risk diversification portfolios with respect to the standard Value-at-Risk (VaR) metric for general aggregate cyber risk distributions. We also propose a statistical copula methodology to make systemic cyber-risk portfolio diversification sustainable for re-insurers in scenarios where the sustainability test fails. We validate our theory via Monte Carlo simulations.
Description
SIGSIM-PADS ’25, Santa Fe, NM, USA
Date issued
2025-06-22
Department
Sloan School of Management; Massachusetts Institute of Technology. Department of Electrical Engineering and Computer Science
Publisher
ACM|39th ACM SIGSIM Conference on Principles of Advanced Discrete Simulation
Citation
Ranjan Pal, Konnie Duan, and Rohan Sequeira. 2025. A Theory to Estimate, Bound, and Manage Systemic Cyber-Risk. In Proceedings of the 39th ACM SIGSIM Conference on Principles of Advanced Discrete Simulation (SIGSIM-PADS '25). Association for Computing Machinery, New York, NY, USA, 70–80.
Version: Final published version
ISBN
979-8-4007-1591-4