Because it is essential to develop a deep understanding of the characteristics of cyber catastrophe events and the financial impact they could have on the standalone cyber insurance market as it exists today, CyberCube Analytics (1) and Guy Carpenter have collaborated to help (re)insurers quantify cyber risk by pooling data resources and analytics capabilities to cultivate a view of the potential U.S. cyber industry loss from a range of different cyber catastrophe scenarios, according to Erica Davis, Cyber Center of Excellence, Guy Carpenter.
“In our recent joint study, we analyzed all 23 catastrophe loss scenarios on CyberCube’s platform, which range from attacks on critical infrastructure to third-party technology aggregation scenarios to attacks that affect the cloud environment. We focused on the five that drive the highest loss values,” says Siobhan O’Brien, Cyber Center of Excellence, Guy Carpenter.
The five major contributing catastrophe scenarios were:
- Long-lasting outage at a leading cloud services provider (USD 14.3 billion loss)
- Large-scale cloud ransomware at a leading cloud services provider (USD 11.5 billion loss)
- Widespread data loss from a leading operating system provider (USD 23.8 billion loss)
- Widespread theft from major e-mail service provider (USD 19.1 billion loss)
- Large-scale data loss from cloud services provider (USD 22.2 billion loss)
“Insurers and the organizations they insure need to be aware of these major scenarios, and understand the response plans necessary and the potential financial losses in each of these scenarios,” adds Rebecca Bole, Head of Industry Engagement, CyberCube Analytics. “The industry must invest in effectively assessing and managing aggregations, educating the business community to drive product adoption and quantifying cyber risk to promote the purchase of adequate insurance limits.”
O’Brien continues: “By understanding risk tolerance and capital commitment, primary carriers can also ensure that they have purchased enough reinsurance capacity in a structure that best protects against these events. We explored the study’s findings in the context of helping (re)insurers investigate portfolio construction, risk retention and transfer strategies, capital allocation – and how robust modeling and analytics can inform these strategies.”
Cyber risk poses unique quantification challenges. (Re)insurers and the organizations they insure must be aware of the loss potential of cyber catastrophes and of the potential financial losses in each of these scenarios.
“With very little precedent for systemic cyber loss, it is a challenge for (re)insurers to estimate the size and scope of a catastrophic cyber event on their balance sheets,” explains Bole. “Yet, this catastrophic component adds complexity and considerable risk in both typical and worst-case years that must be contemplated in forming robust and reliable growth strategies for this line of business.”
Davis adds: “The cyber market must further develop by increasing buyer penetration, assisting businesses to understand and measure their cyber exposures, and continuing to expand the product so it bridges cyber protection gaps across lines of business in order to help the (re)insurance industry to sustain the full potential impact of these economic losses.”
Addressing the issue of modeling cyber catastrophes to better price these scenarios into insurance products is key to creating a sustainable solution and adequate capacity for insurance buyers and the (re)insurance value chain.
“We encourage all interested stakeholders to read our report: A U.S. Cyber Insurance Industry Catastrophe Loss Study; Looking Beyond the Clouds for more details on the study’s background and development and our research findings,” says O’Brien.
O’Brien notes that: “Guy Carpenter and CyberCube strongly believe that taking a robust, modeled, forward-looking view of cyber catastrophe risk can help enable the cyber insurance market to grow sustainably. Sustainable growth will better position insurers to bridge the protection gap for businesses and form lasting partnerships as part of robust cybersecurity frameworks.”
1 a ForgePoint Capital portfolio company