• We are pleased to announce that the winner of our Feedback Prize Draw for the Winter 2024-25 session and winning £150 of gift vouchers is Zhao Liang Tay. Congratulations to Zhao Liang. If you fancy winning £150 worth of gift vouchers (from a major UK store) for the Summer 2025 exam sitting for just a few minutes of your time throughout the session, please see our website at https://www.acted.co.uk/further-info.html?pat=feedback#feedback-prize for more information on how you can make sure your name is included in the draw at the end of the session.
  • Please be advised that the SP1, SP5 and SP7 X1 deadline is the 14th July and not the 17th June as first stated. Please accept out apologies for any confusion caused.

September 2018Q2

D

Dar_Shan0209

Ton up Member
Hi tutors,
I would appreciate if you could please help me regarding the above mentioned question.

Part iii asks about "Describe the information SSSIC would need to model cyber risk." With this command verb (when compared to the command verb taxonomy), says about "Express, fully and clearly, the details / facts of".

As answer structure, I was thinking of: Process how to model - i.e., probability and severity making reference to any IT policy that the insurer has or any ERM documents such as risk register and risk reports. Then talking about frequency making use of GEV/GDP to quantify the probability and then talking about severity. Data sources (TRAINERS acronym) and any limitations (credibility vs reliability). This is how far i would have gone for 6 marks given the question talks about data to model cyber risk, but the solution mentions only types of event, data on previous cyber event and potential scale of losses only. Is there something I am missing here?

Part viii asks about "Discuss an alternative approach SSSIC might use to model the risk of significant loss from cyber risk". With the command verb (when compared to the command verb taxonomy), says about " Write about in some detail, taking into account different issues or points of view".

I was thinking of talking about EVT and discussing about fitting a GEV and GPD given the question talks about approach to model risk of such loss. However, the solution talks only about EVT and limitations about bulk of data. Is there something I am missing here?

Thanks for your time.
 
Hi Darshan,

Part (iii) asks you to describe data that would be needed. An answer to such a 'describe' instruction needs to refer to both generic and specific data requirements. Generically, as you say, data is needed on the past frequency and severity of such events. Specifically, the data needs to relate to cyber events such as denial of service etc , both at the company or at other companies in the industry.

The question doesn't ask for a comprehensive identification of data sources - it just asks what data is needed - although the examiners' solution does mention these at a high level (e.g. reinsurers' data). You also mention that you would add in limitations of various data sources, but that isn't required for a 'describe' instruction. It would have been appropriate had the instruction been 'discuss'.

The question doesn't ask what you would do with the data, so it isn't necessary to talk about how you would model, e.g. using an extreme value distribution.

In the tutorials we noted that a 'discuss' instruction should be responded to with a 'multi-dimensional' answer. As examples, sometimes this involves taking different stakeholder views ('different points of view') , and sometimes it involves considering advantages and disadvantages ('different issues').

Here in part (viii) we are asked to discuss 'an' (singular) alternative, and a good discussion of EVT or scenario analysis would have scored [3]. The question is not asking for a description of how we would do EVT or scenario analysis - so describing how we might fit a GEV or GPD distribution isn't required. The examiners' solution with respect to EVT focuses on data issues, but I expect that marks would have been awarded for a discussion of any other issues particularly associated with the application of EVT, e.g. the subjectivity involved in the fitting process.

OK?

Best wishes

David
 
You must log in or register to reply here.
Back
Top