A stochastic SIR model for cyber contagion: application to granular growth of firms and to insurance portfolio

TL;DR

This paper introduces a stochastic multi-group SIR model integrated with a granular firm growth model to assess the financial impact of cyber contagion on firms and insurance portfolios, validated with real ransomware data.

Contribution

It develops a novel stochastic contagion model that captures firm heterogeneity and environmental variability, enabling quantitative risk assessment for cyber insurance.

Findings

Model predicts insurer losses up to two days of revenue with 50% probability during a 100-day cyber event.

Application to LockBit ransomware shows the model's practical utility in real-world scenarios.

Framework provides immediate insights into financial severity of cyber incidents for insurers.

Abstract

This work evaluates the impact of contagious cyber-events, over a finite horizon, on firms' financial health and on a cyber insurance portfolio. Our approach builds on key empirical findings from economics and cybersecurity. In economics, firm size and growth-rate distributions are non-Gaussian and exhibit heavy tails. In cybersecurity, contagion dynamics strongly depend on firm size and environmental conditions. To capture these features, we propose a stochastic multi-group SIR model coupled with a granular model of firm growth. This framework allows us to quantify the financial impact of cyber-attacks on firms' revenues and on the insurer's portfolio. In the model, the arrival time and duration of cyber-attacks are driven by a combination of a Cox process and a Bernoulli random variable. The Cox process represents external contagion, with an intensity given by the force of infection derived from the stochastic SIR dynamics. The Bernoulli component captures contagion originating from an infected sister or subsidiary firm. Environmental variability enables stochastic scenario generation and the computation of aggregate exceedance probabilities, a standard metric in catastrophe modeling that provides insurers with immediate insight into the financial severity of an event. We apply the framework to the LockBit ransomware attacks observed between May and July 2024. For a portfolio of 2,929 firms located in Ile-de-France, the model predicts that, with 50% probability, the insurer will need to compensate losses equivalent to up to two days of revenue over a 100-day cyber incident.