Guy Carpenter and CyberCube: financial firms are the most impacted during systematic cyber-attack events

5 September 2019 — press.release
Guy Carpenter and CyberCube Analytics released the findings of a joint report that explores the size and shape of potential cyber catastrophes and the resulting financial impact on the U.S. cyber insurance market.

The report, named "Looking Beyond the Clouds: A U.S. Cyber Insurance Industry Catastrophe Loss Study", examined some of the key drivers of cyber catastrophe scenarios and provided a data-driven view on the potential insured loss figures for the standalone cyber insurance market. It also highlighted particular vulnerabilities that could be exploited to execute a cyberattack and explored the volatility around the frequency and severity of those attacks.

The industry-wide analysis was based on a synthetic USD 2.6 billion portfolio constructed using anonymized cyber insurance policy characteristics. This was extrapolated to provide a broad representation of the U.S. standalone cyber insurance market. This data, plus additional cyber security information and analytics, allowed CyberCube Analytics to create a series of realistic catastrophe scenario narratives and apply frequencies and severities to them to build a probabilistic model.

From a total of 23 catastrophe loss scenarios analyzed, ranging from attacks on critical infrastructure to breaches affecting the cloud environment, the study revealed that the highest potential loss value generators were:

  • Long-lasting outage at a leading cloud service provider - USD 14.3 billion loss;
  • Large-scale cloud ransomware at a leading cloud services provider - USD 11.5 billion loss;
  • Widespread data loss from a leading operating system provider - USD 23.8 billion loss;
  • Widespread theft from a major e-mail service provider - USD 19.1 billion loss;
  • Large-scale data loss from a cloud service provider - USD 22.2 billion loss.

For each of these scenarios, the analysis considered the size of loss, the single point of failure (SPOF) targeted to execute the attack and the implications of these findings for the (re)insurance market.

While the study showed that widespread data loss from a leading operating system provider was the costliest cyber catastrophe scenario modeled, it also revealed that the likelihood of this occurring was the lowest - beyond the 1-in-300-year return period.

According to the findings, the total annual cyber catastrophe insured loss figure for a 1-in-100-year return period was USD 14.6 billion, rising to USD 16.1 billion for a 1-in-200-year event. Furthermore, the most likely catastrophe loss scenario was widespread data theft from a major email service provider. Large-scale ransomware at a leading cloud service provider was the second most likely scenario.

While the cost components of each scenario varied, the study showed that business interruption (BI) costs, caused when supply chains stall or factories are offline, featured heavily in the insured loss figures. For example, BI made up 94.4 percent of the insured costs associated with a widespread data loss from a leading operating system, while the figure was 92 percent for a long-lasting outage at a leading cloud service provider.

The study also revealed that on an industry basis, financial firms were most impacted during these systemic events, accounting for over 20 percent of the overall insured loss. This accumulation of insured loss among financial firms was reflective of the buying patterns of this sector. The companies also represented potentially more lucrative targets for cyber criminals.

The complete study can be found here: Looking Beyond the Clouds: A U.S. Cyber Insurance Industry Catastrophe Loss Study

