Looking beyond the Clouds: A U.S. cyber insurance industry catastrophe loss study

A Guy Carpenter and CyberCube Analytics collaboration explores the size and shape of cyber catastrophes and the resulting financial impact on the U.S. cyber insurance industry

The inexorable spread of the digital economy is fundamentally changing the nature of risk, presenting unique opportunities – and challenges – to the (re)insurance industry. How the industry responds to the rapid pace of technological change is crucial to its long-term relevance and growth.

It is essential to develop a deep understanding of the characteristics of cyber catastrophe events and the financial impact they could have on the standalone cyber insurance market as it exists today. As the industry seeks to reduce protection gaps and drive cyber product adoption, the resulting future growth will help develop a robust market better equipped to absorb the potential for large-scale losses.

With that premise in mind, CyberCube1 Analytics and Guy Carpenter2 have collaborated to help (re)insurers quantify cyber risk by pooling data resources and analytics capabilities to cultivate a view of the potential U.S. cyber industry loss from a range of different cyber catastrophe scenarios.

The study highlights five key considerations for (re)insurers and other stakeholders to help protect profitability and examine capital adequacy of the existing U.S. cyber standalone insurance industry.

1. The U.S. industry 1-in-100 year return period produces total annual cyber catastrophe insured losses of USD 14.6 billion (this can include one or more events within the same year).

2. Both on-premise and cloud service providers face exogenous threats from malicious third parties. Focusing on cloud service providers, the calculated probability of ransomware is four times larger than the probability of other outages.

3. The top five scenario classes comprise roughly 75 percent of the total average annual loss (AAL).

4. The costliest cyber catastrophe scenario is widespread data loss from a leading operating systems provider with potential to generate up to USD 23.8 billion of insured loss.

5. The most likely cyber catastrophe loss scenario is widespread data theft from a major email service provider.

In this study, we analyzed all 23 catastrophe loss scenarios on CyberCube’s platform, which range from attacks on critical infrastructure to third-party technology aggregation scenarios to attacks that affect the cloud environment. We focused on the five that drive the highest loss values. For each, we considered the size of the loss, the single point of failure (SPOF) targeted to execute the attack and the implications of these findings on the insurance market.3

The five major contributing catastrophe scenarios were:

  • Long-lasting outage at a leading cloud service provider (USD 14.3 billion loss)
  • Large-scale cloud ransomware at a leading cloud services provider (USD 11.5 billion loss)
  • Widespread data loss from a leading operating system provider (USD 23.8 billion loss)
  • Widespread theft from major e-mail service provider (USD 19.1 billion loss)
  • Large-scale data loss from cloud service provider (USD 22.2 billion loss) Insurance companies and the organizations they insure need to be aware of these major scenarios, and understand the response plans necessary and the potential financial losses in each of these scenarios. The industry must invest in effectively assessing and managing aggregations, educating the business community to drive product adoption and quantifying cyber risk to promote the purchase of adequate insurance limits.

By understanding risk tolerance and capital commitment, primary carriers can also ensure that they have purchased enough reinsurance capacity in a structure that best protects against these events. We explore the study’s findings in the context of helping (re)insurers investigate portfolio construction, risk retention and transfer strategies, capital allocation – and how robust modeling and analytics can inform these strategies.

1 a ForgePoint Capital portfolio company

2 a wholly-owned subsidiary of Marsh McLennan Companies Inc.

3 For the purposes of this study, Guy Carpenter applied CyberCube’s aggregation modeling software: Portfolio Manager, to the Guy Carpenter synthetic portfolio. Portfolio Manager includes 23 modeled systemic, catastrophic scenario classes, ranging from attacks on critical infrastructure to third-party technology aggregation scenarios to attacks that affect the cloud environment. Of these, five stood out as having the most potential cause loss either at the mean or in an extreme event based on the synthetic U.S. portfolio.