Catastrophe Scenarios Highlight Need to Better Understand Cyber Risk
As the cyber insurance market has continued its rapid growth, its loss vulnerabilities have become increasingly clear.
A new report from Guy Carpenter and CyberCube Analytics has identified potential loss scenarios in the current market that run in the billions of dollars. A long-lasting outage at a major cloud service provider could produce a $14.3 billion loss, for example, whereas a large-scale data loss could surpass $22 billion. Widespread data theft from one of the larger email service providers might generate a $19 billion loss, their report found.
The report, “Looking Beyond the Clouds: A U.S. Cyber Insurance Industry Catastrophe Loss Study,” examines key drivers of cyber catastrophe scenarios and provides a data-driven view on the potential insured loss figures for the standalone cyber insurance market. It also highlights particular vulnerabilities that could be exploited to execute a cyberattack and explores the volatility around the frequency and severity of those attacks.
Robert Bentley, CEO, Global Strategic Advisory at Guy Carpenter, said in prepared remarks that the report points to a greater need for insurers and reinsurers to “develop a much more granular understanding of the potential impact of systemic events.” He urged the industry to carry out more work similar to what Guy Carpenter has done with CyberCube to help reinsurers and insurers “make sound and informed risk tolerance decisions and help create a cyber market sufficiently robust to withstand these catastrophic events.”
Pascal Milliare, CyberCube’s CEO, offered a similar endorsement of using better data and enhanced analytics in order for carriers to adequately prepare for cyber insurance loss risks.
“Through improved data and enhanced analytics [insurers and reinsurers] can gain a much more granular understanding of these high-impact scenarios, enabling them to allocate capital appropriately and develop more nuanced underwriting strategies,” Milliare said in prepared remarks. “Only by adopting a robust, modeled, forward-looking view of cyber catastrophe risk can we ensure the ongoing development of a sustainable and profitable cyber insurance market.”
The study found the total annual cyber catastrophe insured loss figure for a 1-in-100-year return period was $14.6 billion, climbing to more than $16 billion for a 1-in-200-year event. It also determined that widespread data theft from a major email service provider was the most likely catastrophe loss scenario. The second most likely scenario: large-scale ransomware at a leading cloud service provider.
From an analysis of 23 catastrophe loss scenarios, ranging from attacks on critical infrastructure to breaches affecting the cloud environment, the study revealed that the highest potential loss value generators were:
- Long-lasting outage at a leading cloud service provider – $14.3 billion loss
- Large-scale cloud ransomware at a leading cloud services provider – $11.5 billion loss
- Widespread data loss from a leading operating system provider – $23.8 billion loss
- Widespread theft from a major e-mail service provider – $19.1 billion loss
- Large-scale data loss from a cloud service provider – $22.2 billion loss
While the widespread data loss from a leading operating system provider is the costliest cyber catastrophe scenario modeled, the likelihood of this occurring was the lowest – beyond the 1-in-300-year return period, according to the report.
Business interruption costs factored heavily in the insured loss figures. Specifically, they made up 94.4 percent of the insured costs associated with a widespread data loss from a leading operating system. That number was 92 percent for a longer outage at a major cloud service provider.
Financial firms were most impacted during systemic cyber events, leading to 20 percent of the overall insured loss.
Researchers conducted their analysis based on a hypothetical $2.6 billion portfolio built using standard cyber insurance policy characteristics. CyberCube Analytics, using additional cyber security information and analytics, created a series of realistic catastrophe scenarios, applying frequencies and severities to build a probabilistic model. In total, the study analyzed 23 catastrophe loss scenarios.
Source: Guy Carpenter, CyberCube Analytics