Entity-Specific Cyber Risk Assessment Using Insurtech-Empowered Risk Factors

The lack of high-quality public cyber incident data limits empirical research and predictive modeling for cyber risk assessment. This challenge persists because companies are reluctant to disclose incidents that could damage their reputation or investor confidence. From an actuarial perspective, potential resolutions include these: the enhancement of existing cyber incident datasets and the implementation of advanced modeling techniques to optimize the use of the available data. A review of existing data-driven methods highlights a significant lack of entity-specific organizational features in publicly available datasets. To address that gap, we propose a novel insurtech framework that enriches cyber incident data with entity-specific organizational features. We develop various machine learning (ML) models: a multilabel classification model to understand the occurrence of cyber incident types (e.g., privacy violation, data breach, fraud and extortion, IT error, and others) and a multi-output regression model to estimate their annual frequencies. While classifier and regressor chains are also implemented to explore dependencies among cyber incident types, no significant correlations are observed in our datasets. We also apply multiple interpretable ML techniques to identify and cross-validate potential risk factors developed by insurtech across ML models. We find that compared with conventional risk factors, insurtech-empowered features enhance occurrence and frequency estimation robustness. The framework generates transparent, entity-specific cyber risk profiles, supporting customized underwriting and proactive cyber risk mitigation. It provides insurers and organizations with data-driven insights to support decision-making and compliance planning.