Guy Carpenter and CyberCube Analytics released the findings of a joint report that explores the size and shape of potential cyber catastrophes and the resulting financial impact on the U.S. cyber insurance market.
The report, “Looking Beyond the Clouds: A U.S. Cyber Insurance Industry Catastrophe Loss Study,” examined some of the key drivers of cyber catastrophe scenarios and provided a data-driven view on the potential insured loss figures for the standalone cyber insurance market. It also highlighted particular vulnerabilities that could be exploited to execute a cyberattack and explored the volatility around the frequency and severity of those attacks.
The industry-wide analysis was based on a synthetic USD 2.6 billion portfolio constructed using anonymized cyber insurance policy characteristics. This was extrapolated to provide a broad representation of the U.S. standalone cyber insurance market. This data, plus additional cyber security information and analytics, allowed CyberCube Analytics to create a series of realistic catastrophe scenario narratives and apply frequencies and severities to them to build a probabilistic model.
From a total of 23 catastrophe loss scenarios analyzed, ranging from attacks on critical infrastructure to breaches affecting the cloud environment, the study revealed that the highest potential loss value generators were:
- Long-lasting outage at a leading cloud service provider – USD 14.3 billion loss
- Large-scale cloud ransomware at a leading cloud services provider – USD 11.5 billion loss
- Widespread data loss from a leading operating system provider – USD 23.8 billion loss
- Widespread theft from a major e-mail service provider – USD 19.1 billion loss
- Large-scale data loss from a cloud service provider – USD 22.2 billion loss
For each of these scenarios, the analysis considered the size of loss, single point of failure (SPOF) targeted to execute the attack and the implications of these findings for the (re)insurance market.
While the study showed that widespread data loss from a leading operating system provider was the costliest cyber catastrophe scenario modeled, it also revealed that the likelihood of this occurring was the lowest – beyond the 1-in-300-year return period.
According to the findings, the total annual cyber catastrophe insured loss figure for a 1-in-100-year return period was USD 14.6 billion, rising to USD 16.1 billion for a 1-in-200-year event. Furthermore, the most likely catastrophe loss scenario was widespread data theft from a major email service provider. Large-scale ransomware at a leading cloud service provider was the second most likely scenario.
While the cost components of each scenario varied, the study showed that business interruption (BI) costs, caused when supply chains stall or factories are offline, featured heavily in the insured loss figures. For example, BI made up 94.4 percent of the insured costs associated with a widespread data loss from a leading operating system, while the figure was 92 percent for a long-lasting outage at a leading cloud service provider.
The study also revealed that on an industry basis, financial firms were most impacted during these systemic events, accounting for over 20 percent of the overall insured loss. This accumulation of insured loss among financial firms was reflective of the buying patterns of this sector. The companies also represented potentially more lucrative targets for cyber criminals.
Commenting on the report, Robert Bentley, CEO, Global Strategic Advisory at Guy Carpenter, said: “As the cyber market continues to expand, the (re)insurance industry must develop a much more granular understanding of the potential impact of systemic events. More work similar to that which we have carried out with CyberCube Analytics needs to be undertaken to help (re)insurers make sound and informed risk tolerance decisions and help create a cyber market sufficiently robust to withstand these catastrophic events. With the unique capabilities of Guy Carpenter’s Cyber Centre of Excellence, we are positioned to help our clients gain that heightened level of insight into this constantly evolving threat landscape by combining market-leading product expertise with a data-driven approach.”
Pascal Milliare, CEO at CyberCube Analytics, added: “Through improved data and enhanced analytics, (re)insurers can gain a much more granular understanding of these high-impact scenarios, enabling them to allocate capital appropriately and develop more nuanced underwriting strategies. Through collaborating with the industry, our aim is to cultivate that more sophisticated view of the loss potential posed by cyber through pooling data resources and analytical capabilities. Only by adopting a robust, modeled, forward-looking view of cyber catastrophe risk can we ensure the ongoing development of a sustainable and profitable cyber insurance market.”
The study reflected the impact of catastrophic losses on an insured portfolio. Catastrophic loss is defined as a cybersecurity failure at a SPOF causing losses to occur at multiple other companies. The severity of the losses discovered in the research was based on the insurance limits purchased by the insured entities.