A stochastic SIR model for cyber contagion: application to granular growth of firms and to insurance portfolio

This work evaluates the impact of contagious cyber-events, over a finite horizon, on firms' financial health and on a cyber insurance portfolio. Our approach builds on key empirical findings from economics and cybersecurity. In economics, firm size and growth-rate distributions are non-Gaussian and exhibit heavy tails. In cybersecurity, contagion dynamics strongly depend on firm size and environmental conditions. To capture these features, we propose a stochastic multi-group SIR model coupled with a granular model of firm growth. This framework allows us to quantify the financial impact of cyber-attacks on firms' revenues and on the insurer's portfolio. In the model, the arrival time and duration of cyber-attacks are driven by a combination of a Cox process and a Bernoulli random variable. The Cox process represents external contagion, with an intensity given by the force of infection derived from the stochastic SIR dynamics. The Bernoulli component captures contagion originating from an infected sister or subsidiary firm. Environmental variability enables stochastic scenario generation and the computation of aggregate exceedance probabilities, a standard metric in catastrophe modeling that provides insurers with immediate insight into the financial severity of an event. We apply the framework to the LockBit ransomware attacks observed between May and July 2024. For a portfolio of 2,929 firms located in Ile-de-France, the model predicts that, with 50% probability, the insurer will need to compensate losses equivalent to up to two days of revenue over a 100-day cyber incident.