Loss Exceedance Modeling - Algorithm & Methodology
Comprehensive documentation of Rankiteo's Monte Carlo simulation engine for cyber risk quantification - covering frequency models, severity distributions, correlation structures, and portfolio analytics.
1. Executive Summary
Rankiteo's Loss Exceedance Modeling engine (v2.1) provides cyber underwriters with a professional-grade Monte Carlo simulation platform for quantifying portfolio-level cyber risk. The engine generates Aggregate Exceedance Probability (AEP) and Occurrence Exceedance Probability (OEP) curves, decomposes losses by cyber peril, computes marginal risk contributions per company, and supports reinsurance layer analysis, catastrophe stress testing, and cat bond pricing with 14 real-world cyber cat bonds from the Artemis Deal Directory.
The model follows FAIR (Factor Analysis of Information Risk) principles: Risk = Poisson(Frequency) × Lognormal(Severity in USD), applied independently per company per peril across 25,000 simulated years. Severity is calibrated to NetDiligence Claims Study 2024 benchmarks in absolute USD, capped by coverage limit, and scaled by company size.
| Component | v1.0 (Legacy) | v2.1 (Current) |
|---|---|---|
| Frequency | Bernoulli (max 1 event/year) | Poisson (multiple events/year) |
| Severity | % of coverage limit | Absolute USD (capped by limit) |
| Calibration | Synthetic parameters | NetDiligence 2024 claims data |
| Industry | Not differentiated | 24 hazard groups (0.7x–1.6x) |
| Company size | Not modeled | Size multiplier (micro 0.05x – multinational 1.0x) |
| OEP | Max single-company loss | Max correlated peril event across portfolio |
| Diversification | Proportional scaling (~0%) | Per-company VaR99 independent tracking |
| Cat bonds | Not available | 14 real-world bonds + custom parametric |
2. Model Architecture
┌──────────────────────────────────────────────────────┐
│ INPUT PARAMETERS                                     │
│ Coverage Limit · Retention · Correlation Factor      │
│ Severity Model · Confidence Levels · Filters         │
└───────────────────────────┬──────────────────────────┘
                            ▼
┌──────────────────────────────────────────────────────┐
│ DATA ENRICHMENT LAYER                                │
│ Portfolio companies from portfolio management system │
│ Scores from company security scoring engine          │
│ Incidents from cyber incident intelligence feed      │
│ Industry, employees, band from company profiles      │
└───────────────────────────┬──────────────────────────┘
                            ▼
┌──────────────────────────────────────────────────────┐
│ PER-COMPANY PER-PERIL FREQUENCY                      │
│ 6 perils × N companies = frequency matrix            │
│ f(score, incidents, incident_types, peril)           │
└───────────────────────────┬──────────────────────────┘
                            ▼
┌──────────────────────────────────────────────────────┐
│ MONTE CARLO SIMULATION ENGINE                        │
│ 25,000 simulated years                               │
│ Correlated trigger via common shock factor           │
│ Per-event severity from chosen distribution          │
│ Gross loss → Net loss (after retention)              │
└───────────────────────────┬──────────────────────────┘
                            ▼
┌──────────────────────────────────────────────────────┐
│ OUTPUT COMPUTATION                                   │
│ AEP curve · OEP curve · Return period table          │
│ Peril decomposition · Company contributions          │
│ Reinsurance layer · Stress scenarios · Sensitivity   │
└──────────────────────────────────────────────────────┘
3. Peril Definitions
The model decomposes cyber risk into 6 distinct perils, each with calibrated base frequency (Poisson λ) and severity parameters (absolute USD, lognormal):
| Peril | Base λ | Mean Severity (USD) | σ | Source & Rationale |
|---|---|---|---|---|
| Ransomware | 0.12 | $4,500,000 | 1.2 | NetDiligence 2024: median $4.5M. Highest frequency peril; heavy tail (double extortion drives large losses) |
| Data Breach | 0.08 | $4,880,000 | 1.0 | IBM/Ponemon 2024: US avg $4.88M. Per-record costs, regulatory fines, class actions |
| Cloud/Vendor Outage | 0.05 | $2,500,000 | 0.9 | Parametrix estimates. Correlated across portfolio; BI-driven. Elevated post-Iran strikes (Mar 2026) |
| Supply Chain Attack | 0.04 | $4,910,000 | 1.1 | NetDiligence: $4.91M avg. Low frequency, high impact (SolarWinds, MOVEit, Change Healthcare) |
| BEC / Social Engineering | 0.10 | $250,000 | 0.8 | FBI IC3 2024: median ~$250K. High frequency, low severity; narrow distribution |
| System Failure (non-attack) | 0.06 | $1,400,000 | 0.7 | Advisen: ~$1.4M avg BI from non-attack failures. CrowdStrike outage (Jul 2024) is reference event |
Severity Distribution Interpretation
For lognormal severity with mean=$4.5M, σ=1.2 (Ransomware):
μ = ln(mean_usd) - σ²/2 = ln(4,500,000) - 1.44/2 = 14.60
Median: e^μ = e^14.60 ≈ $2.2M
Mean: $4.5M (by construction)
95th percentile: e^(μ + 1.645×σ) ≈ $16M
99th percentile: e^(μ + 2.33×σ) ≈ $59M
Loss = min(coverage_limit, raw_severity × size_multiplier)
→ A $4.5M draw for a micro company (0.05x) = $225K
→ A $4.5M draw for a multinational (1.0x) = $4.5M
→ A $59M draw capped at $5M coverage limit = $5M
4. Frequency Model
4.1 Score-Based Frequency Adjustment
Each company's Rankiteo score (0-1000) modulates the base peril frequency:
score_factor = max(0.5, (1000 - score) / 350)
| Score | Band | Score Factor | Effect |
|---|---|---|---|
| 950 (Aaa) | Excellent | 0.50× | Halves base frequency |
| 800 (A) | Good | 0.57× | ~40% reduction |
| 650 (B) | Weak | 1.00× | Neutral (baseline) |
| 500 (C) | Critical | 1.43× | +43% increase |
| 300 | Very Poor | 2.00× | Doubles base frequency |
4.2 Incident History Boost
Companies with historical cyber incidents receive frequency uplifts:
incident_boost = min(0.5, total_incidents × 0.03)
Additionally, peril-specific boosts apply when incident types match:
If company has ransomware incidents → ransomware frequency += min(0.1, ransomware_count × 0.02)
If company has breach incidents → data_breach frequency += min(0.1, breach_count × 0.02)
4.3 Incident Type to Peril Mapping
| Incident Type | Mapped Peril |
|---|---|
| ransomware, malware | Ransomware |
| data breach, breach, leak | Data Breach |
| outage | Cloud/Vendor Outage |
| supply chain | Supply Chain Attack |
| phishing | BEC / Social Engineering |
| ddos | System Failure |
4.4 Industry Hazard Group Factor
Each industry receives a frequency multiplier based on observed claim rates (aligned with the premium engine's hazard group classification):
| Industry | Factor | Industry | Factor | Industry | Factor |
|---|---|---|---|---|---|
| Healthcare | 1.6× | Finance/Banking | 1.4× | Technology | 1.2× |
| Government | 1.3× | Telecom | 1.3× | Insurance | 1.3× |
| Energy/Utilities | 1.2× | Legal | 1.1× | Retail | 1.1× |
| Manufacturing | 0.9× | Construction | 0.8× | Agriculture | 0.7× |
4.5 Final Per-Company Per-Peril Poisson Lambda
λ(company, peril) = min(1.0, base_λ × score_factor × industry_factor + peril_specific_boost)
n_events_per_year ~ Poisson(λ) → can be 0, 1, 2, 3+ events/year
λ is capped at 1.0 (average 1 event/year). The Poisson distribution allows multiple events per year, which is critical for capturing the multi-hit scenarios that drive tail losses. Under the old Bernoulli model, a company could only have 0 or 1 event per peril per year.
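An added example (not Rankiteo's code) that computes the section 4.5 λ for one company across all six perils, using the tables from sections 3, 4.3 and 4.4. Assumptions: the function and key names are made up for the example, incident counts are taken after the 4.3 mapping (so malware counts toward ransomware), unlisted industries get 1.0×, and the general incident_boost from 4.2 is left out because the 4.5 formula does not reference it.

```python
# Added example, not Rankiteo code. Table values are copied from the page;
# the company record used in the demo is constructed.

# Section 3: base Poisson lambda per peril.
BASE_LAMBDA = {
    "ransomware": 0.12, "data_breach": 0.08, "cloud_outage": 0.05,
    "supply_chain": 0.04, "bec": 0.10, "system_failure": 0.06,
}

# Section 4.3: incident type -> peril.
INCIDENT_TO_PERIL = {
    "ransomware": "ransomware", "malware": "ransomware",
    "data breach": "data_breach", "breach": "data_breach", "leak": "data_breach",
    "outage": "cloud_outage", "supply chain": "supply_chain",
    "phishing": "bec", "ddos": "system_failure",
}

# Section 4.4: the twelve industries shown on the page.
INDUSTRY_FACTOR = {
    "healthcare": 1.6, "finance/banking": 1.4, "technology": 1.2,
    "government": 1.3, "telecom": 1.3, "insurance": 1.3,
    "energy/utilities": 1.2, "legal": 1.1, "retail": 1.1,
    "manufacturing": 0.9, "construction": 0.8, "agriculture": 0.7,
}

# Section 4.2 defines peril-specific boosts for these two perils only.
BOOSTED_PERILS = ("ransomware", "data_breach")


def score_factor(score):
    """Section 4.1: a 650 score is neutral, floor at 0.5x."""
    return max(0.5, (1000 - score) / 350)


def count_by_peril(incident_types):
    """Map free-text incident types to perils; unknown types are ignored."""
    counts = dict.fromkeys(BASE_LAMBDA, 0)
    for incident_type in incident_types:
        peril = INCIDENT_TO_PERIL.get(incident_type.strip().lower())
        if peril is not None:
            counts[peril] += 1
    return counts


def company_lambdas(score, industry, incident_types):
    """Section 4.5: lambda per peril for one company, capped at 1.0."""
    sf = score_factor(score)
    ind = INDUSTRY_FACTOR.get(industry.strip().lower(), 1.0)  # assumption: default 1.0
    counts = count_by_peril(incident_types)
    lambdas = {}
    for peril, base in BASE_LAMBDA.items():
        boost = min(0.1, counts[peril] * 0.02) if peril in BOOSTED_PERILS else 0.0
        lambdas[peril] = min(1.0, base * sf * ind + boost)
    return lambdas


if __name__ == "__main__":
    # Constructed company: poor score, healthcare, three ransomware-class incidents.
    history = ["Ransomware", "malware", "ransomware", "phishing", "unclassified"]
    for peril, lam in company_lambdas(300, "Healthcare", history).items():
        print(f"{peril:15s} lambda = {lam:.3f}")
```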
5. Severity Models
Three severity distributions are available, all producing absolute USD loss amounts. The coverage limit acts as a cap, not a scaling factor:
gross_loss = min(coverage_limit, raw_severity_usd × size_multiplier)
net_loss = max(0, gross_loss - retention)
5.1 Lognormal (Default, Recommended)
μ = ln(mean_usd) - σ²/2
raw_severity = lognormvariate(μ, σ) → absolute USD
- Right-skewed with heavy tail - standard in actuarial cyber modeling
- Calibrated to NetDiligence 2024 claims data (mean USD per peril)
- Coverage limit caps the loss, does not scale it
- Company size multiplier (0.05x–1.0x) adjusts for firm scale
5.2 Pareto (Heavy Tail)
α = max(1.5, 2.5 - σ × 0.5)
raw_severity = (paretovariate(α) - 1) × mean_usd / (α - 1)
- Heavier tail than lognormal - models extreme/catastrophic scenarios
- Use when portfolio is exposed to systemic risks (shared cloud, single vendor)
5.3 Beta (Light Tail)
raw_severity = mean_usd × betavariate(2, 5) × 3
- Lighter tail - models well-contained, attritional losses
- Use for mature portfolios with strong controls and low deductibles
5.4 Size Multiplier Table
| Company Size | Employees | Multiplier | Example: $4.5M Ransomware Draw |
|---|---|---|---|
| Micro | <10 | 0.05× | $225,000 |
| Small | 10–49 | 0.15× | $675,000 |
| Medium | 50–249 | 0.35× | $1,575,000 |
| Large | 250–999 | 0.65× | $2,925,000 |
| Very Large | 1,000–4,999 | 0.85× | $3,825,000 |
| Multinational | 5,000+ | 1.00× | $4,500,000 |
5.5 Regional Severity Adjustment
Severity benchmarks are US-based (NetDiligence, IBM/Ponemon). For non-US companies, a regional multiplier adjusts loss amounts to reflect local cost structures:
gross_loss = min(coverage_limit, raw_severity × size_mult × region_mult)
| Region | Multiplier | Rationale |
|---|---|---|
| United States | 1.00× | Baseline. Highest litigation costs, class actions, regulatory fines |
| Middle East / UAE | 0.90× | High but growing market. Elevated post-Iran strikes (Mar 2026) |
| United Kingdom | 0.85× | ICO fines lower than US class actions; strong IR market |
| EU / Germany / France | 0.80× | GDPR fines significant but structured differently than US tort |
| Australia / Japan / APAC | 0.70× | Lower per-record costs; less litigious environment |
| Brazil / LATAM | 0.55× | LGPD enforcement still maturing |
| India | 0.50× | Lower cost base; DPDPA 2023 still early enforcement |
6. Correlation Model
6.1 Common Shock Factor
Inter-company loss correlation is modeled via a common shock approach:
common_shock ~ Uniform(0, 1) [drawn once per simulation year]
For each company × peril:
    correlated_λ = base_λ × (1 + ρ × (common_shock - 0.5) × 4)
    n_events ~ Poisson(correlated_λ)
Effect: In high-shock years (common_shock > 0.75), all lambdas inflate by ~ρ×2
        In low-shock years (common_shock < 0.25), all lambdas deflate by ~ρ×2
Where ρ is the correlation_factor parameter (default: 0.15).
6.2 Correlation Interpretation
| ρ | Interpretation | Use Case |
|---|---|---|
| 0.00 | Fully independent | Diversified portfolio, no shared vendors |
| 0.15 | Moderate (default) | Typical cyber portfolio with some shared tech stack |
| 0.30 | High | Portfolio concentrated in one sector/technology |
| 0.50 | Very high | Systemic exposure (shared cloud provider) |
| 1.00 | Perfectly correlated | All companies hit simultaneously (stress scenario) |
6.3 Effect on Portfolio Risk
Higher correlation increases tail risk (VaR, TVaR) without significantly changing AAL. This reflects the actuarial principle that correlation affects the shape of the loss distribution's tail, not its mean.
7. Monte Carlo Simulation Engine
7.1 Simulation Loop (Poisson + Absolute USD)
For each of 25,000 simulated years:
for year in range(25,000):
    common_shock = random()  # Systemic factor for this year
    peril_event_totals = {peril: 0 for peril}  # For OEP tracking
    for each company in portfolio:
        size_mult = SIZE_TABLE[company.employees]
        for each peril in [Ransomware, Breach, Cloud, SupplyChain, BEC, SysFailure]:
            corr_λ = base_λ × (1 + ρ × (common_shock - 0.5) × 4)
            n_events = Poisson(corr_λ)  # 0, 1, 2, 3+ events possible
            for each event:
                raw_severity = Lognormal(mean_usd, σ)  # Absolute USD
                gross_loss = min(coverage_limit, raw_severity × size_mult)
                net_loss = max(0, gross_loss - retention)
                AEP_total += net_loss
                peril_event_totals[peril] += net_loss  # Correlated event tracking
                company_loss += net_loss
    OEP = max(peril_event_totals.values())  # Max systemic event across portfolio
    AEP_losses.append(AEP_total)
    OEP_losses.append(OEP)
7.2 Key Design Decisions
- Poisson frequency: A company can have 3 ransomware events in one year. Under Bernoulli (v1.0), max was 1 - this underestimated tail risk by ~20-30%
- Absolute USD severity: A ransomware attack costs what it costs ($4.5M mean) regardless of coverage limit. The limit only caps the payout; it does not scale the loss
- Size multiplier: Micro companies (0.05x) experience proportionally smaller losses than multinationals (1.0x). Reuses catastrophe module factors
- OEP = max peril event: A systemic ransomware campaign hitting 10 companies counts as one "occurrence" with aggregate loss. More realistic for reinsurance pricing than max single-company loss
- Per-company tracking: Each company's losses are tracked per-simulation for accurate diversification benefit calculation
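A runnable version of the 7.1 loop, added here as an example and not taken from Rankiteo's engine: Poisson frequency, lognormal severity in absolute USD, the common-shock multiplier from 6.1, and OEP taken as the largest per-peril portfolio total. Assumptions: the sample portfolio and its freq_factor values are constructed, Python's random module has no Poisson sampler so Knuth's method is used, and the λ multiplier is floored at zero because the 6.1 formula goes negative when ρ > 0.5 in low-shock years.

```python
import bisect
import math
import random

# Peril parameters from section 3: (base lambda, mean severity USD, sigma).
PERILS = {
    "ransomware": (0.12, 4_500_000, 1.2),
    "data_breach": (0.08, 4_880_000, 1.0),
    "cloud_outage": (0.05, 2_500_000, 0.9),
    "supply_chain": (0.04, 4_910_000, 1.1),
    "bec": (0.10, 250_000, 0.8),
    "system_failure": (0.06, 1_400_000, 0.7),
}

# Constructed sample portfolio. freq_factor stands in for
# score_factor x industry_factor; size_mult comes from the 5.4 table.
SAMPLE_PORTFOLIO = [
    {"name": "clinic", "freq_factor": 1.6, "size_mult": 0.15},
    {"name": "bank", "freq_factor": 0.8, "size_mult": 0.85},
    {"name": "saas", "freq_factor": 1.2, "size_mult": 0.35},
    {"name": "factory", "freq_factor": 1.3, "size_mult": 0.65},
]


def poisson(rng, lam):
    """Knuth's method: count uniform draws until their product drops below e^-lam."""
    if lam <= 0:
        return 0
    threshold, k, p = math.exp(-lam), 0, rng.random()
    while p > threshold:
        k += 1
        p *= rng.random()
    return k


def simulate(portfolio, rho=0.15, coverage_limit=5_000_000,
             retention=100_000, years=25_000, seed=42):
    """Return (aep_losses, oep_losses), one entry per simulated year."""
    rng = random.Random(seed)
    aep_losses, oep_losses = [], []
    for _ in range(years):
        shock = rng.random()
        # One multiplier per year, shared by every company and peril.
        # Floored at 0: with rho > 0.5 and a low shock the raw value is negative.
        mult = max(0.0, 1 + rho * (shock - 0.5) * 4)
        year_total = 0.0
        peril_totals = dict.fromkeys(PERILS, 0.0)
        for company in portfolio:
            for peril, (base, mean_usd, sigma) in PERILS.items():
                lam = min(1.0, base * company["freq_factor"]) * mult
                mu = math.log(mean_usd) - sigma ** 2 / 2
                for _ in range(poisson(rng, lam)):
                    raw = rng.lognormvariate(mu, sigma)
                    gross = min(coverage_limit, raw * company["size_mult"])
                    net = max(0.0, gross - retention)
                    year_total += net
                    peril_totals[peril] += net
        aep_losses.append(year_total)
        # OEP: largest portfolio-wide loss from a single peril this year.
        oep_losses.append(max(peril_totals.values()))
    return aep_losses, oep_losses


def exceedance_probability(losses, threshold):
    """Share of simulated years whose loss is strictly above the threshold."""
    ordered = sorted(losses)
    return (len(ordered) - bisect.bisect_right(ordered, threshold)) / len(ordered)


if __name__ == "__main__":
    aep, oep = simulate(SAMPLE_PORTFOLIO, years=5_000)
    for t in (1_000_000, 5_000_000, 10_000_000):
        print(f"P(loss > {t:>10,}): AEP {exceedance_probability(aep, t):.4f}"
              f"  OEP {exceedance_probability(oep, t):.4f}")
```

Because OEP is one peril's share of the same year's total, every point on the OEP curve sits at or below the AEP curve.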
7.3 Supply Chain Contagion (Network Propagation)
After primary events are generated, the model propagates losses through shared vendor dependencies. This is the key differentiator vs. common-shock-only models (CyberCube uses a similar SPoF Intelligence approach at $200K+/year).
Phase 1: Primary events (independent per company, as above)
    Track contagion-eligible events: supply_chain, cloud_outage, ransomware
Phase 2: Contagion propagation
    For each primary event at Company A (peril = supply_chain/cloud_outage/ransomware):
        For each Company B sharing ≥1 vendor with A:
            vendor_ratio = shared_vendors / B's_total_vendors
            contagion_loss = A's_loss × decay_factor × vendor_ratio
            B's_loss += min(coverage_limit, contagion_loss)
Decay factors (fraction of source loss that propagates):
    supply_chain: 60% - SolarWinds/MOVEit-class: high propagation
    cloud_outage: 50% - AWS/Azure outage: moderate propagation
    ransomware: 20% - Ransomware campaigns: low but non-zero propagation
    BEC: 0% - Does not propagate via shared vendors
    data_breach: 0% - Company-specific, no vendor contagion
    system_failure: 0% - Internal failure, no propagation
The contagion model uses actual supply chain data from Rankiteo's vendor dependency database (same source as the Supply Chain and Catastrophe modules). Before simulation, the model:
- Fetches L1 vendor dependencies for all portfolio companies via batch query
- Builds a shared-vendor matrix: which companies share each vendor
- Creates contagion links: company pairs with shared vendor count
- During simulation, propagates losses with vendor-ratio-weighted decay
- Deduplicates: each target company is only hit once per peril per simulation year
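The two contagion phases for a single simulated year, as an added example that is not Rankiteo's code: it builds the shared-vendor links, applies the decay factors above weighted by vendor ratio, caps each contagion loss at the coverage limit, and hits each target at most once per peril. Assumptions: company names, vendor sets and loss amounts are constructed, and when several primary events could reach the same target for the same peril, the first one processed wins.

```python
from collections import defaultdict
from itertools import permutations

# Decay factors from section 7.3; perils not listed here do not propagate.
DECAY = {"supply_chain": 0.60, "cloud_outage": 0.50, "ransomware": 0.20}

# Constructed L1 vendor dependencies for a four-company portfolio.
SAMPLE_VENDORS = {
    "A": {"aws", "okta", "snowflake"},
    "B": {"aws", "okta"},
    "C": {"aws", "stripe", "twilio", "slack"},
    "D": {"github"},
}

# Constructed primary events for one simulated year: (company, peril, loss USD).
SAMPLE_EVENTS = [
    ("A", "supply_chain", 2_000_000),
    ("A", "bec", 500_000),
    ("B", "supply_chain", 10_000_000),
    ("A", "cloud_outage", 20_000_000),
]


def build_links(vendors_by_company):
    """Shared-vendor matrix: links[a][b] = number of vendors a and b share."""
    by_vendor = defaultdict(set)
    for company, vendors in vendors_by_company.items():
        for vendor in vendors:
            by_vendor[vendor].add(company)
    links = defaultdict(lambda: defaultdict(int))
    for companies in by_vendor.values():
        for a, b in permutations(sorted(companies), 2):
            links[a][b] += 1
    return links


def propagate(primary_events, vendors_by_company, coverage_limit):
    """Return {company: total contagion loss} for one simulated year."""
    links = build_links(vendors_by_company)
    already_hit = set()  # (target, peril) pairs, for the once-per-peril rule
    contagion = defaultdict(float)
    for source, peril, loss in primary_events:
        decay = DECAY.get(peril, 0.0)
        if decay == 0.0 or source not in links:
            continue
        for target, shared in sorted(links[source].items()):
            if (target, peril) in already_hit:
                continue
            vendor_ratio = shared / len(vendors_by_company[target])
            # As on the page, the cap applies to the contagion loss itself,
            # not to the target's combined primary + contagion loss.
            contagion[target] += min(coverage_limit, loss * decay * vendor_ratio)
            already_hit.add((target, peril))
    return dict(contagion)


if __name__ == "__main__":
    for company, loss in sorted(propagate(SAMPLE_EVENTS, SAMPLE_VENDORS, 5_000_000).items()):
        print(f"{company}: contagion loss ${loss:,.0f}")
```

In the sample year, C is not hit by B's supply-chain event because A's earlier one already reached it, and B's cloud-outage contagion from A is cut from $10M to the $5M limit.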
7.4 Reproducibility
random.seed(42) ensures identical results for identical inputs. Stress tests use seed(99).
8. Output Metrics
8.1 AEP vs OEP
| Metric | Definition | Use Case |
|---|---|---|
| AEP (Aggregate EP) | P(total annual losses from all events > threshold) | Capital adequacy, reserve setting |
| OEP (Occurrence EP) | P(single worst event in a year > threshold) | Per-occurrence reinsurance, event limits |
8.2 Key Risk Metrics
| Metric | Formula | Description |
|---|---|---|
| AAL | Σ(all_losses) / N | Average Annual Loss - expected annual loss |
| Median Loss | losses[N/2] | 50th percentile annual loss |
| Standard Deviation | √(Σ(loss - AAL)² / N) | Volatility of annual losses |
| Coefficient of Variation | StdDev / AAL | Relative uncertainty measure |
| VaR(α) | losses[N × α/100] | Loss exceeded (100-α)% of the time |
| TVaR(α) | mean(losses above VaR(α)) | Average loss in worst (100-α)% of years |
| Loss Cost per $1M | AAL / coverage × $1M | Normalized for portfolio comparison |
| PML | VaR(99.6) ≈ 1-in-250 | Probable Maximum Loss |
8.3 Return Period Table
Return periods translate percentiles into underwriter-friendly language:
| Return Period | Percentile | Meaning |
|---|---|---|
| 1-in-5 | 80th | Exceeded once every 5 years |
| 1-in-10 | 90th | Exceeded once every 10 years |
| 1-in-20 | 95th | Exceeded once every 20 years |
| 1-in-50 | 98th | Exceeded once every 50 years |
| 1-in-100 | 99th | Exceeded once every 100 years |
| 1-in-250 | 99.6th | Exceeded once every 250 years (PML) |
Each return period shows AEP VaR, AEP TVaR, OEP VaR, and OEP TVaR.
9. Peril Decomposition
Per-peril losses are tracked across all simulations:
For each peril p:
    AAL(p) = Σ(peril_losses[p]) / N
    % of Total AAL = AAL(p) / Total AAL × 100
    VaR 95%(p) = sorted_peril_losses[p][N × 0.95]
    VaR 99%(p) = sorted_peril_losses[p][N × 0.99]
    Max Loss(p) = max(sorted_peril_losses[p])
This allows underwriters to identify which peril class drives portfolio risk and where to focus risk mitigation or sublimit adjustments.
10. Marginal Risk Contribution
10.1 Per-Company Contribution
For each company i:
avg_loss_contribution(i) = Σ(all losses attributed to company i across all sims) / N
pct_of_aal(i) = avg_loss_contribution(i) / AAL × 100
10.2 Diversification Benefit
Measures how much portfolio diversification reduces tail risk vs. sum of individual risks:
sum_individual_VaR99 = Σ(individual VaR99 for each company, estimated from contribution ratio)
portfolio_VaR99 = actual portfolio VaR at 99th percentile
diversification_benefit = (1 - portfolio_VaR99 / sum_individual_VaR99) × 100%
A 15% diversification benefit means the portfolio's 1-in-100 year loss is 15% lower than the sum of individual company 1-in-100 year losses.
11. Reinsurance Layer Analysis
11.1 Layer Structure
An Excess of Loss (XoL) reinsurance layer is defined by:
- Attachment Point: Loss level at which reinsurer starts paying
- Layer Limit: Maximum amount reinsurer pays per occurrence
- Layer Top: Attachment + Limit
11.2 Loss Allocation
For each simulated annual loss L:
if L ≤ attachment:
    ceded = 0
    retained = L
elif L ≥ attachment + limit:
    ceded = limit
    retained = L - limit
else:
    ceded = L - attachment
    retained = L - ceded
11.3 Reinsurance Metrics
| Metric | Formula | Description |
|---|---|---|
| Ceded AAL | mean(ceded_losses) | Expected annual cost to reinsurer |
| Retained AAL | mean(retained_losses) | Expected annual cost to cedant |
| Ceded VaR 99% | ceded_losses at 99th pct | Reinsurer's 1-in-100 year exposure |
| Retained VaR 99% | retained_losses at 99th pct | Cedant's residual 1-in-100 year risk |
| Rate-on-Line | Ceded AAL / Layer Limit × 100 | Technical pricing indicator (%) |
Separate EP curves are generated for both ceded and retained loss distributions.
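An added example (not Rankiteo's code) covering both the 8.2/8.3 risk metrics and the 11.2/11.3 layer split, since the ceded and retained metrics reuse the same VaR lookup. Assumptions: function names and the evenly spaced sample losses are constructed, TVaR averages from the VaR index upward so the tail is never empty, and a small epsilon keeps the index from flooring one position low when N × α/100 lands a hair below an integer in floating point.

```python
# Constructed sample: 1,000 simulated annual losses, $0 to $999,000 in $1,000 steps.
SAMPLE_LOSSES = [i * 1_000 for i in range(1000)]

RETURN_PERIODS = (5, 10, 20, 50, 100, 250)


def percentile_index(n, alpha):
    """Index for losses[N x alpha/100], clamped to the last element."""
    return min(n - 1, int(n * alpha / 100 + 1e-9))


def var(sorted_losses, alpha):
    """VaR(alpha): the loss at the alpha-th percentile of the sorted losses."""
    return sorted_losses[percentile_index(len(sorted_losses), alpha)]


def tvar(sorted_losses, alpha):
    """TVaR(alpha): mean of the losses from the VaR index to the maximum."""
    tail = sorted_losses[percentile_index(len(sorted_losses), alpha):]
    return sum(tail) / len(tail)


def return_period_table(losses, periods=RETURN_PERIODS):
    """{return period: (VaR, TVaR)} with percentile = 100 x (1 - 1/RP)."""
    ordered = sorted(losses)
    table = {}
    for rp in periods:
        alpha = 100 * (1 - 1 / rp)
        table[rp] = (var(ordered, alpha), tvar(ordered, alpha))
    return table


def allocate(loss, attachment, limit):
    """Section 11.2: split one annual loss into (ceded, retained)."""
    if loss <= attachment:
        ceded = 0
    elif loss >= attachment + limit:
        ceded = limit
    else:
        ceded = loss - attachment
    return ceded, loss - ceded


def layer_metrics(losses, attachment, limit):
    """Section 11.3 metrics for an excess-of-loss layer."""
    split = [allocate(loss, attachment, limit) for loss in losses]
    ceded = sorted(c for c, _ in split)
    retained = sorted(r for _, r in split)
    ceded_aal = sum(ceded) / len(ceded)
    return {
        "ceded_aal": ceded_aal,
        "retained_aal": sum(retained) / len(retained),
        "ceded_var99": var(ceded, 99),
        "retained_var99": var(retained, 99),
        "rate_on_line_pct": ceded_aal / limit * 100,
    }


if __name__ == "__main__":
    for rp, (v, t) in return_period_table(SAMPLE_LOSSES).items():
        print(f"1-in-{rp:<3d} VaR ${v:>9,.0f}  TVaR ${t:>9,.0f}")
    # Constructed layer: $300K excess of $500K.
    print(layer_metrics(SAMPLE_LOSSES, attachment=500_000, limit=300_000))
```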
12. Stress Testing
12.1 Named Catastrophe Scenarios
Each stress scenario modifies the baseline simulation by applying multipliers to frequency, severity, and correlation:
| Scenario | Freq × | Sev × | Corr ρ | Based On |
|---|---|---|---|---|
| NotPetya-Scale Ransomware | 2.5× | 2.0× | 0.70 | 2017 NotPetya ($10B+ global) |
| Major Cloud Provider 72h Outage | 2.0× | 2.5× | 0.80 | AWS us-east-1 outages |
| SolarWinds Supply Chain | 2.0× | 1.8× | 0.60 | 2020 SolarWinds Orion compromise |
| Mass Data Exfiltration (MOVEit) | 1.5× | 2.5× | 0.50 | 2023 MOVEit zero-day campaign |
| Critical Zero-Day (Log4Shell) | 2.0× | 2.0× | 0.65 | 2021 Log4j vulnerability |
| Nation-State Destructive Wiper | 1.5× | 3.5× | 0.40 | State-sponsored wiperware campaigns |
12.2 Stress Simulation
Each scenario runs 5,000 simulations with modified parameters:
stressed_freq(company, peril) = min(0.85, baseline_freq × freq_multiplier)
stressed_severity = min(1.0, baseline_severity × sev_multiplier)
stressed_correlation = scenario.correlation (replaces baseline ρ)
12.3 Stress Outputs
| Output | Definition |
|---|---|
| Stressed AAL | Expected annual loss under scenario |
| Stressed VaR 99% | 1-in-100 loss under scenario |
| Stressed Max | Maximum simulated loss under scenario |
| AAL Increase % | (Stressed AAL - Baseline AAL) / Baseline AAL × 100 |
| VaR99 Increase % | (Stressed VaR99 - Baseline VaR99) / Baseline VaR99 × 100 |
13. Sensitivity Analysis
Approximate impact of parameter changes on AAL using linear scaling:
| Parameter | Test Values | Estimation Method |
|---|---|---|
| Coverage Limit | 0.5×, 2× current | AAL scales linearly with limit |
| Retention | -$50K, +$100K from current | AAL reduced by saved_per_event × companies × 0.1 |
| Correlation | -0.1, +0.2 from current | AAL scales as 1 + (Δρ × 2) |
These are first-order approximations for speed; full re-simulation is used for exact results.
14. Cat Bond Pricing Engine
The Cat Bond tab provides a database of 14 real-world cyber catastrophe bonds from the Artemis Deal Directory, spanning 5 sponsors (Hannover Re, Beazley, Chubb, Swiss Re, AXIS Capital) with 3 distinct trigger mechanisms. Each bond has its own dedicated parameters based on its actual structure.
14.1 Bond Database by Sponsor
| Sponsor | Bond | Size | Trigger | Layer | EL% | Coupon |
|---|---|---|---|---|---|---|
| Hannover Re | Cumulus Re 2026-1 | $35M | Parametric | 24h cloud outage | – | Zero coupon |
| Hannover Re | Cumulus Re 2025-1 | $20M | Parametric | 24h cloud outage | – | Zero coupon |
| Hannover Re | Cumulus Re 2024-1 | $13.75M | Parametric | 24h cloud outage | – | Zero coupon |
| Beazley | PoleStar Re 2026-1 (A) | $140M | Indemnity | $1B–$1.4B | 0.82% | 7.0% |
| Beazley | PoleStar Re 2026-1 (B) | $100M | Indemnity | $600M–$1B | 1.31% | 9.0% |
| Beazley | PoleStar Re 2026-1 (C) | $60M | Indemnity | $500M–$600M | 2.05% | 10.5% |
| Beazley | PoleStar Re 2024-3 | $210M | Indemnity | $800M–$1.2B | 0.93% | 10.5% |
| Beazley | PoleStar Re 2024-2 | $160M | Indemnity | $500M–$800M | 1.26% | 13.25% |
| Beazley | PoleStar Re 2024-1 | $140M | Indemnity | $500M–$800M | 1.26% | 13.0% |
| Beazley | Cairney I/II/III | $81.5M | Indemnity | $300M–$400M | – | Private |
| Chubb | East Lane Re VII 2026-1 | $150M | Indemnity (agg) | $600M–$750M | 1.57% | 8.5% |
| Chubb | East Lane Re VII 2024-1 | $150M | Indemnity | $600M NA / $400M Intl | 1.39% | 9.25% |
| Swiss Re | Matterhorn Re 2023-1 | $50M | Industry loss | $9B–$11.5B | 1.72% | 12.0% |
| AXIS Capital | Long Walk Re 2024-1 | $75M | Indemnity | $510M–$650M | 1.97% | 9.75% |
14.2 Three Trigger Types & Their Parameters
When a bond is selected, the UI adapts to show only the parameters relevant to that bond's trigger type:
| Trigger Type | Bonds | Parameters Shown | Data Source |
|---|---|---|---|
| Parametric | Cumulus Re (Hannover Re) × 3 | Cloud providers (AWS/Azure/GCP checkboxes), downtime trigger threshold (1–72h), region tier (Tier 0 Conflict Zone through Tier 3), notional, risk-free rate | Monte Carlo: simulates cloud_outage peril from portfolio, computes trigger probability |
| Indemnity | PoleStar Re (Beazley) × 7, East Lane Re (Chubb) × 2, Long Walk Re (AXIS), Cairney (Beazley) | Attachment point ($), exhaustion point ($), basis (per-occurrence / annual aggregate), franchise deductible ($), notional, risk-free rate | Artemis: actual EL%, coupon%, attachment probability from published market data |
| Industry Loss Index | Matterhorn Re (Swiss Re) × 1 | Attachment ($9B), exhaustion ($11.5B), franchise deductible ($500M), notional, risk-free rate | Artemis: actual metrics from CyberAcuView/PERILS US Cyber Industry Loss Index |
Key design decision: Parametric bonds (Hannover Re / Cumulus Re) are the only bonds where Monte Carlo simulation is used, because your portfolio's cloud provider dependencies directly affect the trigger probability. For indemnity and industry loss bonds, the model uses the sponsor's actual published metrics (EL%, coupon, attachment probability) from the Artemis Deal Directory, since these bonds trigger on the sponsor's entire book (e.g. Beazley's $600M+ cyber losses), not on your portfolio's losses.
14.2 Cost-Benefit Analysis
Each bond selection produces an underwriter-actionable cost-benefit assessment:
| Metric | Formula | What It Tells You |
|---|---|---|
| Annual Premium | notional × coupon% | Cost to sponsor per year |
| Expected Recovery | notional × EL% | Average annual payout if triggered |
| Net Annual Cost | premium - recovery | True cost of risk transfer |
| Recovery Ratio | recovery / premium | Cents back per dollar spent |
| Value Score (0-100) | recovery_ratio × 150 | Higher = better deal. ≥60 green, ≥30 amber, <30 red |
| Break-even Probability | coupon% / 100 | Trigger prob needed for bond to pay for itself |
14.3 Region Tier Model (Parametric Only)
| Tier | Regions | Multiplier | Rationale |
|---|---|---|---|
| Tier 0 | Conflict Zone (Middle East: ME-SOUTH-1, ME-CENTRAL-1) | 1.5× | Iranian drone/missile strikes destroyed AWS data centers in Bahrain & UAE (March 2026). First military targeting of cloud infrastructure |
| Tier 1 | US-East, EU-West | 1.0× | Highest commercial density. AWS us-east-1 outage Dec 2021 reference event |
| Tier 2 | US-West, EU-Central | 0.7× | Secondary regions, lower concentration |
| Tier 3 | Asia-Pacific, Other | 0.4× | Emerging regions, lower insured exposure |
15. Vendor Model Comparison
How Rankiteo v2.1 compares to commercial cyber risk models:
| Feature | Rankiteo v2.1 | CyberCube | RMS Cyber | Guidewire Cyence |
|---|---|---|---|---|
| Frequency | Poisson + industry + score | Poisson + firmographic | Poisson + attack graph | Poisson + outside-in |
| Severity | Lognormal (absolute USD) | Proprietary | Mixture | Lognormal |
| Calibration | NetDiligence 2024 | Proprietary claims DB | Insurance claims | Advisen + proprietary |
| Correlation | Common shock + supply chain contagion | Copula | Network propagation | Correlation matrix |
| Perils | 6 | 10+ | 8+ | 6+ |
| OEP Method | Peril-aggregated | Event-based | Event-based | Event-based |
| Industry Adjust | 24 hazard groups | SIC/NAICS | Sector-specific | SIC-based |
| Cat Bond ILS | 14 real bonds + custom | Custom only | Not included | Not included |
| Cost | Included in platform | ~$200K+/year | ~$150K+/year | ~$100K+/year |
Key differentiators: Rankiteo is the only platform combining loss exceedance modeling with real-world cat bond pricing from the Artemis Deal Directory, coverage reinstatement modeling (Marsh Cyber ECHO), and excess layer pricing (ILF difference method) in a single integrated underwriting workflow. The integration of 14 real cyber cat bonds with cost-benefit analysis is unique in the market.
Remaining gap vs. vendors: Copula-based correlation (vs. common shock + network propagation) and peril granularity (6 vs. 10+). The supply chain contagion model closes the network propagation gap. Copula and additional perils are planned for v3.0.
16. Backtesting & Validation
The model automatically validates its outputs against published cyber claims benchmarks after each simulation run. Results are displayed in the Model Info bar as PASS/REVIEW.
16.1 Benchmark Sources
| Source | Dataset | Metric Validated |
|---|---|---|
| NetDiligence 2025 | 10,402 claims (2020–2024) | SME avg cost ($246K), large avg cost ($10.3M), ransomware share (25.7%), BEC share (17.9%) |
| IBM/Ponemon 2025 | Global breach cost study | Global avg breach cost ($4.44M), US avg ($10.22M), healthcare ($7.42M) |
| Chubb Claims 2026 | Proprietary claims data | Claim frequency per 100 policies: large (10), mid-market (5), SME (1) |
| Coalition 2024 | Coalition policyholder data | Global avg claim $115K, US avg $108K, frequency -7% YoY |
16.2 Validation Criteria
| Check | PASS Condition | What It Validates |
|---|---|---|
| Frequency | 3–20 claims per 100 policies/year | Model claim frequency is within Chubb/Coalition observed range |
| Severity | $100K–$12M avg per claim | Average loss per event is within NetDiligence/IBM range (SME to large) |
| Peril Mix | Ransomware 15–40% of claims | Ransomware doesn't dominate or undercount vs NetDiligence 25.7% |
| Overall | All three PASS | Model is broadly calibrated to industry observations |
16.3 Model vs Benchmark Comparison
| Metric | Industry Benchmark | Model Output | Source |
|---|---|---|---|
| Global avg breach cost | $4.44M | $4.88M (model mean) | IBM/Ponemon 2025 |
| US avg breach cost | $10.22M | $4.88M × 1.0 region = $4.88M (model uses global mean; US claims are 2x via higher sigma tail) | IBM/Ponemon 2025 |
| Ransomware mean severity | $4.5M | $4.5M | NetDiligence 2024 |
| BEC mean severity | $250K | $250K | FBI IC3 / NetDiligence |
| Supply chain mean severity | $4.91M | $4.91M | NetDiligence 2024 |
| Large account claim freq | 10 per 100 policies | Model-dependent (score/industry) | Chubb 2026 |
| Ransomware % of claims | 25.7% | ~27% (model, varies by portfolio) | NetDiligence 2025 |
16.4 Known Calibration Gaps
- US severity is understated: IBM reports US avg $10.22M but our model uses $4.88M global mean with US region factor 1.0x. The gap is partially captured by lognormal tail (σ=1.0 gives 99th percentile ~$59M), but the mean is low for US-heavy portfolios. Fix: consider US-specific severity means in v3.0.
- Coalition avg ($115K) is much lower: Coalition includes small attritional claims that our model doesn't capture well (BEC at $250K mean is already higher). This reflects that our model is calibrated to "material" claims, not frequency/attritional layer.
- No historical claims backtest: We validate against published aggregates, not against specific historical portfolio losses. True backtesting requires integrating actual claims data from the portfolio, which is a data integration task.
17. Data Sources
| Data | Source | Key Fields |
|---|---|---|
| Portfolio companies | Portfolio management system | User identifier, company identifier |
| Company scores | Company security scoring engine | Company identifier, current security score |
| Company profiles | Company intelligence database | Industry, employees, name |
| Incident history | Cyber incident intelligence feed | Company identifier (single or list), type |
18. Limitations & Assumptions
- Frequency model is Bernoulli: Each (company, peril) has at most one loss event per year per simulation. Multiple events of the same type in one year are not modeled.
- Independence between perils: Ransomware and data breach are treated as independent events for the same company (though correlated across companies via common shock).
- Severity capped at 100% of coverage: No single event can exceed the policy limit.
- Linear sensitivity approximations: Sensitivity analysis uses first-order estimates, not full re-simulation.
- Static portfolio: The simulation assumes portfolio composition doesn't change during the year.
- No inflation adjustment: Loss amounts are in current dollars with no trend factor.
- Deterministic seed: random.seed(42) provides reproducibility but means the same inputs always produce identical outputs.
19. Glossary
| Term | Definition |
|---|---|
| AAL | Average Annual Loss - expected loss per year across all simulations |
| AEP | Aggregate Exceedance Probability - probability total annual loss exceeds threshold |
| Attachment Point | Loss level where reinsurance coverage begins |
| BEC | Business Email Compromise |
| Ceded | Portion of loss transferred to reinsurer |
| Common Shock | Random variable shared across all companies in one simulation, creating correlation |
| CoV | Coefficient of Variation (StdDev / Mean) |
| EP Curve | Exceedance Probability curve - graphs loss vs probability of exceeding that loss |
| FAIR | Factor Analysis of Information Risk - standard for risk quantification |
| Lognormal | Probability distribution with heavy right tail, commonly used for loss severity |
| OEP | Occurrence Exceedance Probability - probability single worst event exceeds threshold |
| Pareto | Heavy-tailed distribution for modeling extreme events |
| PML | Probable Maximum Loss - typically VaR at 1-in-250 year return period |
| Rate-on-Line | Ceded AAL / Layer Limit - technical pricing indicator for reinsurance |
| Retained | Portion of loss kept by the cedant (primary insurer) |
| Return Period | Average number of years between losses exceeding a threshold (1/EP) |
| Retention | Deductible - amount insured retains before coverage applies |
| TVaR | Tail Value at Risk - average loss in the worst (100-α)% of scenarios |
| VaR | Value at Risk - loss threshold at a given confidence level |
| XoL | Excess of Loss - reinsurance structure where reinsurer pays above attachment |