Malicious hacking data breaches cause millions of dollars in financial losses each year, and more companies are seeking cyber insurance coverage. The lack of suitable statistical approaches for scoring breach risks is an obstacle in the insurance industry. We propose a novel frequency–severity model to analyze hacking breach risks at the individual company level, which would be valuable for underwriting purposes. We find that breach frequency can be modeled by a hurdle Poisson model, which is different from the negative binomial model used in the literature. The breach severity shows a heavy tail that can be captured by a nonparametric- generalized Pareto distribution model. We further discover a positive nonlinear dependence between frequency and severity, which our model also accommodates. Both the in-sample and out-of-sample studies show that the proposed frequency–severity model that accommodates nonlinear dependence has satisfactory performance and is superior to the other models, including the independence frequency–severity and Tweedie models.

恶意黑客数据泄露每年造成数百万美元的经济损失，越来越多的公司正在寻求网络保险。缺乏合适的统计方法来对违规风险进行评分是保险业的一个障碍。我们提出了一种新颖的频率-严重性模型来分析单个公司级别的黑客入侵风险，这对于承保目的很有价值。我们发现破坏频率可以通过障碍泊松模型进行建模，这与文献中使用的负二项式模型不同。违规严重性显示了一个可以被非参数广义帕累托分布模型捕获的重尾。我们进一步发现了频率和严重性之间的正非线性相关性，我们的模型也适应了这一点。